    Emotet malware distributed as fake W-9 tax forms from the IRS

    alf9872000
    A new Emotet phishing campaign is targeting U.S. taxpayers by impersonating W-9 tax forms allegedly sent by the Internal Revenue Service and companies you work with.

    Emotet is a notorious malware infection distributed through phishing emails that in the past contained Microsoft Word and Excel documents with malicious macros that install the malware.

    However, after Microsoft began blocking macros by default in downloaded Office documents, Emotet switched to using Microsoft OneNote files with embedded scripts to install the Emotet malware.

    Once Emotet is installed, the malware will steal victims' emails to use in future reply-chain attacks, send further spam emails, and ultimately install other malware that provides initial access to other threat actors, such as ransomware gangs.

    Emotet gears up for the US tax season

    The Emotet malware operations commonly use themed phishing campaigns to coincide with holidays and yearly business activities, such as the current U.S. tax season.

    In new phishing campaigns seen by security researchers at Malwarebytes and Palo Alto Networks Unit42, the Emotet malware targets users with emails containing fake W-9 tax form attachments.

    In the campaign seen by Malwarebytes, the threat actors send emails titled 'IRS Tax Forms W-9,' while impersonating an 'Inspector' from the Internal Revenue Service.

    These phishing emails contain a ZIP archive named 'W-9 form.zip' that contains a malicious Word document. This Word document has been inflated to over 500MB to make it harder for security software to detect it as malicious.

    [Image: Emotet email impersonating the IRS. Source: Malwarebytes]

    However, now that Microsoft is blocking macros by default, users are less likely to go through the trouble of enabling the macros and becoming infected through malicious Word documents.

    [Image: Emotet Word document with macros blocked. Source: BleepingComputer]

    In a phishing campaign seen by Brad Duncan of Unit42, the threat actors bypass these restrictions by using Microsoft OneNote documents with embedded VBScript files that install the Emotet malware.

    This phishing campaign uses reply-chain emails pretending to be from business partners sending you W-9 forms, as shown below.

    [Image: Emotet reply-chain email with malicious Microsoft OneNote attachments. Source: Unit42]

    The attached OneNote documents will pretend to be protected, requesting that you double-click the 'View' button to see the document correctly. However, hidden underneath that View button is a VBScript document that will be launched instead.

    [Image: Malicious Microsoft OneNote file impersonating a W-9 form. Source: BleepingComputer]

    When launching the embedded VBScript file, Microsoft OneNote will warn the user that the file may be malicious. Unfortunately, history has shown us that many users ignore these warnings and simply allow the files to run.
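The hidden-attachment trick above can be checked for before anyone clicks 'View'. The following Python scanner is an added example (not code from the article, Malwarebytes or Unit42): it walks a .one file for the FileDataStoreObject records that hold embedded files, as documented in MS-ONESTORE, and flags any payload that looks like a script. The indicator list, the sample file built by build_sample() and the type heuristics are constructed for the example.

```python
"""Scan a Microsoft OneNote (.one) file for embedded files and flag script-like
payloads, such as a VBScript hidden under a fake 'View' button.

Added example, not code from the article or from Malwarebytes/Unit42. It relies
on the FileDataStoreObject layout documented in MS-ONESTORE: a fixed header GUID,
an 8-byte little-endian length, 12 bytes of unused/reserved fields, then the raw
embedded file bytes (a footer GUID follows; the scanner does not depend on it).
"""
import re
import struct
from typing import Dict, List

# {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC} as it appears on disk (little-endian GUID fields).
FILE_DATA_STORE_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
HEADER_SIZE = 16 + 8 + 4 + 8  # guidHeader + cbLength + unused + reserved

# Heuristic indicators for a script hidden in a OneNote attachment. regsvr32 comes
# from the campaign described in the article; the rest are generic script-host
# calls (constructed list for this example, extend as needed).
SCRIPT_INDICATORS = [
    rb"CreateObject\s*\(",
    rb"WScript\.Shell",
    rb"regsvr32",
    rb"MSXML2\.XMLHTTP",
    rb"ADODB\.Stream",
]


def extract_embedded_files(data: bytes) -> List[Dict]:
    """Return every FileDataStoreObject payload in the file as offset/size/data."""
    found = []
    pos = 0
    while True:
        idx = data.find(FILE_DATA_STORE_HEADER, pos)
        if idx == -1 or idx + HEADER_SIZE > len(data):
            break
        (length,) = struct.unpack_from("<Q", data, idx + 16)
        start, end = idx + HEADER_SIZE, idx + HEADER_SIZE + length
        if length == 0 or end > len(data):
            # Zero-length or truncated object: skip this header and keep scanning.
            pos = idx + 16
            continue
        found.append({"offset": start, "size": length, "data": data[start:end]})
        pos = end
    return found


def classify(payload: bytes) -> Dict:
    """Guess the payload type from magic bytes and look for script indicators."""
    if payload.startswith(b"%PDF-"):
        kind = "pdf"
    elif payload.startswith(b"\x89PNG"):
        kind = "png"
    elif payload.startswith(b"\xff\xd8\xff"):
        kind = "jpeg"
    elif payload.startswith(b"PK\x03\x04"):
        kind = "zip/office"
    elif payload.startswith(b"MZ"):
        kind = "pe"
    else:
        # Mostly printable bytes in the first 512 bytes: treat as text (script candidate).
        sample = payload[:512]
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in sample)
        kind = "text" if sample and printable / len(sample) > 0.9 else "binary"
    indicators = [p.decode() for p in SCRIPT_INDICATORS if re.search(p, payload, re.IGNORECASE)]
    # An executable inside a note is suspicious on its own; text is suspicious when indicators hit.
    suspicious = kind == "pe" or (kind == "text" and bool(indicators))
    return {"kind": kind, "indicators": indicators, "suspicious": suspicious}


def scan_onenote(data: bytes) -> List[Dict]:
    """One report entry per embedded file: offset, size, type guess, indicators, verdict."""
    return [
        {"offset": item["offset"], "size": item["size"], **classify(item["data"])}
        for item in extract_embedded_files(data)
    ]


def build_sample() -> bytes:
    """Constructed stand-in for a .one file: a PNG and a harmless VBScript, each
    wrapped in a FileDataStoreObject header, with filler bytes around them."""
    def wrap(payload: bytes) -> bytes:
        return FILE_DATA_STORE_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload

    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    script = b'Set sh = CreateObject("WScript.Shell")\r\nsh.Run "notepad.exe"\r\n'
    return b"\x00" * 64 + wrap(png) + b"\xab" * 10 + wrap(script) + b"\x00" * 16


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for entry in scan_onenote(blob):
        flag = "SUSPICIOUS" if entry["suspicious"] else "ok"
        print(f"offset={entry['offset']} size={entry['size']} kind={entry['kind']} {flag} {entry['indicators']}")
```

Run it with a path to a .one attachment to list what is embedded; with no argument it scans the constructed sample, which reports the PNG as ok and the script as suspicious. The scanner does not need the OneNote application and does not execute anything, so it is safe to run on a mail gateway or in a sandbox before the file reaches a user.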

     

    Once executed, the VBScript will download the Emotet DLL and run it using regsvr32.exe.

     

    The malware will now quietly run in the background, stealing email and contacts, and waiting for further payloads to install on the device.
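The execution chain described above (OneNote launching an embedded VBScript, which runs the downloaded DLL through regsvr32.exe) leaves a distinctive parent-child trail in process-creation telemetry. The following detection is an added example, not from the article, Unit42 or Malwarebytes: it walks Sysmon-style process-creation events (Event ID 1) reduced to the fields the check needs and alerts when regsvr32.exe descends from a script host that itself descends from OneNote. The events in SAMPLE_EVENTS, including the paths and file names, are constructed for the example.

```python
"""Flag regsvr32.exe launched by a script host that was itself spawned by OneNote,
the chain the article describes (OneNote -> embedded VBScript -> regsvr32 loading the DLL).

Added example, not from the article or from Unit42/Malwarebytes. The events are
constructed Sysmon-style process-creation records (Event ID 1) reduced to the
fields the check needs; image names are assumed to be lower-cased basenames.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lower-case executable basename, e.g. "onenote.exe"
    cmdline: str


OFFICE_PARENTS = {"onenote.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LOADER = "regsvr32.exe"


def ancestry(event: ProcEvent, by_pid: Dict[int, ProcEvent], max_depth: int = 8) -> List[str]:
    """Walk parent pids upward and return [self, parent, grandparent, ...] image names.
    max_depth guards against pid reuse producing a cycle in the parent map."""
    chain = [event.image]
    cur = event
    for _ in range(max_depth):
        parent = by_pid.get(cur.ppid)
        if parent is None:
            break
        chain.append(parent.image)
        cur = parent
    return chain


def detect_onenote_script_loader(events: List[ProcEvent]) -> List[Dict]:
    """Return one alert per regsvr32.exe whose ancestry is script host <- OneNote."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if e.image != LOADER:
            continue
        chain = ancestry(e, by_pid)
        # Require a script host somewhere above regsvr32, and OneNote above that host.
        script_idx = next((i for i, img in enumerate(chain) if img in SCRIPT_HOSTS), None)
        if script_idx is None:
            continue
        if any(img in OFFICE_PARENTS for img in chain[script_idx + 1:]):
            alerts.append({"pid": e.pid, "chain": " <- ".join(chain), "cmdline": e.cmdline})
    return alerts


# Constructed sample: one malicious chain plus a benign regsvr32 started from Explorer.
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(2000, 1000, "onenote.exe", r'ONENOTE.EXE "C:\Users\user\Downloads\W-9.one"'),
    ProcEvent(2100, 2000, "wscript.exe", r'wscript.exe "C:\Users\user\AppData\Local\Temp\view.vbs"'),
    ProcEvent(2200, 2100, "regsvr32.exe", r'regsvr32.exe /s "C:\Users\user\AppData\Local\Temp\update.dll"'),
    ProcEvent(3000, 1000, "regsvr32.exe", r"regsvr32.exe /s C:\Windows\System32\example.dll"),
]


if __name__ == "__main__":
    for alert in detect_onenote_script_loader(SAMPLE_EVENTS):
        print(f"ALERT pid={alert['pid']} chain={alert['chain']} cmdline={alert['cmdline']}")
```

Only the regsvr32 instance under wscript.exe under onenote.exe produces an alert; the one started directly from Explorer does not. In a real deployment the same lineage test translates into an EDR or SIEM rule on the parent-image fields, and extending OFFICE_PARENTS to the other Office executables catches the earlier macro-based variant of the same chain.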

     

    If you receive any emails claiming to be W-9 or other tax forms, first scan the documents with your local antivirus software. However, due to the sensitive nature of these forms, it is not suggested that you upload them to cloud-based scanning services like VirusTotal.

    Normally, tax forms are distributed as PDF documents and not as Word attachments, so if you receive one, you should avoid opening it and enabling macros.

    Finally, it is doubtful that tax forms would ever be sent as OneNote documents, so immediately delete the email and do not open it if you receive one.

    As always, the best line of defense is to discard any email from people you do not know, and if you do know them, contact them by phone first to confirm if they sent it.
