A newly discovered spyware program that comes disguised as an IRS tax document uses a .VBE file to execute itself, rather than relying on malicious macros.
A newly discovered spyware program that comes disguised as an IRS tax document uses a .VBE file to execute itself, rather than relying on malicious macros.

The only certain things in this world are death, taxes and tax-based cyber scams. Today, IT security company Fortinet has pointed out one of the latest tax scams to befoul the Internet -- this one in the form of a spyware program disguised as an IRS tax return notification.

According to an analysis by Fortinet security researcher Xiaopeng Zhang, the Windows-based malware collects infected victims' system information, takes screenshots and records keystrokes, and then exfiltrates this data over to a command-and-control server. Stolen system information includes the machine's name, user name, system type and system version.

Discovered on April 5, the spyware is in essence a malicious .VBE (VBScript Encoded Script) file whose code is embedded into a jpeg file in order to bypass anti-virus solutions. The .VBE file operates on the Microsoft .Net environment and it is executed without notification by default using the program Wscript.exe or Cscript.exe.

"IRS scams we saw before relied on macro-laden Word documents. When users open them, a warning is usually shown to ask users to enable [the] macro so that the malicious code inside them can be executed," said Zhang, in an exclusive first-run email interview with SC Media. "However, this scam uses a .VBE file which can be executed without any warning when users double-click it. This makes the malware infection more efficient and effective."

According to Zhang, Fortinet may name the spyware SpamUSA because the observed malware sample contains the fixed string "SPAMUSAAAAAAAAA".