The Emotet malware gang seems to be having quite the return following their three-month hiatus. Not only did the group come up with new evasion techniques, but they’re also running a new phishing campaign targeting US citizens by impersonating W-9 tax forms that seem to be coming from the Internal Revenue Service (IRS) or the victim’s workplace.
These new campaigns were discovered by researchers at Malwarebytes and Palo Alto Networks Unit42. The campaign seen by Malwarebytes involves a phishing email that’s impersonating an IRS inspector sending emails with a ZIP file allegedly containing the W-9 tax form. These ZIP files contain Word documents and are inflated to over 500MB to make it harder for security systems to scan them for malware.
In a similar fashion, the campaign seen by Unit 42 includes attached OneNote documents with embedded VBScript files that install the Emotet payload. This specific campaign uses reply-chain emails impersonating business partners.
These are all tricks we’ve previously seen Emotet use. Since Microsoft has disabled macros by default in Office applications since 2022, the group has had to resort to social engineering and other new tactics to trick users into enabling macros before they can be infected. In this case, the attached OneNote or Word document pretends to be protected asking users to double-click a certain button to see the document.
However. double-click the button launches a VBScript instead that downloads the Emtotet DLL payload and runs it using regsvr32.exe. Once executed, the malware can run in the background stealing emails and contacts while also potentially deploying other payloads on the infected machine.
OneNote does warn users that the file may be malicious when a VBScript is launched. However, most users tend to ignore these warnings, simply allowing the files to run. Additionally, tax forms are generally distributed as PDF documents instead of Word or OneNote attachments.
In the News: A Redis bug briefly exposed ChatGPT customer data