Emotet

A new Emotet phishing campaign is targeting U.S. taxpayers by impersonating W-9 tax forms allegedly sent by the Internal Revenue Service and companies you work with.

Emotet is a notorious malware infection distributed through phishing emails that in the past contained Microsoft Word and Excel documents with malicious macros that install the malware.

However, after Microsoft began blocking macros by default in downloaded Office documents, Emotet switched to using Microsoft OneNote files with embedded scripts to install the Emotet malware.

Once Emotet is installed, the malware will steal victims' emails to use in future reply-chain attacks, send further spam emails, and ultimately install other malware that provide initial access to other threat actors, such as ransomware gangs.

Emotet gears up for the US tax season

The Emotet malware operations commonly use themed phishing campaigns to coincide with holidays and yearly business activities, such as the current U.S. tax season.

In new phishing campaigns seen by security researchers at Malwarebytes and Palo Alto Networks Unit42, the Emotet malware targets users with emails containing fake W-9 tax form attachments.

In the campaign seen by Malwarebytes, the threat actors send emails titled 'IRS Tax Forms W-9,' while impersonating an 'Inspector' from the Internal Revenue Service.

These phishing emails contain a ZIP archive named 'W-9 form.zip' that contains a malicious Word document. This Word document has been inflated to over 500MB to make it harder for security software to detect it as malicious.

Emotet email impersonating the IRS
Emotet email impersonating the IRS
Source: Malwarebytes

However, now that Microsoft is blocking macros by default, users are less likely to go through the trouble of enabling the macros and become infected using malicious Word documents.

Emotet Word Document
Emotet Word Document
Source: BleepingComputer

In a phishing campaign seen by Brad Duncan of Unit42, the threat actors bypass these restrictions by using Microsoft OneNote documents with embedded VBScript files that install the Emotet malware.

This phishing campaign uses reply-chain emails containing pretending to be from business partners sending you W-9 Forms, as shown below.

Emotet reply-chain email with malicious Microsoft OneNote attachments
Emotet reply-chain email with malicious Microsoft OneNote attachments
Source: Unit42

The attached OneNote documents will pretend to be protected, requesting that you double-click the 'View' button to see the document correctly. However, hidden underneath that View button is a VBScript document that will be launched instead.

Malicious Microsoft OneNote file impersonating a W-9 form
Malicious Microsoft OneNote file impersonating a W-9 form
Source: BleepingComputer

When launching the embedded VBScript file, Microsoft OneNote will warn the user that the file may be malicious. Unfortunately, history has shown us that many users ignore these warnings and simply allow the files to run.

Once executed, the VBScript will download the Emotet DLL and run it using regsvr32.exe.

The malware will now quietly run in the background, stealing email, contacts, and waiting for further payloads to install on the device.

If you receive any emails claiming to be W-9 or other tax forms, first scan the documents with your local antivirus software. However, due to the sensitive nature of these forms, it is not suggested that you upload them to cloud-based scanning services like VirusTotal.

Normally, tax forms are distributed as PDF documents and not as Word attachments, so if you receive one, you should avoid opening it and enabling macros.

Finally, it is doubtful that tax forms would ever be sent as OneNote documents, so immediately delete the email and do not open it if you receive one.

As always, the best line of defense is to discard any email from people you do not know, and if you do know them, contact them by phone first to confirm if they sent it.

Related Articles:

Hackers abuse Google Cloud Run in massive banking trojan campaign

New Qbot malware variant uses fake Adobe installer popup for evasion

Microsoft Teams phishing pushes DarkGate malware via group chats

PyPI suspends new user registration to block malware campaign

Cisco warns of password-spraying attacks targeting VPN services