Threat Research

The Taxman Never Sleeps

By James Slaughter | December 21, 2022

For most people, taxes are a certainty. In the United States and Canada, tax forms are usually submitted by individuals and businesses in the spring (although, due to COVID, extensions were granted for anyone who asked for them). So, our interest was piqued when we came across an e-mail that included a tax form seemingly from the United States Internal Revenue Service (IRS) in early November.

Affected Platforms: Windows
Impacted Users: Windows users
Impact: Potential to deploy additional malware for additional purposes
Severity Level: Medium

The e-mail FortiGuard Labs discovered was, unsurprisingly, malicious. But what was interesting was that it had been sent by the recently resurgent Emotet group. Emotet (aka Geodo and Heodo) began life as a banking Trojan but has since morphed into a jack-of-all-trades tool that can exploit several vulnerabilities to compromise its victims. Once it has infected a system, it typically delivers additional payloads. And because it is modular, it is easily customizable by its users. This flexibility and resiliency are part of why Emotet has managed to survive at least one coordinated industry/law enforcement takedown in 2021.

The phishing e-mail

Although claiming to be from “IRS.gov,” this phishing e-mail originated from an organization’s compromised e-mail account in Pakistan. The subject and body claim that the recipient’s IRS K-1 forms are attached in a Zip archive encrypted with the password “0440”.

Schedule K-1 is a US federal tax document that reports income, losses, and dividends for a business or financial entity's partners or an S corporation's shareholders to the IRS. Because the content of these forms must be added to an individual’s annual tax return, they must be submitted one month before (March 15) the individual income tax deadline of April 15. This is why seeing a Schedule K-1 form attached to an email on November 8th was a red flag.


Figure 1. Phishing e-mail.

A Zip archive, “K-1 form.zip”, and an image of the IRS logo are attached to the email.

K-1 form.zip

Figure 2. Encrypted and password-protected Zip archive.

This “K-1 form.zip” file is an encrypted Zip archive that requires a password to unpack. Its password, “0440”, is included in the body of the e-mail. It allows the “K-1 form.xls” to be opened.

K-1 form.xls

Once opened, the file is an Excel spreadsheet with an interesting banner. It exhorts the user, “in accordance with the requirements of your security policy,” to copy the file into the “Templates” directory of whichever version of Microsoft Office is being used and then relaunch it.

Figure 3. K-1 form.xls as it appears to the user.

The file has several worksheets (seven in total). Six of those sheets are protected, so they can’t be changed, and the user cannot view their contents directly.

As you might suspect, this spreadsheet includes a malicious Excel 4.0 macro. An entry in “Manage Names”—“Excel_BuiltIn_Auto_Open”—is set to execute a command in a cell in the only sheet in the workbook that isn’t protected.

Figure 4. Auto-open settings for the spreadsheet.

A deeper look at Sheet6 shows that column “G” has been hidden.

Figure 5. Columns E, F, and H, with column G hidden

Python scripting reveals more information about how this malicious file functions.

Figure 6. Details of the K-1 form.xls hidden from view.

Using the Python library “openpyxl”, we could view details hidden in each of the worksheets. As shown in Figure 6, several rows and columns have hidden content.

For example, by drilling deeper into the data for “Sheet4,” several URL fragments are revealed.

Figure 7. URL fragments in Sheet 4.

Some further scripting helps piece these fragments together.

Figure 8. URL fragments pieced together.

This reveals four possible download locations for the next stage payload.

Figure 9. Possible payload download locations.
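The inspection described above (an auto-open defined name pointing at a cell in the one unprotected sheet, a hidden column, and URL fragments spread over hidden rows of a hidden sheet) can be reproduced without openpyxl by reading the OOXML container directly. The following is an added example, not the article's script and not the K-1 form.xls sample: it builds a small workbook in memory that mimics that layout, using placeholder names and a placeholder host, and assumes an OOXML (.xlsx-style) zip container; a legacy binary BIFF .xls would need a different parser. The `_xlnm.Auto_Open` name is how the OOXML format stores the built-in Auto_Open name that Figure 4 shows as “Excel_BuiltIn_Auto_Open”.

```python
"""Stdlib-only static triage of an OOXML workbook. Constructed example: the workbook
built below is a placeholder that mimics the lure's layout, not the article's file."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

M = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
P = "http://schemas.openxmlformats.org/package/2006/relationships"
NS = {"m": M, "p": P}

# Constructed workbook parts; the fragments spell out a placeholder host, not an IOC.
WORKBOOK = f"""<workbook xmlns="{M}" xmlns:r="{R}">
  <sheets>
    <sheet name="Sheet1" sheetId="1" r:id="rId1"/>
    <sheet name="Sheet4" sheetId="4" state="veryHidden" r:id="rId2"/>
  </sheets>
  <definedNames><definedName name="_xlnm.Auto_Open">Sheet1!$G$1</definedName></definedNames>
</workbook>"""
RELS = f"""<Relationships xmlns="{P}">
  <Relationship Id="rId1" Target="worksheets/sheet1.xml"/>
  <Relationship Id="rId2" Target="worksheets/sheet4.xml"/>
</Relationships>"""
SHEET1 = f"""<worksheet xmlns="{M}">
  <cols><col min="7" max="7" width="9" hidden="1"/></cols>
  <sheetData><row r="1"><c r="A1" t="inlineStr"><is><t>Copy this file to Templates</t></is></c>
    <c r="G1"><f>CALL_PLACEHOLDER()</f></c></row></sheetData>
</worksheet>"""
SHEET4 = f"""<worksheet xmlns="{M}">
  <sheetData>
    <row r="3" hidden="1"><c r="B3" t="inlineStr"><is><t>http://c2-placeholder.exa</t></is></c></row>
    <row r="5" hidden="1"><c r="B5" t="inlineStr"><is><t>mple.invalid/sta</t></is></c></row>
    <row r="7" hidden="1"><c r="B7" t="inlineStr"><is><t>ge2/</t></is></c></row>
  </sheetData>
</worksheet>"""


def build_sample_xlsx() -> bytes:
    """Pack the constructed parts into a minimal zip container (enough for triage)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", WORKBOOK)
        zf.writestr("xl/_rels/workbook.xml.rels", RELS)
        zf.writestr("xl/worksheets/sheet1.xml", SHEET1)
        zf.writestr("xl/worksheets/sheet4.xml", SHEET4)
    return buf.getvalue()


def _col_index(letters: str) -> int:
    """Column letters to a 1-based index (A=1, G=7, AA=27), matching <col min/max>."""
    n = 0
    for ch in letters:
        n = n * 26 + ord(ch) - 64
    return n


def _cell_text(c, shared):
    """A cell's formula (prefixed '=') or its string value, resolving shared strings."""
    f = c.find("m:f", NS)
    if f is not None and f.text:
        return "=" + f.text
    if c.get("t") == "s":
        v = c.find("m:v", NS)
        return shared[int(v.text)] if v is not None else None
    t = c.find("m:is/m:t", NS)
    return t.text if t is not None else None


def triage_xlsx(data: bytes) -> dict:
    """List hidden sheets, auto-open names, and every cell the Excel UI would hide."""
    report = {"hidden_sheets": [], "auto_open_names": [], "hidden_cells": {}, "reassembled": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        wb = ET.fromstring(zf.read("xl/workbook.xml"))
        rels = ET.fromstring(zf.read("xl/_rels/workbook.xml.rels"))
        targets = {r.get("Id"): "xl/" + r.get("Target") for r in rels.findall("p:Relationship", NS)}
        shared = []
        if "xl/sharedStrings.xml" in zf.namelist():
            ss = ET.fromstring(zf.read("xl/sharedStrings.xml"))
            shared = ["".join(t.text or "" for t in si.iter(f"{{{M}}}t")) for si in ss.findall("m:si", NS)]
        for dn in wb.findall("m:definedNames/m:definedName", NS):
            if "auto_open" in (dn.get("name") or "").lower():  # _xlnm.Auto_Open / Excel_BuiltIn_Auto_Open
                report["auto_open_names"].append((dn.get("name"), dn.text))
        for sh in wb.findall("m:sheets/m:sheet", NS):
            name, state = sh.get("name"), sh.get("state", "visible")
            if state != "visible":
                report["hidden_sheets"].append((name, state))
            ws = ET.fromstring(zf.read(targets[sh.get(f"{{{R}}}id")]))
            hidden_cols = set()
            for col in ws.findall("m:cols/m:col", NS):
                if col.get("hidden") == "1":
                    hidden_cols.update(range(int(col.get("min")), int(col.get("max")) + 1))
            found = []
            for row in ws.findall("m:sheetData/m:row", NS):
                row_hidden = row.get("hidden") == "1"
                for c in row.findall("m:c", NS):
                    letters, num = re.match(r"([A-Z]+)(\d+)", c.get("r")).groups()
                    text = _cell_text(c, shared)
                    if text and (row_hidden or state != "visible" or _col_index(letters) in hidden_cols):
                        found.append((_col_index(letters), int(num), c.get("r"), text))
            if found:
                found.sort()  # column-major, then row order: the order fragments were laid out in
                report["hidden_cells"][name] = [(ref, text) for _, _, ref, text in found]
                report["reassembled"][name] = "".join(text for *_, text in found)
    return report
```

Running `triage_xlsx(build_sample_xlsx())` reports Sheet4 as `veryHidden`, the `_xlnm.Auto_Open` name and its target cell, the hidden-column cell G1 on Sheet1, and the three hidden-row fragments on Sheet4 joined back into one URL. Against a real sample, the `reassembled` string per sheet is only a first approximation: the macro may interleave fragments with string formulas, so the `hidden_cells` list is what to read when the join does not look like a URL.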

Depending on which URL is used, the downloaded payload is saved as oxnv1.ooccxx through oxnv4.ooccxx. The macro then attempts to launch this payload via “regsvr32.exe” using the command “C:\Windows\System32\regsvr32.exe /S ..\oxnv[n].ooccxx”.

This executable is Emotet.

oxnv[n].ooccxx

The Emotet payload is a Windows Dynamic Link Library (DLL) file. Our analysis shows that it was compiled just before the email for this campaign was sent out.

Figure 10. Emotet file timestamp.

Unusually, this DLL has over 270 export functions!

Figure 11. A partial list of export functions.

As can be seen in Figure 11, the function names are randomized. The vast majority simply return to the caller without doing anything, which appears to be an anti-analysis/anti-debugging technique.

Figure 12. Typical export function.
Figure 13. The same function as code.

When executed, “oxnv[n].ooccxx” is copied to a randomly named directory under “C:\Windows\System32” and then renamed to an equally random name. The regsvr32.exe process is restarted to use the renamed file in its new location.

Figure 14. Randomly named directory under “C:\Windows\System32”.
Figure 15. Randomly named DLL inside a randomly named directory.
Figure 16. Process restart.

Once Emotet is up and running, it attempts to contact one of its Command and Control (C2) server nodes. In this case, 20 possible IPs are used (shown in the IOC section below). The malware loops through each sequentially until contact is made. If the attempts are unsuccessful, it pauses and then cycles through again for as long as required.
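The execution chain described in the last few paragraphs (Excel spawning regsvr32.exe on a relative path with a non-DLL extension, then regsvr32.exe restarting itself on a randomly named file in a randomly named directory under C:\Windows\System32) leaves a recognisable pattern in process-creation telemetry. The following is an added detection sketch, not a Fortinet signature: it runs a few rules over constructed, Sysmon-like process-creation events. The directory and module names in event 2 are placeholders standing in for the random names the article shows, and the third event is a benign negative case.

```python
"""Flag regsvr32.exe process-creation events matching the chain described above.
Constructed, Sysmon-like events (not real telemetry); paths and names are placeholders."""
import ntpath  # Windows path semantics regardless of the host OS
import re

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
MODULE_EXTS = {".dll", ".ocx", ".ax"}  # what regsvr32 normally registers
SYS32_SUBDIR = re.compile(r"^c:\\windows\\system32\\[^\\]+\\[^\\]+$", re.I)

SAMPLE_EVENTS = [
    {   # Office spawning regsvr32 on a relative, non-DLL-named file (the chain in the article)
        "id": 1,
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "image": r"C:\Windows\System32\regsvr32.exe",
        "command_line": r"C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx",
    },
    {   # regsvr32 restarting itself on a module in a fresh System32 subdirectory (placeholder names)
        "id": 2,
        "parent_image": r"C:\Windows\System32\regsvr32.exe",
        "image": r"C:\Windows\System32\regsvr32.exe",
        "command_line": r'C:\Windows\System32\regsvr32.exe "C:\Windows\System32\Qkwzrv\Hlmtpa.dll"',
    },
    {   # installer registering a vendor DLL, kept as a negative case
        "id": 3,
        "parent_image": r"C:\Windows\System32\msiexec.exe",
        "image": r"C:\Windows\System32\regsvr32.exe",
        "command_line": r'regsvr32.exe /s "C:\Program Files\Vendor\vendorctl.dll"',
    },
]


def module_from_cmdline(cmdline: str):
    """Return the module path argument, skipping the executable and /s /i /u /n style switches."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    args = [t for t in tokens[1:] if not t.startswith(("/", "-"))]
    return args[-1] if args else None


def assess_regsvr32(event: dict) -> list:
    """Return the signals an event trips; an empty list means nothing notable."""
    if ntpath.basename(event["image"]).lower() != "regsvr32.exe":
        return []
    signals = []
    if ntpath.basename(event["parent_image"]).lower() in OFFICE_PARENTS:
        signals.append("office_parent")
    module = module_from_cmdline(event["command_line"])
    if module:
        if module.startswith((".\\", "..\\")):
            signals.append("relative_module_path")
        if ntpath.splitext(module)[1].lower() not in MODULE_EXTS:
            signals.append("non_dll_extension")
        if SYS32_SUBDIR.match(module):  # tune against your baseline; some products do install here
            signals.append("module_in_system32_subdirectory")
    return signals


def scan(events) -> dict:
    """Map event id to its signals, dropping events that tripped nothing."""
    result = {}
    for event in events:
        signals = assess_regsvr32(event)
        if signals:
            result[event["id"]] = signals
    return result


if __name__ == "__main__":
    for event_id, signals in scan(SAMPLE_EVENTS).items():
        print(event_id, signals)
```

Event 1 trips three signals at once (Office parent, relative path, non-DLL extension), which is a strong combination on its own; event 2 trips only the System32-subdirectory rule, so that one is better treated as a hunting query joined with file-creation events for the same directory than as a standalone alert.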

Conclusion

The spectre of the IRS is not a new phishing lure, especially during tax season. Even though the IRS will never initiate contact with taxpayers by email, few things motivate recipients to act (and, as a result, be less cautious) than thinking the IRS has contacted them. This threat is especially interesting because it was delivered outside the usual time frame for tax-based phishing. It is also a warning that when you receive an unusual email like this, it is best to treat it with caution because Emotet and other similar threat actors will be hoping that fear will cause caution to be abandoned.

Fortinet Protections

Fortinet customers are already protected from this malware through FortiGuard’s Web Filtering, AntiVirus, FortiMail, FortiClient, and FortiEDR services, as follows:

The following antivirus (AV) signatures detect the malware samples mentioned in this blog:

MSExcel/Agent.DKF!tr.dldr

W32/Emotet.PACA!tr

The WebFiltering client blocks all network-based URIs.

Fortinet has multiple solutions designed to help train users to understand and detect phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

In addition to these protections, we suggest that organizations have their end users undergo our FREE NSE training: NSE 1 – Information Security Awareness. It includes a module on Internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks.

IOCs

File-based IOCs:

Filename | SHA256
K-1 form.zip | be2bb6f684cd23a66667a563a78ebfa43de4bb958dc0465a830229a9b927b714
K-1.xls | 8c3cfdd7e1e162129eedf2c3d9f6f63c133622bfe5d04bccbd823486a85b69ed
oxnv[n].ooccxx | 9efdbe83c874a14282b0105fcec8dc46d9ba1de6496f5d570fa14915b8fd3285

Network-based IOCs:

IOC | IOC type
hXXp://www[.]spinbalence[.]com/admin3693/Z6WQpmNRNj6041fU2zpt/ | C2
hXXp://kabaruntukrakyat[.]com/wp-content/ES/ | C2
hXXps://chobemaster[.]com/INFECTED/LEdXM4gdwN4mgnlC/ | C2
hXXp://cngst[.]com/data/fXWpDbJ3KwAybE/ | C2
45[.]235[.]8[.]30:8080 | C2
94[.]23[.]45[.]86:4143 | C2
119[.]59[.]103[.]152:8080 | C2
169[.]60[.]181[.]70:8080 | C2
164[.]68[.]99[.]3:8080 | C2
172[.]105[.]226[.]75:8080 | C2
107[.]170[.]39[.]149:8080 | C2
206[.]189[.]28[.]199:8080 | C2
1[.]234[.]2[.]232:8080 | C2
188[.]44[.]20[.]25:443 | C2
186[.]194[.]240[.]217:443 | C2
103[.]43[.]75[.]120:443 | C2
149[.]28[.]143[.]92:443 | C2
159[.]89[.]202[.]34:443 | C2
209[.]97[.]163[.]214:443 | C2
183[.]111[.]227[.]137:8080 | C2
129[.]232[.]188[.]93:443 | C2
139[.]59[.]126[.]41:443 | C2
110[.]232[.]117[.]186:8080 | C2
139[.]59[.]56[.]73:8080 | C2
