A novel Emotet phishing attack pretends to be W-9 tax forms delivered by employers and the Internal Revenue Service to target American taxpayers. The well-known Emotet malware was previously delivered by phishing emails carrying Microsoft Word and Excel documents with malicious macros that installed the malware. When Microsoft began blocking macros by default in downloaded Office documents, Emotet moved to Microsoft OneNote files with embedded scripts to install the malware.
Once installed, Emotet sends more spam emails, harvests victims’ emails for use in future reply-chain attacks, and eventually installs additional malware to provide initial access to other threat actors, such as ransomware gangs. The Emotet operators frequently use themed phishing attacks that coincide with special occasions and recurring business events, like the current tax season in the United States.
Security researchers at Malwarebytes and Palo Alto Networks Unit 42 observed the latest phishing attempts, in which Emotet targets users with emails carrying phony W-9 tax form attachments. In the campaign Malwarebytes saw, the threat actors sent emails with the subject line “IRS Tax Forms W-9” while posing as an “Inspector” from the Internal Revenue Service. These phishing emails carry a ZIP archive named “W-9 form.zip” that contains the malicious Word document. The document has been padded to almost 500MB to make it harder for security tools to identify it as malicious. However, now that Microsoft blocks macros by default, users are less likely to go to the trouble of enabling macros and getting infected via fraudulent Word documents.
In a phishing campaign observed by Brad Duncan of Unit 42, the threat actors use Microsoft OneNote documents with embedded VBScript files to deploy the Emotet malware. This campaign sends W-9 forms using reply-chain emails that claim to be from business partners. The OneNote attachments appear to be protected and ask the user to double-click a “See” button to view them properly. However, a VBScript file is concealed behind that button, so double-clicking launches the script instead.
When the embedded VBScript file is launched, Microsoft OneNote warns the user that it could be harmful. Unfortunately, history has taught us that many users simply let such files execute without paying attention to these warnings. When the VBScript runs, regsvr32.exe downloads and launches the Emotet DLL. The malware then covertly harvests emails and contacts in the background while waiting for new payloads to install on the device. If you ever receive emails purporting to contain W-9 or other tax forms, scan the attachments with your local antivirus program first. However, uploading them to cloud-based scanning services such as VirusTotal is not advised, owing to the sensitive nature of these forms.
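A local, offline check for the OneNote lure described above, added here as an example (not code from the researchers or the article): it walks a .one file for the FileDataStoreObject records OneNote uses to store embedded files and flags any whose payload looks like a script or a PE DLL. The GUIDs and 36-byte record layout are from the MS-ONESTORE specification; the keyword heuristic and the sample blob are constructed for this example.

```python
"""Flag OneNote (.one) attachments that carry embedded script or executable payloads.

OneNote stores each embedded file in a FileDataStoreObject (MS-ONESTORE):
  guidHeader {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}   16 bytes
  cbLength   uint64 payload size                        8 bytes
  unused / reserved                                   4 + 8 bytes
  FileData   cbLength bytes, then guidFooter {71FBA722-0F79-4A0B-BB13-899256426B24}
"""
import re
import struct
import uuid

HEADER_GUID = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
FOOTER_GUID = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le
DATA_OFFSET = 16 + 8 + 4 + 8  # guidHeader + cbLength + unused + reserved

# Heuristic (assumption): strings typical of VBScript droppers that hand off to regsvr32 etc.
SCRIPT_RE = re.compile(rb"(?i)\b(CreateObject|WScript\.Shell|regsvr32|powershell|cmd\.exe)\b")

def classify_payload(blob: bytes) -> str:
    """Coarse type of an embedded object: PE image, script-like text, or other."""
    if blob[:2] == b"MZ":
        return "pe"
    if SCRIPT_RE.search(blob[:4096]):
        return "script"
    return "other"

def find_embedded_files(data: bytes) -> list:
    """Return [{offset, size, kind}] for every FileDataStoreObject in the file."""
    found, pos = [], data.find(HEADER_GUID)
    while pos != -1:
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + DATA_OFFSET
        found.append({"offset": start, "size": size,
                      "kind": classify_payload(data[start:start + size])})
        pos = data.find(HEADER_GUID, start + size)
    return found

def is_risky_onenote(data: bytes) -> bool:
    """True when any embedded object is a script or PE: quarantine, do not open."""
    return any(f["kind"] in ("script", "pe") for f in find_embedded_files(data))

# Constructed sample records (not a real lure): one with a VBScript payload, one with an image.
def _wrap(payload: bytes) -> bytes:
    return HEADER_GUID + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload + FOOTER_GUID

SAMPLE_SCRIPT = b'Set sh = CreateObject("WScript.Shell")\r\nsh.Run "regsvr32 /s x.dll"'
SAMPLE_ONE = b"\0" * 64 + _wrap(SAMPLE_SCRIPT) + b"\0" * 32
SAMPLE_BENIGN = b"\0" * 64 + _wrap(b"\x89PNG\r\n\x1a\n" + b"\0" * 16)

if __name__ == "__main__":
    print(find_embedded_files(SAMPLE_ONE), is_risky_onenote(SAMPLE_ONE))
```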
If you receive tax forms as a Word attachment – they are usually issued as PDF documents instead – do not open them or enable macros. Finally, it is very unlikely that tax forms would ever be sent as OneNote documents, so if you receive an email like this, delete it right away without opening it. As always, the best course of action is to delete any emails from people you do not know, and, if you do know the sender, to call them first to confirm that they sent the email.