Research

Your Tax Refund with a Data Kidnapping Twist!

Last-minute tax declarations lead to IRS-themed Ransomware

Oh, how procrastination gets all of us! April 15th is the U.S. tax deadline and it looks like most of us will be coming down to the wire on declaring our taxes and holding our collective breath in expectation of that sweet, sweet refund. Sadly, our malware writing friends are aware of this and their discipline has proven far superior. Knowing that many are on the lookout for emails from the Internal Revenue Service concerning pending refunds, criminals have crafted some of their own:

Tax_Refund_1

The attachment is actually a Trojan-Downloader.MsWord.Agent malware, built by the same group behind the recent LogMeIn malicious campaign described here.

The infection scheme is very similar to the aforementioned, however, the threat actor has moved on from abusing Pastebin entries and has instead hacked a Web server in China to host the instructions script file. This file as well as the download URL are also encoded in Base64 and the resulting payload is actually ransomware.

Tax_Refund_2

URLs embedded in the malicious macros leading to a Base64 encoded instructions script file and the payload URL below

Tax_Refund_3

Instructions files with the URL to the ransomware payload

The malicious ransomware payload is detected by Kaspersky Anti-Virus as Trojan-Ransom.Win32.Foreign.mfbg

Due to the reliance on the IRS branding, this particular malicious campaign is mostly focused on US citizens and permanent residents of the USA.

Your Tax Refund with a Data Kidnapping Twist!

Comment

Your email address will not be published. Required fields are marked *

 

Cancel

  1. Don Moore

    Hello Dmitry.. I know you were trying to protect information in this article from getting out (by blocking out part of a URL in the code dump screen in your article). I want to let you know that I was able to decode it anyway because the hex code was still readable. Don’t worry sir – I will not use the information – I am just letting you know. There are still ‘old school-ers’ out there that still know a thing or two about deciphering what looks to others to be gibberish.

    Regards.

    Don

Reports

APT trends report Q2 2021

This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc.

LuminousMoth APT: Sweeping attacks for the chosen few

We recently came across unusual APT activity that was detected in high volumes, albeit most likely aimed at a few targets of interest. Further analysis revealed that the actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda.

WildPressure targets the macOS platform

We found new malware samples used in WildPressure campaigns: newer version of the C++ Milum Trojan, a corresponding VBScript variant with the same version number, and a Python script working on both Windows and macOS.

Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

Subscribe to our weekly e-mails

The hottest research right in your inbox