“Your IRS EFTPS payment rejected” – Emails lead to malware on over 2,500 domains

“Your federal tax payment was rejected”. We imagine that the sight of these words would make even the most security-aware individuals click on anything in sight as they race to resolve this troubling news. In the last 24 hours Commtouch Labs has detected vast quantities of emails that inform recipients of payments that have been rejected by the Electronic Federal Tax Payment System (EFTPS). A sample is shown below: 

Email text:

Your federal Tax payment (ID: ---), recently initiated from your checking account
 was rejected by the The Electronic Federal Tax Payment System. 
Rejected Tax transfer
Tax Transaction ID:                 -----
Rejection Reason                     See details in the report below 
Tax Transaction Report tax_report_58715026253962.pdf.exe (self-extracting archive, Adobe PDF) 
Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785

The emails all use “irs.gov” addresses with fake employee names in the “from” field. The image is downloaded directly from the IRS site. We note the neat addition of “self-extracting archive” next to the file name – apparently to allay the fears of users who are wary of opening executable files.

The links lead to any of 2,500 domains (!) that we have tracked in connection with these emails. All of the domains were registered in the last 48 hours. The destination pages (confusingly) show a “404 not found” message which actually hides the script that starts the “PDF” file download. The downloaded filename for this site was: TAX45368001.pdf.exe.
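As an added illustration of how a mail gateway could flag this lure (not code from Commtouch or the original post), the following Python checks a raw message for the three traits described above: an IRS/EFTPS pretext (EFTPS never contacts users by e-mail), a double-extension attachment such as .pdf.exe, and the “self-extracting archive” reassurance text. The two messages are constructed samples modelled on the quoted email; the sender address and the indicator names are assumptions.

```python
import re
from email import message_from_string
from typing import List

# Constructed sample modelled on the lure quoted above (not a real capture).
LURE = """From: John Doe <payments@irs.gov>
Subject: Your federal tax payment was rejected
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your federal Tax payment (ID: ---) was rejected by the Electronic Federal Tax Payment System.
Tax Transaction Report tax_report_58715026253962.pdf.exe (self-extracting archive, Adobe PDF)
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="tax_report_58715026253962.pdf.exe"

MZ...
--b1--
"""

# Constructed benign message that merely mentions a PDF, for contrast.
BENIGN = """From: Alice <alice@example.com>
Subject: Q3 slides

Slides attached as q3_slides.pdf, see you Monday.
"""

# A document extension immediately followed by an executable one, e.g. ".pdf.exe".
DOUBLE_EXT = re.compile(r"\.(?:pdf|doc|xls|txt|jpg)\.(?:exe|scr|com|bat|cmd|pif)\b", re.I)

def eftps_lure_indicators(raw: str) -> List[str]:
    """Return the sorted lure indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    text = msg.get("Subject", "") + "\n" + "\n".join(
        p.get_payload(decode=True).decode("utf-8", "ignore")
        for p in msg.walk() if p.get_content_type() == "text/plain")
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    hits = set()
    # EFTPS states it never contacts users by e-mail, so any mail invoking it is suspect.
    if "irs.gov" in msg.get("From", "").lower() or "tax payment" in text.lower():
        hits.add("irs-eftps-claim")
    if any(DOUBLE_EXT.search(n) for n in names) or DOUBLE_EXT.search(text):
        hits.add("double-extension-executable")
    if "self-extracting archive" in text.lower():
        hits.add("self-extracting-lure-text")
    return sorted(hits)
```

The attachment check looks at both declared filenames and the body text, since the quoted lure names the executable in the message itself.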

When a user opens the file the malware takes the following actions that seem characteristic of a bot/password stealer:

  • It sets itself up to run on Windows startup
  • Drops 3 files:
    • C:\Documents and Settings\user\Application Data\Iwabboji.ybe
    • C:\Documents and Settings\user\Application Data\Qyfewoobx.exe
    • C:\DOCUME~1\user\LOCALS~1\Temp\tmp97e95e58.bat – this file just deletes the original executable.
  • It injects a thread into explorer.exe which downloads an encrypted blob from vesv—-wtytz.biz.
  • It listens on port 27032 for connections.
  • It injects threads into most other running processes.

Commtouch’s Command Antivirus detects this malware as: W32/Heuristic-300!Eldorado.

Users of the EFTPS system are advised to take note of the reminder at the top of the EFTPS page:

Remember! EFTPS values your privacy and security and will never attempt to contact you via e-mail. If you ever receive an e-mail that claims to be from EFTPS or from a sender you do not recognize that mentions a payment made through EFTPS, forward the e-mail to phishing@irs.gov or call the Treasury Inspector General for Tax Administration at 1.800.366.4484