A man staring at a tax form.

Emotet Malware Spreading using Fake W-9 Tax Forms

Emotet Malware is currently focusing on American taxpayers through a unique phishing attack, claiming to be W-9 tax forms sent by the Internal Revenue Service and the companies individuals work with.

Emotet is a well-known malware that spreads through phishing emails, initially utilising malicious macros in Microsoft Word and Excel documents. Emotet malware, which is said to have developed in Ukraine around 2014, is one of the most serious types of malware at the moment.

Microsoft began preventing macros from executing automatically in downloaded Office documents. Emotet has changed its approach and now employs Microsoft OneNote files containing embedded scripts to install the Emotet malware.

Once successfully installed, Emotet malware will steal its victims’ emails and exploit them in further reply-chain attacks. The malware delivers more spam emails and can eventually deploy additional software to provide access to other hostile groups, such as ransomware gangs.

Emotet’s Tax Season Attack Technique

Phishing campaigns used by Emotet malware operations typically have a seasonal or annual business theme, such as the current tax season in the United States.

New phishing operations by the Emotet malware have been observed by security researchers at Malwarebytes and Palo Alto Networks Unit 42. These attacks target victims through emails with fake attachments of W-9 tax forms.

Form W-9 is a document that you complete to verify specific personal details with the IRS. These forms usually require you to provide details such as your name, address, and Tax Identification Number.

Malwarebytes observed a campaign in which the cybercriminals send emails with the subject line ‘IRS Tax Forms W-9.’ They pretend to be an ‘Investigator’ from the Internal Revenue Service in these phishing emails.

The “W-9 form.zip” ZIP file in these emails contains a malicious Word document. To make it more difficult for security tools to recognise the Word document as malicious, its size has been raised to almost 550MB.

IRS Phishing Email with Emotet File
IRS Phishing Email with Emotet File (Malwarebytes)

The attachment named W-9 form.zip is approximately 709 KB in size. When the attachment is clicked, the W-9 form.doc Word document is displayed, with a suspiciously large file size of around 548,164 KB (548 MB).

It’s rare for real Word documents to be as large as 500MB or more, and a file of this size could potentially be an indicator of Emotet malware operating in the background.

It is important to understand the risks of macros before opening the document. Microsoft now disables macros by default, reducing the likelihood of users enabling them and falling victim to malware via malicious Word documents. As a result, cybercriminals will use every possible trick to get you to activate macros.

Malicious Word Document Infected with Emotet Malware
Malicious Word Document Infected with Emotet Malware (Malwarebytes)

A phishing campaign that uses Microsoft OneNote pages that include VBScript files to install the Emotet virus has been discovered by Brad Duncan from Unit42. The effort provides fake W-9 Forms and impersonates business partners using reply-chain emails.

OneNote documents that are connected will appear to be protected. It will request a second click on the “View” button so you can view the document in its proper format.

Phishing with Malicious OneNote File Posing as W-9 Form
Phishing with Malicious OneNote File Posing as W-9 Form

Microsoft OneNote will warn users of the potential maliciousness of the embedded VBScript file upon launching. After execution, the VBScript will download the Emotet DLL and use regsvr32.exe to run it.

The malware will then execute silently in the background while waiting for more payloads to install on the device, stealing emails and contacts.

Avoid Falling Prey to Tax Scams

Tax agencies have an established procedure for issuing refunds, which is available on their websites. Refunds are never sent by email, as stated explicitly by HMRC. If you’re unsure, it’s suggested that you directly contact the tax office via telephone to confirm whether what you’ve received is real or fake.

Tax forms are often delivered as PDF files instead of Word attachments. Therefore, it is advised not to turn on macros if you receive a tax form as a Word attachment.

Tax scammers often push their victims into malware installation and data theft. You should be cautious if they claim that you only have 24 or 48 hours to get a refund. As with most tactics of social engineering, it is best to directly contact the tax department for verification.

Avoid tax scams that ask for your bank information and then send you to a phishing page for that particular bank.  It’s always best to visit your banking website directly, as click-throughs and redirects can be a potential risk.

Phishing attacks are on the rise, and it is important to protect your organisation. One effective way to do this is by increasing user awareness about these types of attacks. Phishing Tackle is a great resource that can help you in this regard. They offer a free 14-day trial to help train your users to recognise and avoid phishing attacks.

Recent posts