Analysis by Mary Grace Ermitano-Aquino

As tax season continues, so does the rise of socially engineered spam campaigns that take advantage of it. The latest we've found and received samples of purports to be a refund notification from the Australian Tax Office (ATO). It tells the recipient that they're eligible for a hefty refund and that, to claim it, they need to open the attached archive and extract the files inside onto their system. As of this writing, we've received more than 6000 related samples of this particular spam campaign, making it one of the more prolific campaigns targeting today's tax season.

The attached archive has been verified to contain a malicious file (detected as BKDR_CAPHAW.XQA). When executed, it opens a PDF file as a decoy while carrying out its malicious routines. These routines include connecting to malicious URLs in order to receive and execute commands from remote attackers.

Users whose systems are infected by this malware may have the security of those systems compromised.

As always, we remind users never to open links or attachments that come from unexpected or suspicious senders, especially when they claim to be from official government organizations. Either delete them right away, or verify them with the organization (through official hotlines or in-person consultation) before doing anything else.

Trend Micro security solutions block all elements related to this spam campaign.

SPAM BLOCKING DATE / TIME: 19 March 2015 GMT-8
TMASE
  • TMASE Engine:
  • TMASE Pattern: AS1410