Scam IRS emails deliver malware payload

Just in time for tax season in the U.S., scammers are once again using fake emails from the Internal Revenue Service (IRS) to launch attacks. The latest phishing campaign, discovered by researchers at Heimdal Security, claims to inform recipients of a refund notification from the IRS.

According to a blog post by the research team at Heimdal Security, the emails deliver a very different kind of payload: an attachment that activates Windows PowerShell to download Kovter and CoreBot.

The spam email appears to be sent from the IRS. Its subject line reads “Payment for tax refund # 00 [6 random numbers],” and it carries a zip attachment that unpacks to a script file with a double extension: Tax_Refund_00654767.zip -> Tax_Refund_00654767.doc.js.

“If an unsuspecting user opens the attachment – and ignores several warnings – then the code will run on the machine with the privileges of the logged in user,” Andra Zaharia wrote on the Heimdal blog. “If you're using your admin account on a daily basis, this may prompt you to reconsider.”
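For mail-gateway triage, the subject shape and the `.doc.js` attachment naming described above can be checked before delivery. The following is an added example, not code from Heimdal Security or the original article; the extension lists and the function names `is_decoy_script`, `triage` and `make_zip` are assumptions, and the sample archives are constructed with inert content.

```python
import io
import re
import zipfile

# Subject shape quoted in the article: "Payment for tax refund # 00" + 6 digits.
SUBJECT_RE = re.compile(r"payment\s+for\s+tax\s+refund\s*#\s*00\s*\d{6}\b", re.I)
# Assumed lists, not from the article: script types Windows runs on double-click,
# and document-looking extensions used as a decoy in front of them.
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta"}
DECOY_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "rtf", "txt"}


def is_decoy_script(name):
    """True for names shaped like 'Tax_Refund_00654767.doc.js'."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower().rstrip(". ")
    parts = base.rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DECOY_EXTS and parts[2] in SCRIPT_EXTS


def triage(subject, zip_bytes):
    """Return a list of findings for one message with a zip attachment."""
    findings = []
    if SUBJECT_RE.search(subject):
        findings.append("subject matches refund lure")
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        # An archive the gateway cannot list is itself worth holding for review.
        return findings + ["unreadable archive"]
    findings += ["decoy script: " + n for n in names if is_decoy_script(n)]
    return findings


def make_zip(member):
    """Build a constructed one-file archive in memory (inert placeholder content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "// constructed sample, no payload\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage("Payment for tax refund # 00654767", make_zip("Tax_Refund_00654767.doc.js")))
    print(triage("Q1 report", make_zip("report.docx")))
```

The double-extension test flags the naming trick regardless of subject line, so it still fires if a later campaign changes the lure text.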

IRS spam emails are a popular method of obtaining information from targets. Fake IRS email campaigns have used varied methods, including links to web pages that download malware, emails that claim to contain stimulus payment information, and spear phishing emails that target corporate executives.