La mansión de las ideas
Revealed Emotet Malware Disguised as IRS W-9 forms

The Emotet malware was disseminated through counterfeit W-9 tax documents supposedly originating from the IRS

by Nvindi
26/04/2023 13:28
in Home & Crafts

U.S. taxpayers are currently being targeted in a fresh Emotet phishing campaign in which fake IRS W-9 tax forms are sent as if they originated from the Internal Revenue Service or from companies the victims work with. Emotet is a well-known malware family that spreads through phishing emails carrying Microsoft Word and Excel documents with malicious macros, which infect the system once enabled.

Following Microsoft's decision to block macros by default in Office documents downloaded from the internet, Emotet altered its tactics and began using Microsoft OneNote files with embedded scripts to distribute and install the malware. Once installed, Emotet can steal victims' email addresses and messages for future reply-chain attacks, send out further spam, and deploy additional malware that gives other malicious actors, such as ransomware gangs, an initial foothold in the network.

Emotet prepares for the U.S. tax season targeting users with fake IRS W-9 tax form attachments

Themed phishing campaigns are frequently employed by Emotet to coincide with special events and annual business activities, including the ongoing U.S. tax season. Recently, security researchers at Malwarebytes and Palo Alto Networks Unit42 have observed new phishing campaigns launched by Emotet, targeting users with fake W-9 tax form attachments.


In one such campaign, observed by Malwarebytes, the threat actors send emails with the subject ‘IRS Tax Forms W-9,’ pretending to be an ‘Inspector’ from the Internal Revenue Service. The phishing emails carry a ZIP archive named ‘W-9 form.zip’ that contains a malicious Word document. To evade detection by security software, the size of this Word document has been artificially inflated to over 500MB.
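A padded document compresses extremely well, so the ZIP's own central directory gives a mail gateway enough to triage the attachment without ever inflating it. The following is an added example, not code from the article or from the researchers it cites; the thresholds and the constructed sample archive are assumptions chosen for illustration.

```python
import io
import zipfile

# Assumed thresholds for illustration; tune them to your environment.
MAX_DOC_BYTES = 100 * 1024 * 1024   # a tax form larger than this is suspicious on its own
MIN_SIZE_FOR_RATIO = 1024 * 1024    # only judge the ratio on members of at least 1 MB
MAX_RATIO = 50.0                    # null padding deflates at roughly 1000:1
OFFICE_EXT = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".one")


def triage_zip(zip_bytes: bytes) -> list:
    """Return (member name, reason) findings for suspicious Office members.

    Reads only the central directory (file_size / compress_size), so an
    inflated member is never decompressed into memory by the scanner.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(OFFICE_EXT):
                continue
            if info.file_size > MAX_DOC_BYTES:
                findings.append((info.filename, "oversized"))
            ratio = info.file_size / max(info.compress_size, 1)
            if info.file_size >= MIN_SIZE_FOR_RATIO and ratio > MAX_RATIO:
                findings.append((info.filename, "padded"))
    return findings


def build_sample_zip(padding: int) -> bytes:
    """Constructed sample mimicking 'W-9 form.zip' with a null-padded .doc."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("W-9 form.doc", b"fake W-9 form header" + b"\x00" * padding)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_zip(8 * 1024 * 1024)))   # [('W-9 form.doc', 'padded')]
    print(triage_zip(build_sample_zip(10)))                # []
```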

Since Microsoft started blocking macros by default, users are less inclined to enable them and are consequently less susceptible to infection via malicious Word documents. Brad Duncan from Unit42 has detected a phishing campaign that circumvents these safeguards by using Microsoft OneNote files containing embedded VBScript files to deploy the Emotet malware.

This phishing campaign comprises reply-chain emails impersonating business partners who claim to be sending W-9 Forms

The attached OneNote documents may appear to be protected, prompting users to double-click the ‘View’ button for proper viewing. However, concealed beneath this button is a VBScript document that will be executed instead. Upon launching the embedded VBScript file, Microsoft OneNote will display a warning message to the user, indicating that the file may be malicious. Regrettably, many users have disregarded these warnings in the past and proceeded with running the files.

Once executed, the VBScript will initiate the download of the Emotet DLL and execute it with the help of regsvr32.exe. The malware will now operate inconspicuously in the background, surreptitiously collecting emails and contacts while waiting for additional payloads to install on the device.
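The chain above (OneNote launches an embedded VBScript, which runs regsvr32.exe against a freshly downloaded DLL) is what endpoint telemetry can be searched for. The following is an added detection sketch, not code from the article: the log lines are constructed in a simplified pipe-separated format rather than any real EDR schema, and treating wscript.exe and cscript.exe as the VBScript hosts is an assumption.

```python
import re

# Constructed sample process-creation events: pid|ppid|image|command_line
SAMPLE_LOG = """\
400|300|C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE|ONENOTE.EXE
401|400|C:\\Windows\\System32\\wscript.exe|wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\OneNote\\view.vbs
402|401|C:\\Windows\\System32\\regsvr32.exe|regsvr32.exe /s C:\\Users\\alice\\AppData\\Local\\Temp\\update.dll
500|300|C:\\Windows\\explorer.exe|explorer.exe
501|500|C:\\Windows\\System32\\regsvr32.exe|regsvr32.exe /s C:\\Windows\\System32\\msxml3.dll
"""

# A DLL loaded from a user-writable location is the interesting case.
USER_WRITABLE = re.compile(r"\\Users\\|\\ProgramData\\|\\Temp\\", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # assumed VBScript hosts


def parse(log: str) -> dict:
    """Index events by pid so the parent chain can be walked."""
    procs = {}
    for line in log.splitlines():
        pid, ppid, image, cmd = line.split("|", 3)
        procs[int(pid)] = {"ppid": int(ppid), "image": image, "cmd": cmd}
    return procs


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(procs: dict, pid: int) -> list:
    """Image names from pid upward until the chain leaves the log."""
    names = []
    while pid in procs:
        names.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return names


def detect(log: str) -> list:
    """Return pids of regsvr32.exe events that load a DLL from a user-writable
    path and whose parent is a script host descended from OneNote."""
    procs = parse(log)
    hits = []
    for pid, p in procs.items():
        if basename(p["image"]) != "regsvr32.exe" or not USER_WRITABLE.search(p["cmd"]):
            continue
        chain = ancestry(procs, p["ppid"])
        if chain and chain[0] in SCRIPT_HOSTS and "onenote.exe" in chain:
            hits.append(pid)
    return hits
```

The benign regsvr32.exe run under explorer.exe (pid 501) is not flagged because it registers a DLL from System32 and has no script-host parent.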

In the event that you receive any emails purporting to be W-9 or other tax forms, it is recommended that you initially scan the documents using your local antivirus software. Nonetheless, it is not advisable to upload these forms to cloud-based scanning services like VirusTotal due to the sensitive nature of their content. Typically, tax forms are disseminated as PDF documents and not as Word attachments. Therefore, it is advisable to abstain from opening such attachments and enabling macros if you receive them.

As always, the most effective defense is to delete any emails originating from unknown senders. If you do recognize the sender, it is prudent to contact them via phone first to verify if they indeed sent the email.
