Description
Cisco Security Intelligence Operations has detected significant activity related to spam e-mail messages that claim to contain a copy of a tax form notification related to a tax payment rejection due to an invalid identification number for the recipient. The e-mail message instructs the recipient to open the attachment for additional details. However, the .zip attachment contains a malicious .exe file that, when executed, attempts to infect the system with malicious code.
E-mail messages that are related to this threat (RuleID5340) may contain the following files:
EFTPS_report_1334022012.zip
EFTPS_report_1334022012.exe
The EFTPS_report_1334022012.exe file inside the EFTPS_report_1334022012.zip attachment has a file size of 46,080 bytes. Its MD5 checksum, which identifies this particular executable, is the following string: 0x6DDD18FADE610FFEA524C3D883C4F576
The following text is a sample of the e-mail message that is associated with this threat outbreak:
Subject: JUNK: EFTPS: Company Tax Payment Batch Has Been Rejected.
Message Body:
Your Federal Tax Payment ID: 4658879398 has been rejected.
Return Reason Code R225 - The identification number used in the Company Identification Field is not valid. Please, check the
information and refer to Code R966 to get details about your company payment in transaction contacts section:
EFTPS_report_1334022012.pdf (Adobe PDF)
In other way forward information to your accountant adviser.
EFTPS: The Electronic Federal Tax Payment
PLEASE NOTE: Your tax payment is due regardless of EFTPS online availability. In case of an emergency, you can always
make your tax payment by calling the EFTPS.
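The indicators above (attachment names, the 46,080-byte size, the MD5 checksum and the EFTPS subject lure) are enough to write a simple mail-gateway or triage check. The following is an added example, not Cisco's own rule or code: it inspects a .zip attachment in memory, flags members with executable extensions or matching the published file name, size or MD5, and tests the subject line against the lure wording. The sample zip it builds is constructed here and deliberately contains a harmless text payload, so its hash will not match the alert's indicator; everything else comes from the alert.

```python
import hashlib
import io
import re
import zipfile

# Indicators from the Cisco alert (RuleID5340). The alert prints the MD5 with a
# 0x prefix; strip it so the value compares against hashlib output.
KNOWN_MD5 = "0x6DDD18FADE610FFEA524C3D883C4F576"[2:].lower()
KNOWN_SIZE = 46080
KNOWN_NAMES = {"EFTPS_report_1334022012.zip", "EFTPS_report_1334022012.exe"}

# Extensions that should never arrive inside a "report" attachment.
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

# Subject lure taken from the sample message: "EFTPS: Company Tax Payment
# Batch Has Been Rejected." (case-insensitive, tolerant of mailer prefixes).
SUBJECT_LURE = re.compile(r"EFTPS.*(rejected|tax payment)", re.IGNORECASE)


def subject_matches_lure(subject):
    """True if the subject line resembles the campaign's lure."""
    return bool(SUBJECT_LURE.search(subject))


def classify_zip(zip_bytes, max_member_bytes=10 * 1024 * 1024):
    """Return one finding per zip member with the reasons it is suspicious.

    Each finding is a dict: name, declared size, md5 (if hashed), reasons.
    The declared size comes from the zip header and may lie, so members that
    claim to be larger than max_member_bytes are not decompressed at all.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            finding = {"name": name, "size": info.file_size, "reasons": []}
            if name.lower().endswith(EXEC_EXT):
                finding["reasons"].append("executable-extension")
            if name in KNOWN_NAMES:
                finding["reasons"].append("known-filename")
            if info.file_size == KNOWN_SIZE:
                finding["reasons"].append("known-size")
            if not info.is_dir() and info.file_size <= max_member_bytes:
                md5 = hashlib.md5(zf.read(info)).hexdigest()
                finding["md5"] = md5
                if md5 == KNOWN_MD5:
                    finding["reasons"].append("known-md5")
            findings.append(finding)
    return findings


def verdict(subject, zip_bytes):
    """Combine subject and attachment findings into quarantine/review/allow."""
    findings = classify_zip(zip_bytes)
    hard = any("known-md5" in f["reasons"] or "executable-extension" in f["reasons"]
               for f in findings)
    if hard:
        return "quarantine"
    soft = subject_matches_lure(subject) or any(f["reasons"] for f in findings)
    return "review" if soft else "allow"


def build_sample_zip():
    """Constructed sample attachment: the alert's file name over a benign payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("EFTPS_report_1334022012.exe", b"not a real executable")
        zf.writestr("readme.txt", b"benign text")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for f in classify_zip(sample):
        print(f)
    print(verdict("JUNK: EFTPS: Company Tax Payment Batch Has Been Rejected.", sample))
```

Because the verdict keys on the executable extension and the published hash rather than on the subject alone, a reworded lure still lands in quarantine when the same payload is attached, while a benign report with a lure-like subject only goes to review.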
Source: Cisco