Scammers are using fake IRS emails to launch attacks that download Kovter and CoreBot malware.
Scammers are using fake IRS emails to launch attacks that download Kovter and CoreBot malware.

Just in time for tax season in the U.S., scammers are once again using fake emails from the Internal Revenue Service (IRS) to launch attacks. The latest phishing campaign, discovered by researchers at Heimdal Security, claims to inform recipients of a refund notification from the IRS.

According to a blog post by the research team at Heimdal Security, the emails deliver a very different kind of payload: an attachment that activates Windows PowerShell to download Kovter and CoreBot.

The spam email appears to be sent from the IRS and contains a subject line that reads: “Payment for tax refund # 00 [6 random numbers]” and contains a zip attachment that reads as: Tax_Refund_00654767.zip -> Tax_Refund_00654767.doc.js.

“If an unsuspecting user opens the attachment – and ignores several warnings – then the code will run on the machine with the privileges of the logged in user,” Andra Zaharia wrote on the Heimdal blog. “If you're using your admin account on a daily basis, this may prompt you to reconsider.”

IRS spam emails are a popular method of attaining information from targets. Fake IRS email campaigns have used varied methods such as including links to web pages that download malware, emails that claim to contain stimulus payment information, and spear phishing emails that targeted corporate executives.