The advocacy group Abuse.ch has found a Covid-19-related malspam campaign that impersonates the U.S. Treasury Department and more than likely looks to steal a taxpayer’s credentials using a remote access trojan.
In a recent Twitter post, the group shows a fraudulent letter from the Treasury Department that seeks to get the taxpayer to contact Treasury and update their personal information in exchange for a payment that was being held up in their name.
The email, which has a subject line of U.S. DEPT. OF TREASURY/PAYMENT and a CONTRACT PAYMENT.zip attachment, says that the funds will go to Covid-19 relief efforts if the victim does not contact Treasury by May 30.
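A defender-side check for the indicators named above (subject line, attachment name, a zip carrying executable content, a Treasury sender on a non-.gov domain), written as an added example for this article rather than code from Abuse.ch, PCrisk or Trend Micro; the sample message is constructed, and the list of risky member extensions is an assumption, not something the article states:

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the campaign as described in the article.
SUSPICIOUS_SUBJECT = "U.S. DEPT. OF TREASURY/PAYMENT"
SUSPICIOUS_ATTACHMENT = "CONTRACT PAYMENT.zip"
# Assumption: a generic list of file types that commonly carry droppers; not from the article.
RISKY_EXTS = (".jar", ".js", ".exe", ".vbs", ".wsf")

def suspicious_archive_members(data: bytes) -> list[str]:
    """Names inside a zip that end in a risky extension; empty if data is not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(RISKY_EXTS)]
    except zipfile.BadZipFile:
        return []

def score_message(raw: bytes) -> list[str]:
    """Return the reasons a raw RFC 822 message matches the Treasury-impersonation pattern."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if (msg["Subject"] or "").strip().upper() == SUSPICIOUS_SUBJECT:
        reasons.append("subject matches campaign")
    name, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rpartition("@")[2].lower()
    if "treasury" in (name + addr).lower() and not domain.endswith(".gov"):
        reasons.append("Treasury display name from non-.gov address")
    for part in msg.iter_attachments():
        if (part.get_filename() or "") == SUSPICIOUS_ATTACHMENT:
            reasons.append("attachment name matches campaign")
        members = suspicious_archive_members(part.get_payload(decode=True) or b"")
        if members:
            reasons.append("archive contains executable content: " + ", ".join(members))
    return reasons

def build_sample() -> bytes:
    """Constructed sample message (not a real capture) in the shape the article describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("CONTRACT PAYMENT.jar", b"placeholder, not a real jar")
    msg = EmailMessage()
    msg["From"] = "U.S. Treasury <payments@example.com>"
    msg["To"] = "taxpayer@example.org"
    msg["Subject"] = "U.S. DEPT. OF TREASURY/PAYMENT"
    msg.set_content("Contact us before May 30 to receive the payment held in your name.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="CONTRACT PAYMENT.zip")
    return bytes(msg)
```

Running `score_message(build_sample())` returns all four reasons; a plain message with no attachment and an unrelated subject returns an empty list.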
In its tweet Abuse.ch tentatively identified the malware as the Adwind RAT, but researchers at MalwareHunterTeam replied that it is actually a new Node.js-based remote access trojan that they had discovered. This malware, called QNodeService, was analyzed by researchers at Trend Micro.
However, PCrisk, in its own separate post last week, detailed a similar-sounding spam campaign impersonating the Treasury Department that it says did distribute Adwind. This report said that the malware housed in weaponized attachments can access saved passwords, microphones and webcams, and can log keystrokes.
The post says that cybercriminals typically use Adwind to steal login credentials, credit card details and other sensitive information that can be misused to hijack accounts, steal identities, make fraudulent purchases or transactions, or generate revenue in other ways. Consumers who are tricked into installing Adwind may become victims of identity theft, lose access to personal accounts, suffer monetary loss, and experience serious problems related to online privacy. Because of these risks, PCrisk strongly recommends not taking such emails seriously and not opening any suspicious-looking files that promise unexpected payments.