Emotet phishing campaign masquerading as W-9 tax form

In short: The infamous Emotet botnet is once again using ingenious tactics to spread infection and turn users’ computers into malware-spreading zombies. A new phishing campaign coincides with the upcoming US tax season as it attempts to lure users into opening a fake document to install malware.

One of the most widespread infections in recent years, Emotet is a dangerous botnet operation designed to steal user information while spreading third-party malware. The malware typically tries to compromise the victim’s computer through a well-orchestrated phishing campaign, delivering seemingly legitimate emails with malicious attachments disguised as Office documents.

The latest phishing campaign aims to spread fake Form W-9 applications, just in time for tax day when income tax returns are due to be submitted to the IRS. The malicious email appears to have been sent by the IRS and private companies, and the attached Zip file contains a Word document enlarged to over 500 megabytes.

Since no legitimate Word document can reach this size, the attachment is clearly a fake. In addition, the malicious nature of the document is completely exposed when the user tries to open it and Word reports that it has blocked macros from running on the system.
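The oversized attachment described above can be caught before anyone opens it. The following is an added example written for this article, not code from the article's source or from Unit 42: it reads only the zip central directory of an attachment, so the inflated member is never decompressed, and flags any Office document whose uncompressed size or compression ratio is implausible. The 50 MiB size ceiling, the 50:1 ratio threshold and the sample archive are constructed assumptions for illustration; the campaign's own attachments were reported at over 500 megabytes.

```python
import io
import os
import zipfile

# Assumed thresholds (constructed for this example, not from the article):
SIZE_LIMIT = 50 * 1024 * 1024   # 50 MiB: far above any ordinary Word document
RATIO_LIMIT = 50.0              # uncompressed/compressed ratio above this suggests padding
OFFICE_EXTS = (".doc", ".docx", ".docm", ".one", ".xls", ".xlsm", ".xlsx")


def inspect_zip_attachment(data: bytes):
    """Return (member_name, [reasons]) for each suspicious Office document in a zip.

    Only the central directory is consulted (ZipInfo.file_size / compress_size),
    so a 500 MB padded member costs nothing to evaluate.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(OFFICE_EXTS):
                continue
            ratio = info.file_size / max(info.compress_size, 1)
            reasons = []
            if info.file_size > SIZE_LIMIT:
                reasons.append(f"uncompressed size {info.file_size} bytes exceeds {SIZE_LIMIT}")
            if ratio > RATIO_LIMIT:
                reasons.append(f"compression ratio {ratio:.0f}:1 indicates padding")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip() -> bytes:
    """Constructed fixture: one plausible document and one inflated with null bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Random bytes do not compress, so this member looks like a real document.
        zf.writestr("invoice.docx", os.urandom(20_000))
        # 60 MiB of zeros deflates to a few tens of kilobytes: a padded decoy.
        zf.writestr("W-9_form.doc", b"\xd0\xcf\x11\xe0" + b"\x00" * (60 * 1024 * 1024))
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_zip_attachment(build_sample_zip()):
        print(name)
        for reason in reasons:
            print("  -", reason)
```

A mail gateway or sandbox pre-filter can apply the same two checks to every archive attachment; the ratio test is the more robust of the two, because it also catches padding that stops short of any fixed size limit.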

Microsoft is now blocking macros by default as the technology is widely used by both Emotet and other malware campaigns targeting Windows PCs.

According to Intel Unit 42 researchers, Emotet is trying to bypass Word’s default macro blocking, which should stop even the most forgetful user, by sending OneNote attachments instead. Once opened, the document says it is “protected” and that the user must double-click the “View” button to open it.

However, the View button is just a façade: the double-click actually runs the Visual Basic script embedded beneath it. Once executed, the script downloads and installs the Emotet DLL payload using the legitimate system tool regsvr32.exe. OneNote does display a warning about the potentially malicious nature of the VB script. Needless to say, many oblivious users will happily ignore said warning and run the script anyway.
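The execution chain above (OneNote runs an embedded script, which in turn invokes regsvr32.exe to load a downloaded DLL) leaves a recognisable trace in process-creation telemetry. The following is an added detection example written for this article, not Unit 42's or any vendor's rule: it scans constructed process-creation records for a script host launched by OneNote and for regsvr32.exe loading a DLL from a user-writable path. The log format, the process names treated as script hosts and the assumption that the downloaded DLL sits under the user profile are all assumptions of this example, not details from the article.

```python
import csv
import io
import ntpath

# Constructed process-creation records (not real telemetry from the campaign).
SAMPLE_LOG = r"""parent_image,image,command_line
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE,C:\Windows\System32\wscript.exe,wscript.exe C:\Users\alice\AppData\Local\Temp\OneNote\16.0\Exported\view.vbs
C:\Windows\System32\wscript.exe,C:\Windows\System32\regsvr32.exe,regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\update.dll
C:\Windows\explorer.exe,C:\Windows\System32\regsvr32.exe,regsvr32.exe /s C:\Windows\System32\msxml3.dll
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE,C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE,ONENOTEM.EXE /tsr
"""

# Assumed set of interpreters/LOLBins that OneNote has no business spawning.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe"}
# Assumed markers of user-writable locations (a freshly downloaded DLL would live here).
USER_PATH_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path; works on any host OS."""
    return ntpath.basename(path).lower()


def detect(log_text: str):
    """Return (rule_name, image, command_line) for every matching record."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        parent = basename(row["parent_image"])
        child = basename(row["image"])
        cmd = row["command_line"].lower()
        # Rule 1: OneNote launching a script host or other living-off-the-land binary.
        if parent == "onenote.exe" and child in SCRIPT_HOSTS:
            alerts.append(("onenote_spawns_script_host", child, row["command_line"]))
        # Rule 2: regsvr32.exe registering a DLL from a user-writable directory.
        if child == "regsvr32.exe" and any(m in cmd for m in USER_PATH_MARKERS):
            alerts.append(("regsvr32_loads_user_writable_dll", child, row["command_line"]))
    return alerts


if __name__ == "__main__":
    for rule, image, cmd in detect(SAMPLE_LOG):
        print(f"[{rule}] {image}: {cmd}")
```

Rule 2 deliberately ignores the ONENOTEM.EXE record and the System32 DLL registration, so a benign OneNote helper process and normal component registration do not fire; in a real deployment the two rules would be correlated on the process tree so that the script host's child regsvr32.exe is attributed back to the OneNote document that started the chain.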

Once launched, the Emotet malicious library is designed to run silently in the background and steal email addresses, contacts, and other data. The malware will then wait for further instructions from the command-and-control infrastructure, which in the case of Emotet usually means downloading and running additional or third-party malware samples.

W-9 and other tax form attachments usually come in PDF format, so users should avoid opening Word, OneNote, or other types of documents unless they are 100% sure the message is legitimate.
