Emotet malware, a notorious infection distributed through phishing emails, is targeting US taxpayers through a new phishing campaign. The campaign is impersonating W-9 tax forms allegedly sent by the Internal Revenue Service (IRS) and companies the target works with. The campaign coincides with the current US tax season.
Security researchers at Malwarebytes and Palo Alto Networks Unit42 have discovered the new phishing campaign. The campaign uses themed phishing emails to lure users into opening malicious attachments. The emails contain fake W-9 tax form attachments, and the subject line reads “IRS Tax Forms W-9.” The phishing emails contain a ZIP archive named “W-9 form.zip” that contains a malicious Word document.
New tactics used by Emotet to install malware
In the past, Emotet malware was distributed through phishing emails. It contains Microsoft Word and Excel documents with malicious macros that install the malware. However, Microsoft began blocking macros by default in downloaded Office documents. It forces Emotet to switch to using Microsoft OneNote files with embedded scripts to install the malware. The new phishing campaign uses this new tactic, and the OneNote documents contain VBScript files that install the Emotet malware.
The OneNote documents contain reply-chain emails that impersonate business partners sending W-9 Forms. The attached OneNote documents pretend to be protected and request that the user double-click the “View” button to see the document correctly. However, hidden underneath that view button is a VBScript document that will be launched instead. When launching the embedded VBScript file, Microsoft OneNote will warn the user that the file may be malicious. However, users often ignore these warnings and allow the files to run. Once executed, the VBScript downloads the Emotet DLL and runs it using regsvr32.exe.
Emotet malware’s capabilities
Once the Emotet malware is on a victim’s computer, it will steal the victim’s emails and contacts. It is to use in future reply-chain attacks. Also, send further spam emails and install other malware. It provides initial access to threat actors, such as ransomware gangs.
Protecting yourself from the Emotet phishing campaign
If you receive any emails claiming to be W-9 or other tax forms, the first step is to scan the documents. Do with your local antivirus software. However, due to the sensitive nature of these forms. It is not suggested that you upload them to cloud-based scanning services like VirusTotal. Tax forms are usually distributed as PDF documents and not as Word attachments. If you receive a document that claims to be a tax form in any other format, avoid opening it. Enable macros. If you receive an email containing a OneNote document claiming to be a tax form, immediately delete the email and do not open it.
The best way to protect yourself from phishing campaigns is to discard any email from people you do not know. If you do know the sender, contact them by phone first to confirm if they sent it. Additionally, be cautious when downloading attachments or clicking on links, even if they appear to be from a legitimate source.