Emotet's tax-season phishing is back with new tricks

Mar 16, 2022 | CYBERSCOOP

IRS-themed phishing campaigns are reliable signs of spring, so the question each year becomes, “What’s new?”

Researchers at Cofense are answering the question with evidence that the operators behind the Emotet malware “have upped their game” for this tax season. The cybersecurity company points to sham emails that are intended to look more convincing and pull more tricks than similar campaigns in previous years.

Cofense says the group’s malicious messages now include the IRS logo, make specific mention of the organization that employs the targeted people, and include a password that works to open a file archive attached to the email.

What seems like a convenient nudge to open and save a W-9 form actually results in Emotet propagating itself on the recipient’s system: “When the Office-macro-laden spreadsheets enclosed in the password-protected archives are opened, they request that macros be enabled. If macros are enabled, Emotet .dll files are delivered to the victim’s computer,” Cofense says.
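The following is an added example, not code from Cofense or the original article: a mail-filter style check for the delivery pattern described above, where a ZIP attachment holds encrypted members and the message body supplies the password. The extension list, the password-hint pattern and the sample message are assumptions constructed for illustration.

```python
import email, io, re, zipfile
from email import policy
from email.message import EmailMessage

MACRO_EXTS = (".xls", ".xlsm", ".xlsb", ".doc", ".docm")  # assumed list of macro-capable types
PASSWORD_HINT = re.compile(r"\b(password|passcode|pwd)\b", re.I)  # assumed wording

def inspect_message(raw: bytes) -> list:
    """Return one finding per ZIP attachment that contains encrypted members."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    hint = bool(PASSWORD_HINT.search(body.get_content())) if body else False
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # Bit 0 of the general-purpose flags marks an encrypted member.
            # Member names stay readable even though the content cannot be scanned.
            enc = [i.filename for i in zf.infolist() if i.flag_bits & 0x1]
        if enc:
            findings.append({
                "attachment": part.get_filename(),
                "encrypted_members": enc,
                "office_member": any(n.lower().endswith(MACRO_EXTS) for n in enc),
                "password_in_body": hint,
            })
    return findings

def build_sample(encrypted=True, body="Your W-9 is attached. Archive password: 1234"):
    """Constructed test message. The archive member is placeholder text, not a spreadsheet."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("W-9_form.xls", b"constructed placeholder")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Set the encryption flag in the central directory entry (flags at offset 8).
        data[data.find(b"PK\x01\x02") + 8] |= 0x01
    msg = EmailMessage()
    msg["Subject"] = "IRS Tax Forms W-9 (constructed sample)"
    msg.set_content(body)
    msg.add_attachment(bytes(data), maintype="application", subtype="zip",
                       filename="W-9_form.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(inspect_message(build_sample()))
```

A finding with both `office_member` and `password_in_body` set is a reasonable trigger for quarantine or analyst review, since the encryption prevents content scanning of the spreadsheet itself.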

Emotet’s first goal is to propagate itself as a botnet, which can then be used for other malicious activities. Researchers from Lumen’s Black Lotus Labs noted earlier this month that at least 130,000

Read More: https://www.cyberscoop.com/cofense-emotet-irs-phishing/