Lesson one: The IRS is a confirmed favorite of spammers, phishers and malware distributors. As an example, consider the attacks of the last few weeks that have targeted users of the IRS’s electronic payment portal. This time the attack starts with an email about tax forums to train and serve the tax practitioner community. The content of the fraudulent email is almost identical to the article “IRS Tax Forums Planned for this Summer” from May, 2004 (!). The cybercriminals have only changed the dates and a few words to make it more appealing to tax practitioners. The IRS has posted a note about this malware on their website.
The attachment is a blank document file that contains a malformed Adobe Flash object exploiting CVE-2011-0611, the vulnerability discovered back in April.
The embedded Flash contains the following ActionScript:
Dumping the shellcode reveals a URL at its end; this URL hosts the malware “g.exe”, which is downloaded and executed on the infected computer.
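As an added example (not code from the original post or from Commtouch), the following Python triage script scans a document blob for embedded Flash (SWF) headers, inflates a zlib-compressed body, and lists any URL strings found inside, the kind of check an analyst uses to surface a download URL like the one described above. The sample document, its “g.exe” URL and the header plausibility thresholds are constructed assumptions for the demonstration.

```python
import re
import struct
import zlib

# SWF container magics: FWS = uncompressed, CWS = zlib-compressed, ZWS = LZMA (left raw here).
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")


def find_swf_headers(blob):
    """Locate plausible SWF headers: a magic, a sane version byte and a declared
    uncompressed length that is at least the 8-byte header itself (thresholds assumed)."""
    hits = []
    for magic in SWF_MAGICS:
        idx = blob.find(magic)
        while idx >= 0 and idx + 8 <= len(blob):
            version = blob[idx + 3]
            length = struct.unpack_from("<I", blob, idx + 4)[0]
            if 1 <= version <= 40 and 8 <= length <= 64 * 1024 * 1024:
                hits.append((idx, magic.decode(), version, length))
            idx = blob.find(magic, idx + 1)
    return sorted(hits)


def swf_body(blob, offset, magic):
    """Return the SWF body after the header, inflating CWS (zlib) payloads."""
    body = blob[offset + 8:]
    if magic == "CWS":
        try:
            return zlib.decompressobj().decompress(body)  # tolerates trailing file data
        except zlib.error:
            return body  # fall back to the raw bytes if the stream is corrupt
    return body


def triage_document(blob):
    """For each embedded SWF, report offset, version and URL strings in its body,
    e.g. the download location carried in the exploit's shellcode."""
    findings = []
    for offset, magic, version, _length in find_swf_headers(blob):
        urls = sorted({u.decode("ascii", "replace") for u in URL_RE.findall(swf_body(blob, offset, magic))})
        findings.append({"offset": offset, "magic": magic, "version": version, "urls": urls})
    return findings


def build_sample_document():
    """Constructed input (not a real sample): filler bytes, then a CWS SWF whose
    body carries a placeholder URL standing in for the dumped shellcode's URL."""
    body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00" + b"\x90" * 16 + b"http://malware.example/g.exe\x00"
    header = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body))
    return b"D0CF11E0 stand-in header bytes " + header + zlib.compress(body) + b" trailing OLE data"
```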
Commtouch’s Command Antivirus detects this malware as: Exploit/WRD.gen.