A new phishing campaign is using Emotet malware to target U.S. taxpayers by impersonating W-9 tax forms that were allegedly sent by the Internal Revenue Service (IRS) and companies people work with.
Emotet is a notorious malware infection that is usually distributed through phishing emails containing Microsoft Word and Excel documents with malicious macros that install the malware.
However, after Microsoft began blocking macros by default, Emotet switched to using Microsoft OneNote files with embedded scripts to install the malware. Once installed, Emotet can steal victims’ emails, send spam emails, and install other malware that provides initial access to other threat actors, such as ransomware gangs.
The phishing campaign seen by Malwarebytes and Palo Alto Networks Unit42 sends emails with a ZIP archive named ‘W-9 form.zip’ that contains a malicious Word document inflated to over 500MB to make it harder for security software to detect it as malicious.
The new phishing campaign is part of a series of themed phishing campaigns launched by Emotet to coincide with holidays and yearly business activities, such as the current U.S. tax season.
The emails contain a fake W-9 tax form attachment, and the threat actors impersonate an ‘Inspector’ from the IRS. In one phishing campaign seen by Brad Duncan of Unit42, the threat actors bypassed Microsoft’s blocking of macros by using Microsoft OneNote documents with embedded VBScript files that install the Emotet malware. The emails contain reply-chain emails pretending to be from business partners sending W-9 Forms, and the attached OneNote documents will pretend to be protected, requesting that users double-click the ‘View’ button to see the document correctly.
However, hidden underneath that View button is a VBScript document that will be launched instead.
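The two attachment traits described above, an oversized null-padded Office document inside a ZIP and a OneNote file that can carry a script, can both be flagged at the mail gateway before anyone sees the lure. The following Python check is an added example, not code from the original article or from Malwarebytes or Unit42; the thresholds, file names and sample archives are constructed for illustration.

```python
import io
import os
import zipfile

# Thresholds are constructed for this example; tune them for your own gateway.
MAX_DOC_BYTES = 100 * 1024 * 1024   # Office documents above this size are suspicious
MAX_RATIO = 50.0                    # null-padded documents compress almost completely
OFFICE_EXTS = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx")
ONENOTE_EXTS = (".one",)


def inspect_attachment(filename: str, data: bytes) -> list[str]:
    """Return findings for one attachment; an empty list means nothing flagged.
    ZIP members are judged from central-directory metadata only, so an
    inflated 500MB document is never decompressed by the check itself."""
    lower = filename.lower()
    if lower.endswith(ONENOTE_EXTS):
        return [f"{filename}: OneNote attachment (may carry an embedded script)"]
    if not lower.endswith(".zip"):
        return []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{filename}: malformed ZIP archive"]
    findings = []
    for info in zf.infolist():
        member = info.filename.lower()
        if member.endswith(ONENOTE_EXTS):
            findings.append(f"{filename}!{info.filename}: OneNote file inside ZIP")
        elif member.endswith(OFFICE_EXTS):
            ratio = info.file_size / max(info.compress_size, 1)
            if info.file_size > MAX_DOC_BYTES or ratio > MAX_RATIO:
                findings.append(f"{filename}!{info.filename}: inflated document "
                                f"({info.file_size} bytes, {ratio:.0f}:1 compression)")
    return findings


def build_zip(member_name: str, payload: bytes) -> bytes:
    """Build an in-memory ZIP with a single member (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed samples: a lure-style archive whose document is padded with
# nulls (4 MiB here instead of 500MB), and a benign archive with ordinary data.
INFLATED_ZIP = build_zip("W-9 form.doc", b"\xd0\xcf\x11\xe0" + b"\x00" * (4 * 1024 * 1024))
BENIGN_ZIP = build_zip("invoice.docx", os.urandom(64 * 1024))
```

The size and ratio come from the ZIP central directory, so the check stays cheap even when the inflated member is hundreds of megabytes; pair it with content scanning of whatever passes.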
Users are advised not to open any emails claiming to be W-9 or other tax forms, to scan any documents with local antivirus software before opening them, and to delete any emails containing OneNote documents immediately.
Since tax forms are usually distributed as PDF documents and not as Word attachments, people should avoid opening them and enabling macros. It is also doubtful that tax forms would ever be sent as OneNote documents.
The best line of defense is to discard any email from people you do not know, and if you do know them, contact them by phone first to confirm if they sent it.