IRS-Themed Spam Delivers Ransomware

Written by

The US tax season is about to begin, and right on cue, a new IRS spam campaign has bubbled up in email boxes.

The emails claim to be refund notifications from the IRS. But they include a .zip attachment that, when opened, will deliver a mix of payloads. The primary baddie seems to be the multifaced Trojan Kovter, and the secondary one is CoreBOT—not exactly good tidings from the tax man.

“Who wouldn’t want to know if they’re really getting a tax refund from the IRS?” said researchers at Heimdal Security, who first noticed the campaign. “But don’t let your curiosity get the best of you: Not only is it a fake email, but it also carries plenty of danger within.”

Kovter carries out click-fraud operations and delivers malware on the PCs it infects. But, earlier this year, Kovter was seen incorporating new cloaking tricks in order to evade detection. Its core assets: the ability to remain hidden and to persist for a longer period in the memory of the compromised machines.

“When the new Kovter variant compromises a computer, the Trojan has the ability to reside only in the registry and not maintain a presence on disk,” Symantec researchers explained at the time, in a blog. “It accomplishes this by using registry tricks in an attempt to evade detection. The threat is also memory resident and uses the registry as a persistence mechanism to ensure it is loaded into memory when the infected computer starts up.”

In this case, Kovter delivers a ransomware strain. It does so not by copying malicious files to the machine, but by using PowerShell to run the commands, which, in reality, are the payload.

CoreBOT meanwhile is a type of modular malware that allows cyber criminals to build upon it. It has evolved from data-stealing malware to financial malware this year.

“CoreBot differs from standard malware as the code allows the bolt-on of additional mechanisms, ranging from endpoint control and data theft modules to fresh exploits taking advantage of zero-day vulnerabilities,” Heimdal researchers said.

If an unsuspecting user opens the attachment—and ignores several warnings—then the code will run on the machine with the privileges of the logged-in user.

“This type of behavior was observed and announced countless times when detecting infections that are not as easily spotted by traditional antivirus products,” the researchers concluded. “Antivirus detection is very low [for this threat].”

Email users should be wary as always of any unsolicited mail, especially those containing attachments and links.

Photo © Claudio Divizia

What’s hot on Infosecurity Magazine?