Watch out – those IRS tax forms might actually just be malware

The US tax season is upon us, which means one thing: hackers will impersonate the Internal Revenue Service (IRS) to steal money and sensitive information from businesses of all kinds and sizes.
Cybersecurity researchers from two companies, Palo Alto Networks and Malwarebytes, have discovered two malicious campaigns that do exactly that, each taking a slightly different approach.
In one campaign, attackers impersonate the IRS and share fake W-9 tax forms via email. The "form" is in fact the Emotet malware, which can steal sensitive data from infected endpoints and use that data to spread itself further. Emotet can also act as a dropper, allowing threat actors to deliver other types of malware, including ransomware.
Word and OneNote files
In this campaign, the attackers send a Word document containing the malware, padded to over 500MB to evade antivirus scanners. However, since Microsoft now blocks macros in Office files downloaded from the internet, this campaign will most likely fail.
The second campaign differs in that, instead of Word files, the attackers distribute OneNote files carrying malicious embedded attachments.
These are not yet blocked when downloaded from the internet, so the success rate will probably be somewhat higher. In this campaign, the attackers share a "protected" (apparently obscured) notebook (a .one file) and ask the user to click "Unlock", "View", or a similar call to action. What the click actually does is run the embedded attachment, which downloads the Emotet malware.
The second major difference is that these files do not come from a fake IRS but from fake partners, customers, or other businesses the victim deals with.
Tax forms are usually distributed as .PDF files rather than .DOCX files, which is probably the easiest way to spot this attack. Furthermore, OneNote isn't exactly the most popular productivity tool, so receiving a notebook file at all should be a warning sign.
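The three warning signs the article describes (a tax form that is not a PDF, an Office document padded to an absurd size, and an unsolicited OneNote notebook from outside the organisation) can be turned into a simple mail-gateway triage rule. The following Python is an added example written for this page, not code from the article, Palo Alto Networks, Malwarebytes or BleepingComputer; the attachment records, the 50MB size threshold and the "external sender" flag are constructed assumptions, and real gateways would feed it from their own message metadata.

```python
import os
import re
from dataclasses import dataclass

# Filenames that claim to be US tax paperwork (W-9, W-2, 1099, 1040, "IRS").
# Lookarounds are used instead of \b because "_" counts as a word character
# and would otherwise hide "w-9_form" from the match.
TAX_FORM_PATTERN = re.compile(
    r"(?<![a-z0-9])(w-?9|w-?2|1099|1040|irs)(?![a-z0-9])", re.IGNORECASE
)
OFFICE_EXTS = {".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx"}
ONENOTE_EXTS = {".one"}
# Assumed threshold: a genuine tax form is a few hundred KB, while the
# campaign in the article pads its Word documents to over 500MB.
OVERSIZED_DOC_BYTES = 50 * 1024 * 1024


@dataclass
class Attachment:
    filename: str
    size_bytes: int
    sender_is_external: bool  # assumed flag supplied by the mail gateway


def triage_attachment(att: Attachment) -> list[str]:
    """Return the list of red flags raised by one attachment (empty if none)."""
    reasons = []
    ext = os.path.splitext(att.filename.lower())[1]
    claims_tax_form = bool(TAX_FORM_PATTERN.search(att.filename))

    if claims_tax_form and ext != ".pdf":
        reasons.append("tax form delivered as %s instead of .pdf" % ext)
    if ext in OFFICE_EXTS and att.size_bytes > OVERSIZED_DOC_BYTES:
        reasons.append("Office document oversized (%d MB), possible padding"
                       % (att.size_bytes // (1024 * 1024)))
    if ext in ONENOTE_EXTS and att.sender_is_external:
        reasons.append("OneNote notebook from an external sender")
    return reasons


def verdict(att: Attachment) -> str:
    """Quarantine anything with at least one red flag, deliver the rest."""
    return "quarantine" if triage_attachment(att) else "deliver"


def triage_all(attachments: list[Attachment]) -> dict[str, str]:
    """Map each filename to its verdict, for the whole message."""
    return {att.filename: verdict(att) for att in attachments}


# Constructed sample attachments: one genuine-looking PDF, the padded Word
# W-9 from the first campaign, the external OneNote notebook from the second,
# and two benign documents that should pass.
SAMPLE_ATTACHMENTS = [
    Attachment("W-9_2023.pdf", 240 * 1024, True),
    Attachment("W-9_2023.docx", 600 * 1024 * 1024, True),
    Attachment("Invoice_1099.one", 2 * 1024 * 1024, True),
    Attachment("meeting_notes.one", 2 * 1024 * 1024, False),
    Attachment("proposal.docx", 800 * 1024, True),
]

if __name__ == "__main__":
    for att in SAMPLE_ATTACHMENTS:
        print(att.filename, verdict(att), triage_attachment(att))
```

The rule deliberately stays narrow: an internal colleague sharing a OneNote notebook, or an ordinary external proposal in Word, passes through, while a "W-9" that arrives as a half-gigabyte .docx or a "1099" packed into a .one file is held for review. Size padding is checked only for Office types, since large PDFs and spreadsheets with real content are common enough to make a blanket size limit noisy.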
Via: BleepingComputer