CPAs Targeted in Malware Attack

September 25, 2013 | by Fred Touchette | AppRiver, blackhole, Bon Jovi, Digital Degenerate, Java, SecureSurf, Zeus


This morning we're seeing a rash of emails claiming to be from the AICPA, the American Institute of Certified Public Accountants. The emails claim that the recipient accountant has been involved in fraudulent tax activity stemming from one of their clients and that a complaint has been filed against them; they go on to warn that the accountant's license may be revoked if they do not respond. Each email offers a link to what appears to be a PDF file containing the formal complaint. Instead, the links send the viewer to one of 83 different domains hosting malware.

The initial site presents the victim with the message "Welcome to the AICPA - Redirecting, please wait..." The page then runs a simple script that checks which operating system the victim is running. If it is anything other than Windows, the script simply redirects them to the real AICPA site, possibly to keep non-Windows users unaware that this was malware, or possibly to avoid unnecessary traffic by forwarding only PCs that could actually be vulnerable. Since the hosting sites and computers are usually hijacked, traffic is rarely a concern for these operators, but regardless, only Windows users get to experience the entire ride.
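One practical consequence of that gate is that an analyst who replays the link from a Mac, a Linux sandbox or plain curl sees nothing but a harmless redirect to aicpa.org. The probe below, an added example that is not AppRiver's tooling, requests the landing page once per User-Agent with redirects disabled and reports whether the Windows visitor is sent somewhere the others are not. The User-Agent strings are constructed, and the hostnames in the offline stand-in `fake_gate` are assumed from the post's description of the redirect chain; `http_fetch` is the live transport for use against a real sample.

```python
"""Replay a suspected exploit-kit landing page under several User-Agent
strings and compare where each visitor is sent.  Added example for this
post, not AppRiver's tooling: the User-Agent strings are constructed, and
the hostnames in the offline stand-in below are assumed from the post's
description of the redirect chain."""
import urllib.error
import urllib.request

# Constructed User-Agent strings: one Windows browser, two non-Windows ones.
USER_AGENTS = {
    "windows": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36",
    "mac": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36",
    "linux": "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0",
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the gate's Location header stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, headers):
    """Live transport: one request, returns (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # an unfollowed 3xx lands here
        return err.code, err.headers.get("Location")


def fake_gate(url, headers):
    """Constructed stand-in for the landing page so the probe runs offline.
    Hostnames are assumed from the post: Windows goes to the exploit host
    with aicpa.org prepended as a subdomain, everyone else to the real site."""
    if "Windows" in headers.get("User-Agent", ""):
        return 302, "http://aicpa.org.children-bicycle.net/"
    return 302, "http://www.aicpa.org/"


def probe_gate(url, fetch=http_fetch, user_agents=USER_AGENTS):
    """Map each User-Agent label to the redirect target it receives."""
    return {label: fetch(url, {"User-Agent": ua})[1]
            for label, ua in user_agents.items()}


def is_os_gated(results, baseline="windows"):
    """True when the Windows visitor is sent somewhere that no non-Windows
    visitor is sent: the behaviour the landing page exhibits."""
    target = results.get(baseline)
    others = [loc for label, loc in results.items() if label != baseline]
    return target is not None and bool(others) and all(loc != target for loc in others)


if __name__ == "__main__":
    seen = probe_gate("http://landing.example/", fetch=fake_gate)
    for label, loc in seen.items():
        print(f"{label:8} -> {loc}")
    print("OS-gated:", is_os_gated(seen))
```

Run it against a live URL with `probe_gate(url)` (the default transport) from an isolated analysis host; the point of keeping redirects unfollowed is that the first hop is where the gate decides, and following it from a non-Windows client would only ever show the legitimate site.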


Windows machines are then redirected to the domain children-bicycle[dot]net, dressed up to look like the AICPA by the addition of AICPA[dot]org as the leading subdomain. Once there, we see classic Blackhole obfuscated JavaScript that begins the real infection by downloading several Java class files onto the victim machine and leveraging Java vulnerabilities to exploit it.
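The subdomain trick works because readers (and some naive URL filters) look at the left end of the hostname, while ownership is decided by the registrable domain at the right end. The check below, an added example rather than AppRiver's code, pulls the registrable domain out of a URL and flags hosts where a protected brand appears as leading labels over someone else's domain; it also flags the lure's other tell, a link whose visible text promises a `.pdf` while the target is not one. The suffix table is a deliberately tiny stand-in for the Public Suffix List, which a production check should load instead, and the sample URLs are constructed.

```python
"""Flag hostnames that put a trusted brand domain in front of an unrelated
registered domain (aicpa.org.<attacker-domain>) and links whose text claims
a PDF that the target does not deliver.  Added example, not AppRiver's code;
PUBLIC_SUFFIXES is a constructed stand-in for the real Public Suffix List."""
from urllib.parse import urlsplit

# Constructed, minimal suffix list.  Multi-label suffixes go first so a
# host under co.uk is not split on "uk"-style shorter matches.
PUBLIC_SUFFIXES = ("co.uk", "com", "net", "org", "info", "biz")

# Brand domains the lure impersonates (from the post: the AICPA).
PROTECTED = {"aicpa.org"}


def registrable_domain(host):
    """Return the label left of the public suffix plus the suffix, e.g.
    'aicpa.org.children-bicycle.net' -> 'children-bicycle.net'."""
    host = host.lower().rstrip(".")
    for suffix in PUBLIC_SUFFIXES:
        if host == suffix:
            return host
        if host.endswith("." + suffix):
            prefix = host[: -len(suffix) - 1]
            return prefix.rsplit(".", 1)[-1] + "." + suffix
    # Unknown suffix: fall back to the last two labels.
    return ".".join(host.split(".")[-2:])


def classify_url(url):
    """Return (verdict, registrable_domain) where verdict is
    'legit' (owned by the brand), 'lookalike' (brand used as a subdomain of
    another registrable domain) or 'unrelated'."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in PROTECTED:
        return "legit", reg
    for brand in PROTECTED:
        # Brand labels appear somewhere left of the real registrable domain.
        if host.startswith(brand + ".") or ("." + brand + ".") in host:
            return "lookalike", reg
    return "unrelated", reg


def link_mismatch(anchor_text, href):
    """True when the visible link text ends in .pdf but the URL path does not,
    the pattern the lure uses to make a redirector look like a document."""
    text_says_pdf = anchor_text.strip().lower().endswith(".pdf")
    path = urlsplit(href).path.lower()
    return text_says_pdf and not path.endswith(".pdf")


if __name__ == "__main__":
    # Constructed sample links in the shape the post describes.
    samples = [
        ("formal_complaint.pdf", "http://aicpa.org.children-bicycle.net/complaint.php"),
        ("formal_complaint.pdf", "http://www.aicpa.org/docs/complaint.pdf"),
        ("unsubscribe", "http://example.com/unsub"),
    ]
    for text, href in samples:
        verdict, reg = classify_url(href)
        print(f"{href}\n  domain={reg} verdict={verdict} "
              f"pdf-mismatch={link_mismatch(text, href)}")
```

The registrable-domain step is the part that matters: string-matching "aicpa.org" anywhere in the host is exactly what the attacker is counting on, so the decision has to be made on the domain actually registered, and only then can the brand's presence to its left be treated as a sign of impersonation.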


After the victim machine is infected, the malware begins to exhibit behaviors typical of the Zeus family: it enumerates running processes, adds itself to startup locations, and injects itself into running processes to maintain its foothold.
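Those three behaviors are each visible in ordinary endpoint telemetry, and taken together they separate the dropper from the noise on a busy workstation. The correlation below is an added example, not AppRiver's detection logic, run over constructed Sysmon-style records: event IDs 1 (ProcessCreate), 13 (RegistryValueSet) and 8 (CreateRemoteThread) are the real Sysmon identifiers, while every path, key and SID in the sample data is made up. It tags an image as dropped by Java when it is launched by java.exe from a user-writable directory, as persistent when it writes a Run key, and as injecting when it creates a thread in another process.

```python
"""Correlate endpoint events for the Zeus-like behaviours the post names:
a payload launched by Java, a Run-key entry for persistence and a remote
thread into an existing process.  Added example, not AppRiver's code; the
records below are constructed in the shape of Sysmon events 1, 8 and 13."""
import re
from collections import defaultdict

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.IGNORECASE)
JAVA = re.compile(r"\\javaw?\.exe$", re.IGNORECASE)

# Constructed sample paths (not from the post).
DROPPER = r"C:\Users\cpa\AppData\Local\Temp\complaint.exe"
JAVA_EXE = r"C:\Program Files\Java\jre7\bin\java.exe"
READER = r"C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe"
INSTALLER = r"C:\Program Files\Vendor\setup.exe"

SAMPLE_EVENTS = [
    # Java (the exploit-kit vector) drops and launches a binary in %TEMP%.
    {"EventID": 1, "Image": DROPPER, "ParentImage": JAVA_EXE},
    # The same binary registers itself in the per-user Run key.
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\complaint"},
    # ...and creates a thread inside explorer.exe.
    {"EventID": 8, "SourceImage": DROPPER, "TargetImage": r"C:\Windows\explorer.exe"},
    # Benign noise: Reader opened from explorer, a vendor installer adding an updater.
    {"EventID": 1, "Image": READER, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "Image": INSTALLER,
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater"},
]


def analyze(events):
    """Return {image: set(tags)} for every image showing at least one behaviour."""
    findings = defaultdict(set)
    for ev in events:
        eid = ev.get("EventID")
        if (eid == 1 and JAVA.search(ev.get("ParentImage", ""))
                and USER_WRITABLE.search(ev.get("Image", ""))):
            findings[ev["Image"]].add("dropped-by-java")
        elif eid == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
            findings[ev["Image"]].add("run-key-persistence")
        elif eid == 8 and USER_WRITABLE.search(ev.get("SourceImage", "")):
            findings[ev["SourceImage"]].add("remote-thread-injection")
    return dict(findings)


def zeus_like(findings, threshold=2):
    """Images that exhibit at least `threshold` distinct behaviours, sorted."""
    return sorted(img for img, tags in findings.items() if len(tags) >= threshold)


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for img, tags in found.items():
        print(f"{img}: {', '.join(sorted(tags))}")
    print("Zeus-like:", zeus_like(found))
```

A single Run-key write is routine on any workstation, which is why the installer in the sample is reported but not escalated; the escalation rule fires only when the same image also came out of the Java process tree or started threads in other processes.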

We've seen roughly a half million of these messages in the past few hours, and in the words of the great poet Jon Bon Jovi... never mind, I can't do it, pun removed. They're blocked.