FortiGuard Labs Threat Research
Malicious email and phishing scams are usually topical and follow a pattern of current events, and they typically are crafted around calendar and/or trending issues as attackers realize that victims are interested in all things relevant to the moment. Threat actors are aware that not all recipients will bite, but some will, hence the origin of the term “phishing.”
Threat actors often put in the least amount of work possible for a maximum return, sending out phishing emails to thousands of targets. Even if less than one percent of victims respond, the return on investment is still significant due to the gain of personally identifiable information (PII) and/or establishing a foothold within an organization using stolen credentials, malware, or other means.
This blog highlights some examples we’ve encountered that may help users better spot suspicious emails. Recent examples observed by FortiGuard Labs include emails related to tax season and the Ukrainian conflict, which reflect the timeliness of current and newsworthy events at the time of writing.
Affected Platforms: Windows
Impacted Users: Windows users
Impact: Compromised machines are under the control of the threat actor; theft of personally identifiable information (PII) and credentials, monetary loss, etc.
Severity Level: Medium
Tax season comes around annually, like other seasonal events or holidays. Targeting calendar-based events enables threat actors to prepare ahead of time and have a new selection of targets on rotation.
The following set of examples highlights two IRS/tax-themed scams. The first is a malicious email pretending to originate from the U.S. Internal Revenue Service (IRS) containing a maliciously crafted Microsoft Excel file to deliver malware (Emotet). The second is a phishing scam that asks a recipient to send personally identifiable information (PII) via written correspondence to a phone number.
This attack starts with an IRS impersonation email carrying a ZIP attachment named “W-9 form.zip”. The password needed to extract the archive is provided in the body of the email so the recipient can open it without friction. The archive contains a single file, “W-9 form.XLM”; the XLM extension denotes an Excel file that contains Excel 4.0 macros:
For those not familiar with Form W-9 (Request for Taxpayer Identification Number and Certification), it is used by U.S. individuals to provide a correct taxpayer identification number (TIN) to payers (or brokers) who are required to file information returns with the IRS. Red flags that this is a phishing scam include the non-capitalization of “assistant” and the incorrect usage of “Treasure” instead of “Treasury” in the signature body. It should also be noted that the IRS does not communicate with U.S. taxpayers via email and instead uses the traditional postal service for all communications.
As in the sample covered in our recent Emotet blog, the XLM file prompts the user to enable macros when the file is opened.
The XLM file contains the following obfuscated Excel 4.0 macro:
The document contains five hidden sheets: “Vfrbuk1”, “Sheet”, “Lefasbor1”, “EFALGV”, “Je1” and “Je2”. Sheet EFALGV contains the main code, which uses the other sheets to assemble commands. It does this without user interaction, working behind the scenes to download a copy of Emotet from multiple remote locations:
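Before relying on a sandbox verdict, an analyst usually wants to see the layout described above for themselves: which sheets are hidden, which one is an Excel 4.0 macro sheet, and whether its formulas call functions that run code. The script below is an added example written for this post, not FortiGuard's code and not derived from the W-9 sample. It builds a constructed minimal .xlsm container (sheet names and formulas are made up), lists every sheet with its visibility state, identifies macro sheets by their relationship type in the OOXML package, and reports which code-running XLM functions each macro sheet calls. It understands only the OOXML zip container; the legacy binary .XLM file in the campaign is BIFF-encoded and needs a tool such as oletools' olevba instead.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
MACROSHEET_REL = "http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet"

# Excel 4.0 functions that let a macro sheet run code or build commands at
# run time; seeing them on a hidden sheet is what analysts triage first.
SUSPICIOUS_XLM = ("EXEC", "CALL", "REGISTER", "FORMULA", "RUN", "HALT")


def build_sample_workbook() -> bytes:
    """Constructed sample (not the real W-9 file): a minimal .xlsm container with
    a visible sheet, a 'hidden' helper sheet and a 'veryHidden' XLM macro sheet
    whose formulas assemble a string from the helper sheet and run it.
    Only the package parts the triage reads are included."""
    workbook = f"""<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}"><sheets>
  <sheet name="Sheet1" sheetId="1" r:id="rId1"/>
  <sheet name="Helper1" sheetId="2" state="hidden" r:id="rId2"/>
  <sheet name="Macro1" sheetId="3" state="veryHidden" r:id="rId3"/>
</sheets></workbook>"""
    rels = f"""<Relationships xmlns="{NS_PKG}">
  <Relationship Id="rId1" Type="{NS_REL}/worksheet" Target="worksheets/sheet1.xml"/>
  <Relationship Id="rId2" Type="{NS_REL}/worksheet" Target="worksheets/sheet2.xml"/>
  <Relationship Id="rId3" Type="{MACROSHEET_REL}" Target="macrosheets/sheet1.xml"/>
</Relationships>"""
    macro = f"""<macrosheet xmlns="{NS_MAIN}"><sheetData>
  <row r="1"><c r="A1"><f>FORMULA(Helper1!A1&amp;Helper1!A2,B1)</f></c></row>
  <row r="2"><c r="A2"><f>EXEC(B1)</f></c></row>
  <row r="3"><c r="A3"><f>HALT()</f></c></row>
</sheetData></macrosheet>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/_rels/workbook.xml.rels", rels)
        zf.writestr("xl/macrosheets/sheet1.xml", macro)
    return buf.getvalue()


def suspicious_functions(sheet_xml: bytes) -> list[str]:
    """Names from SUSPICIOUS_XLM that appear as function calls in the sheet's
    <f> formula elements, in order of first appearance."""
    found = []
    for el in ET.fromstring(sheet_xml).iter():
        if el.tag.rpartition("}")[2] != "f" or not el.text:
            continue
        for fn in SUSPICIOUS_XLM:
            if fn not in found and re.search(rf"\b{fn}\s*\(", el.text):
                found.append(fn)
    return found


def triage_workbook(data: bytes) -> list[dict]:
    """One record per sheet: name, visibility state, backing package part,
    whether it is an Excel 4.0 macro sheet and which suspicious functions it calls."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        rel_by_id = {}
        rels = ET.fromstring(zf.read("xl/_rels/workbook.xml.rels"))
        for rel in rels.iter(f"{{{NS_PKG}}}Relationship"):
            rel_by_id[rel.get("Id")] = (rel.get("Type", ""), rel.get("Target", ""))
        records = []
        for sheet in ET.fromstring(zf.read("xl/workbook.xml")).iter(f"{{{NS_MAIN}}}sheet"):
            rtype, target = rel_by_id.get(sheet.get(f"{{{NS_REL}}}id"), ("", ""))
            is_macro = rtype == MACROSHEET_REL or target.startswith("macrosheets/")
            records.append({
                "name": sheet.get("name"),
                "state": sheet.get("state", "visible"),  # visible | hidden | veryHidden
                "part": "xl/" + target,
                "macro": is_macro,
                "suspicious": suspicious_functions(zf.read("xl/" + target)) if is_macro else [],
            })
    return records


def verdict(records: list[dict]) -> str:
    """'malicious-likely' when a non-visible macro sheet calls a suspicious
    function, 'review' when any hidden or macro sheet exists, else 'clean'."""
    if any(r["macro"] and r["state"] != "visible" and r["suspicious"] for r in records):
        return "malicious-likely"
    if any(r["macro"] or r["state"] != "visible" for r in records):
        return "review"
    return "clean"


if __name__ == "__main__":
    recs = triage_workbook(build_sample_workbook())
    for r in recs:
        print(f'{r["name"]:<8} {r["state"]:<10} macro={r["macro"]!s:<5} {",".join(r["suspicious"])}')
    print("verdict:", verdict(recs))
```

The veryHidden state matters: a merely hidden sheet can be unhidden from the Excel UI, while veryHidden sheets can only be revealed through the VBA editor or by editing the package, which is why commodity loaders favour it and why the triage treats it the same as hidden.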
Another variation observed was sent to a State Attorney General’s office in the United States. The “From” address is clearly seen in the email. It was sent from an automotive tire shop located in Japan, which is most likely compromised and serves as an open mail relay:
Microsoft announced in January 2022 that Excel 4.0 macros are disabled by default starting in Excel (Build 16.0.14427.10000). The move came as no surprise because the feature is continuously abused by threat actors. Other welcome news from Microsoft is the restricted usage of macros in Access, Excel, PowerPoint, Visio, and Word by default starting in April 2022 via the disablement of VBA macros (also abused by Emotet). Based on the examples shown above, we can see this did not deter the attacker one bit from abusing Excel 4.0 macros.
Administrators can also control the use of Excel 4.0 macros through Group Policy, as well as cloud and ADMX policies; this control was introduced in July 2021. For details, see Microsoft’s Tech Community post “Restrict usage of Excel 4.0 (XLM) macros with new macro settings control”.
It’s important to note that these potential victims were not targeted. Emotet utilizes what is colloquially known in the industry as a “spray and pray” tactic to spread via malicious email campaigns. Emotet is known to have delivered other malware variants in the past, with the most disruptive being ransomware. Some ransomware as a service (RaaS) groups have specific policies to not deploy ransomware to government sectors, defense industry, and other critical infrastructures (hospitals, etc.). However, actual attacks are often carried out by RaaS affiliates who may or may not abide by the policy set by RaaS groups.
A different scam observed recently is an email with the subject line “NEW YEAR-NON-RESIDENT ALIEN TAX EXEMPTION UPDATE.” It carries an attachment titled “W8-ENFORM.PDF.” The PDF itself is not malicious: it is essentially a photocopy of the official IRS W-8 form, with a number appended by the bad actors at the end of the document.
Red flags within the body of the email are the improper usage of grammar, typos, and punctuation:
This scam uses social engineering language to target nonresident aliens of the United States on the pretext of a discovery in “official” records. However, in an odd miscue, the email contains a contradictory statement:
“if you are a USA citizen and resident, this W8BEN-FORM is not meant for you…”
The email continues with instructions to reply back and to state on the attached form that the recipient is, indeed, a U.S. citizen/resident. After this step is completed, the bad actor provides a different form to complete.
Once this form is filled out, all of the PII it contains appears to be sent to a phone number in the 806 area code, which is an area code in the state of Texas. At the time of writing, this number has an active fax service, most likely internet-based, that can receive the faxed content and forward it as an attachment to the malicious actor anywhere in the world. If there are many respondents, they could be using optical character recognition (OCR) to store victim data in a database for later use.
It is important to again note that the IRS does not handle any official correspondence via email. Official W-9 forms are available on the IRS Web page. Official W8 forms can be found here.
Spam commonly relies on techniques such as referencing current events (sports, tax season), using money as an incentive to click, playing on our natural greed (tax refunds, free money), and creating a sense of urgency so that we take immediate action.
In the example below, all three techniques are employed, albeit in a more unusual way – with an impassioned plea to give money to others with the subject line “URGENT RESPONSE REQUIRED! (UKRAINE).”
While the email does not contain a malicious attachment or link, the scammer asks for a response. Anyone who replies will likely receive a follow-up message requesting further information; the threat actor may then engage in dialog with the victim and ask for payment via wire transfer, third-party payment processors (such as Venmo, Zelle, etc.), or cryptocurrency. The sender uses a gmail.com address, most likely to evade spam filters.
The screenshot below highlights a brazenly opportunistic scam with the subject line “URGENT DONATION RESPONSE FOR WAR REFUGEE CAMP IN UKRAINE.” It purports to originate from a trusted organization, The United Nations. Red flags are the forged email address of the UN High Commissioner “info@seca[.]cam” in the “From” line, as well as some grammatical and punctuation errors. Another red flag is that the seca[.]cam domain was only registered a few weeks ago, on February 23, 2022.
Checking the Bitcoin wallet address, we can see that this is an active wallet that had its first transaction on September 29th, 2021. Since the first discovery of the campaign on the 7th of March, several transactions have been made to this wallet. Its current value at the time of writing is $46.82 USD, with total transactions valued at $712.79 USD. Assuming that this wallet was used for malicious purposes, it appears that various campaigns have netted the threat actor a modest profit. However, it can also be safely surmised that this might not be the scammer’s only wallet. As with the IRS, it is also important to mention that the U.N. will never send unsolicited emails for donations. For further details, please reference the U.N. Fraud Alert page.
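The red flags called out across these examples (urgency in the subject line, a display name claiming the IRS or the UN on an unrelated domain, a freemail sender, a sending domain registered days before the campaign, and a password-protected archive with the password in the body) are mechanical enough to check automatically at a mail gateway or in a SOC triage script. The Python below is an added example written for this post, not FortiGuard's code: it builds constructed messages modelled on the W-9, “URGENT RESPONSE REQUIRED! (UKRAINE)” and UN donation emails above plus a benign control, and returns the flags each one raises. Only the seca[.]cam domain and its February 23, 2022 registration date come from the post; every other address, name, and body is a placeholder, and the hard-coded registration lookup stands in for a WHOIS/RDAP query.

```python
import re
from datetime import date
from email.message import EmailMessage
from email.utils import parseaddr

# From the post: campaign first seen 2022-03-07, seca[.]cam registered 2022-02-23.
# A real deployment replaces DOMAIN_CREATED with a WHOIS/RDAP lookup.
SCAM_DOMAIN = "seca[.]cam"
OBSERVED = date(2022, 3, 7)
YOUNG_DOMAIN_DAYS = 30
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
URGENCY = re.compile(r"\b(URGENT|IMMEDIATE(LY)?|RESPONSE REQUIRED|ACT NOW)\b", re.I)
# Display-name claims that only these domains may legitimately back.
IMPERSONATION_RULES = (
    (re.compile(r"\b(IRS|Internal Revenue Service)\b", re.I), ("irs.gov",)),
    (re.compile(r"\b(UN|United Nations|UNHCR)\b"), ("un.org", "unhcr.org")),
)
ARCHIVE_EXT = (".zip", ".rar", ".7z")
MACRO_EXT = (".xlm", ".xls", ".xlsm", ".xlsb", ".doc", ".docm")


def refang(indicator: str) -> str:
    """Restore a defanged indicator copied from a report ('seca[.]cam')."""
    return indicator.replace("[.]", ".")


DOMAIN_CREATED = {refang(SCAM_DOMAIN): date(2022, 2, 23)}


def domain_matches(domain: str, allowed: tuple) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def sender_parts(msg: EmailMessage) -> tuple[str, str]:
    """(display name, lower-cased sender domain) from the From header."""
    name, addr = parseaddr(str(msg.get("From", "")))
    return name, addr.rpartition("@")[2].lower()


def body_text(msg: EmailMessage) -> str:
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body is not None else ""


def triage(msg: EmailMessage, observed: date = OBSERVED, created: dict = DOMAIN_CREATED) -> list[str]:
    """Return the red-flag codes raised by one message, in a fixed order."""
    flags = []
    name, domain = sender_parts(msg)
    if URGENCY.search(str(msg.get("Subject", ""))):
        flags.append("urgent_subject")
    for pattern, good_domains in IMPERSONATION_RULES:
        if pattern.search(name) and not domain_matches(domain, good_domains):
            flags.append("brand_domain_mismatch")
            break
    if domain in FREEMAIL and "urgent_subject" in flags:
        flags.append("freemail_sender")
    if domain in created and (observed - created[domain]).days < YOUNG_DOMAIN_DAYS:
        flags.append("young_domain")
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    if any(n.endswith(ARCHIVE_EXT) for n in names) and re.search(r"\bpassword\b", body_text(msg), re.I):
        flags.append("archive_with_password_in_body")
    if any(n.endswith(MACRO_EXT) for n in names):
        flags.append("macro_capable_attachment")
    return flags


def make_samples() -> dict[str, EmailMessage]:
    """Constructed messages modelled on the three scams in the post plus a
    benign control; all addresses except seca[.]cam are placeholders."""
    irs = EmailMessage()
    irs["From"] = "IRS Tax assistant <tax-assistant@tireshop.example>"
    irs["Subject"] = "Your W-9 form"
    irs.set_content("Please complete the attached form. Password for the archive: 7731")
    irs.add_attachment(b"PK\x03\x04 constructed, not a real archive",
                       maintype="application", subtype="zip", filename="W-9 form.zip")
    plea = EmailMessage()
    plea["From"] = "Anna Nowak <constructed.sender@gmail.com>"
    plea["Subject"] = "URGENT RESPONSE REQUIRED! (UKRAINE)"
    plea.set_content("Please reply to this email so I can tell you how to help.")
    un = EmailMessage()
    un["From"] = f"UN High Commissioner <info@{refang(SCAM_DOMAIN)}>"
    un["Subject"] = "URGENT DONATION RESPONSE FOR WAR REFUGEE CAMP IN UKRAINE"
    un.set_content("Donate to the wallet below. Reply for details.")
    ok = EmailMessage()
    ok["From"] = "Payroll <payroll@corp.example>"
    ok["Subject"] = "March timesheet reminder"
    ok.set_content("Timesheets are due Friday.")
    return {"irs": irs, "plea": plea, "un": un, "benign": ok}


if __name__ == "__main__":
    for label, sample in make_samples().items():
        print(f"{label:<7} {triage(sample)}")
```

None of these flags is conclusive on its own (legitimate newsletters use urgent subjects, and small businesses send from freemail), which is why the function returns every flag rather than a single verdict: a gateway can quarantine on two or more, and an analyst can see which specific claim the message failed.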
With the current tragic situation in Ukraine unfolding, internal chatter within ransomware groups has surfaced. Some ransomware groups side with Russia and other groups side with the West. A well-known RaaS group (which used Emotet)—that we will not publicize for obvious reasons—has made a very strong statement that any attacks directed towards Russia will be met with a retaliatory act towards the West.
As the situation is fluid, and with potentially compromised government sectors likely being infected or targeted with ransomware at this very moment either for monetary or political reasons, this threat is not out of the question. The point is that important sectors such as government agencies are no longer exempt from attacks, especially from Emotet threat actors, regardless of bias or opinion.
Phishing scams aren’t going anywhere. They are a part of the threat landscape and will likely always be a component of an attacker’s arsenal, because the return on investment for an attacker is very high. A crafted email containing specific language designed to trick users into opening an attachment, following a link, responding with confidential or sensitive information, etc. will always work on a percentage of targets. This is because of the one major weakness security software cannot address: the human element.
Training programs constantly remind and teach users how to spot malicious email/phishing/spearphishing scams for a good reason. Out of thousands of recipients, it only takes a few to respond to make it all worthwhile to an attacker. And when the right person falls prey it can unleash a trove of information to the attacker that can be exploited for various purposes. Although such scams are well known and publicized, they are still pervasive for one simple fact—they work and will continue to work for the foreseeable future.
Threat actors are playing the numbers game. If they spam out 1,000 emails at a very minimal cost, and 10 people bite giving them valuable data, then the effort spent was well worth the return on investment.
Fortinet customers are protected from this campaign by FortiGuard Web Filtering, AntiVirus, FortiMail, FortiClient, FortiEDR, and CDR (content disarm and reconstruction) services, as follows:
The malicious macro inside the Excel sample (Emotet) can be disarmed by the FortiGuard CDR (content disarm and reconstruction) service.
FortiEDR detects both the Excel file and Emotet-related files as malicious based on behavior.
All relevant URIs to campaigns mentioned in the blog are blocked by the FortiGuard Web Filtering service.
The malicious Excel sample and associated downloaded files are detected as “XML/Dloader.802!tr”, “W32/Emotet.C!tr”, “W32/Emotet.CV!tr”, and “W32/Emotet.1150!tr” and are blocked by the FortiGuard AntiVirus service.
The IRS phishing email targeting nonresident aliens is detected as:
URGENT RESPONSE REQUIRED! (UKRAINE) campaign
is classified as a spam server and is blocked by our Web Filtering client.
URGENT DONATION RESPONSE FOR WAR REFUGEE CAMP IN UKRAINE campaign
is classified as a spam sender and is blocked by the Web Filtering client.
Fortinet has multiple solutions designed to help train users to understand and detect phishing threats:
The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.
In addition to these protections, we suggest that organizations also have their end users go through our FREE NSE training: NSE 1 – Information Security Awareness. It includes a module on Internet threats that is designed to help end users learn how to identify and protect themselves from various types of phishing attacks.
Many thanks to Fred Gutierrez and Geri Revay for their contributions to this blog.
Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.