Attackers Sending IRS Phishing Emails to Install Emotett Malware

GAGANDEEP SINGH 29-March-2023

[{"selector":"#anim-a98a79bb-ab26-49ed-ba26-885908eb4bf8","keyframes":{"opacity":[0,1]},"delay":0,"duration":2000,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-3ffb804a-e142-4593-8bea-bb24d20d99de","keyframes":{"transform":["translate3d(-121.875%, 0px, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-9f97e39b-33c4-4bb1-b553-988844322270 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(-12.514648210040342%, 0, 0)","translate3d(0%, 0, 0)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"both"}] Security researchers at Malwarebytes and Palo Alto Networks unit 42 discovered a new malware.

[{"selector":"#anim-06505b9c-ce40-4f82-ac44-0eeff5a3fe90","keyframes":{"opacity":[0,1]},"delay":0,"duration":2000,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-6b5be1aa-1e66-43bd-9aec-7d463f92fdf2","keyframes":{"transform":["translate3d(-121.875%, 0px, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] The malware named Emotet targets users with phishing emails containing fake W-9 tax form attachments.

[{"selector":"#anim-913d9c2c-f9db-411b-a6f6-7a858035a5da","keyframes":{"opacity":[0,1]},"delay":0,"duration":2000,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-291926aa-f6ad-412e-ad03-782612d85015","keyframes":{"transform":["translate3d(-121.875%, 0px, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-1dcdc844-622d-4f0a-9b49-b7779271bf18 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(-6.048701294209916%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}] The attackers use this malware to coincide with the holidays and the yearly tax returns, i.e., The US tax season.

[{"selector":"#anim-10bc77aa-fa75-41d4-a696-6e245356f2ed","keyframes":{"opacity":[0,1]},"delay":0,"duration":2000,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-d522110e-6d12-4f2e-a4c6-d0ea2e800904","keyframes":{"transform":["translate3d(-121.875%, 0px, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-21ae073e-c6b0-4ddf-aba1-7b8a11c11e86 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(-31.249999886225726%, 0, 0)","translate3d(0%, 0, 0)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"both"}] The attackers send emails with the Form while impersonating an authority from Internal Renew Service.

[{"selector":"#anim-7ffe2b86-062e-4b3f-82c1-9fc9c58fcb2c","keyframes":{"opacity":[0,1]},"delay":0,"duration":2000,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-99856333-f706-4c98-a296-6ca41ca6e7e6","keyframes":{"transform":["translate3d(-121.875%, 0px, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] Phishing emails have a ZIP archive named W-9 form.zip which contains a malicious word document.

[{"selector":"#anim-1acc1cb1-7018-4573-9f81-a8ab39d05843","keyframes":{"opacity":[0,1]},"delay":0,"duration":2000,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-dee1ceda-f9f1-4843-9d29-a782983d2b62","keyframes":{"transform":["translate3d(-121.875%, 0px, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-14d211f5-ed5b-421e-8793-c0751cc9aead [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(-37.690485074981936%, 0, 0)","translate3d(0%, 0, 0)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"both"}] Once installed, it start stealing the victim’s email for future replay chain attacks and then spam emails.

[{"selector":"#anim-98f84a23-575c-4a1a-8adf-15166cfcdb04","keyframes":{"opacity":[0,1]},"delay":0,"duration":2000,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-d47b26b8-e3b0-48c3-81cd-a82ba2bdf83e","keyframes":{"transform":["translate3d(-121.875%, 0px, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] The activity utilizes the replay chain e-mail, which pretends to be the business partners sending victims the W-9 form.

[{"selector":"#anim-27647760-e54c-4170-a7f6-d404e213a4a4","keyframes":{"opacity":[0,1]},"delay":0,"duration":2000,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-708a8b8f-80c9-4f32-b573-c5c321486dd1","keyframes":{"transform":["translate3d(-121.875%, 0px, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-be68d4f9-6ff7-4dff-b2ea-18ea35f0fbef [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(0%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}] These forms are sent in PDF attachments, not Word attachments, so avoid opening them.

Attackers Sending IRS Phishing Emails to Install Emotett Malware

Read the full story here.