A new phishing campaign has been detected targeting U.S. taxpayers offering fake tax refunds. The emails spoof the Internal Revenue Service (IRS) and claim that the recipient is entitled to claim a tax refund.
The emails include a “Login Right here” button for users to click to arrange their tax refund together with a one-time password. If the button is clicked, the user will be directed to a spoofed IRS login page where the password must be entered. The user the then asked to download a document which needs to be printed, signed, and returned to the IRS, which is needed for the refund to be processed.
The document is included in a zip file – called document.zip – that includes a highly obfuscated and encrypted Visual Basic script, which drops an executable file called ZjOexiPr.exe into the C:\Users\Byte\AppData\Local\Temp\ folder.
That executable installs another executable called kntd.exe in the C:\ProgramData\0fa42aa593 folder. That second executable then downloads the Amadey botnet – a relatively new and flexible botnet that first appeared in early 2019.
If the botnet is installed, the attacker can take full control of an infected device. Persistence is achieved via a key that is added to the Startup registry.
The campaign was identified by researchers at Cofense who have observed the botnet being used for DDoS attacks, logging keystrokes and stealing login credentials. The botnet is also being used to deliver the FlawedAmmy RAT and a ransomware payload.
The email is poorly written and includes no IRS logos, which should tip off security conscious employees that all is not as it seems. Further, if the hyperlink is checked, the user will see that it does not link to an IRS domain and the URL of the website does not start with https. It will also be labeled as not secure by the browser.
However, even these warning signs may be missed by some individuals and the offer of a refund may be enough to entice the user to download the form and unwittingly install the botnet.