Tax Season Sees IRS Tax Refund Spam Resurface

In the United States, tax season kicks off on January 1 and Americans must submit their annual tax returns before the April 15, deadline. As is usual at this time of year, new IRS tax refund spam email campaigns have been initiated by hackers.

During the first three months of the year employees must obtain their tax documents from their employers and collect and collate all paperwork linked to their earnings over the year. Many hate having to pay out thousands of dollars in tax, but for some there is some good news.

The IRS has been sharing emails to millions of Americans telling them that their previous tax returns have been reviewed and they are due for a tax refund. The alerts have arrived by email and details of the refund are included in an email attachment. All the recipient needs to do is click on the attached file to see how much money they are due to have refunded.

Sadly the email notifications are bogus and have not been transmitted from the IRS. This is just the most recent IRS tax refund spam campaign to be launched by Hackers. The IRS tax refund spam email includes a zip file, but instead of details of a refund, the file has a rather nasty selection of malware and ransomware. Worse again, the batch of malware is complex and capable of evading detection. The malware stays in the memory of the device used to open the email attachment. The mail recipient is unlikely to see that their device has been infected until it is too late to do anything.

If anti-spam solutions have been downloaded the IRS tax refund spam emails should be noticed and quarantined. Even if  this is not the case, some users will have to try hard to infect their devices. If security software has been downloaded on the device, opening the attachment should result in warnings being sent. The user will need to ignore those warnings before proceeding. Many do exactly this. The attraction of a tax refund after overspending at Christmas is too difficult to turn down.

For many users the most recent strains of malware included in the zip file will not set off AV engines and even some anti-malware software programs will not label the files as being malicious. The threat to businesses is therefore significant. If the attachment is opened and turned on, the malware will be installed and granted the same network and device privileges as the user.

IRS tax refund spam includes CoreBot and the Kovter Trojan

Clicking on the the email attachment will deliver the most recent strain of the Kovter Trojan. Kovter is not downloaded to the computer’s hard drive as commonly happen with malware. This makes it much more difficult to see. Instead, malicious code is run with the malware living in the memory. Memory resident malware does not tend to persist. Once the infected computer is rebooted, the malware doesn’t reload. However, in the case of Kovter it does. Kovter is reloaded using the registry each and every time the computer is turned on Kovter is fileless malware that runs commands through Powershell in a similar fashion to Poweliks. If a computer does not have Powershell downloaded, the user is not safeguarded. Kovter will just download it and install it on the workstation.

Kovter was first identified two years ago, but it has since evolved to avoid detection. In addition to being used to deliver ransomware, which locks the computer until a ransom is transferred, it is also being used to perform click-fraud and generate revenue for the hackers via CPC campaigns.

Kovter is known to be deployed using an affiliate network. Any person who signs up is paid based on the number of devices they are able to infect.Hackers have been spreading infections via a range of exploit kits such as Angler, Neutrino, and Fiesta. The IRS tax refund spam attack is a new manners for hackers to installs malware on devices.

The zip file also downloads CoreBot; a particularly nasty malware that poses even bigger issues for companies. If staff are tricked by the IRS tax refund spam and open the zip file, CoreBot can prove particularly problematic to discover, and can potentially cause a lot more hurt. CoreBot is a modular malware that can have extra functions added by hackers as and when they desire. Prior to now it has been used as a data stealer, although recently it has been deployed inr man-in-the-middle-attacks on financial applications and web services. The malware can obtain banking credentials and login information. It can also be used to exploit new zero-day flaws.

IT security experts should be wary and should alert their company’s workers of the tax refund spam, and instruct them not to open any zip file attachments, or any email attachments that have been shared  to them from unknown senders. The IRS will not notify individuals of a tax refund in this way. Any IRS email with a file attachment is likely to be spam and include malware.

Link copied to clipboard
Photo of author

Posted by

Elizabeth Hernandez

Elizabeth Hernandez is a news writer on Defensorum. Elizabeth is an experienced journalist who has worked on many publications for several years. Elizabeth writers about compliance and the related areas of IT security breaches. Elizabeth's has a focus data privacy and secure handling of personal information. Elizabeth has a postgraduate degree in journalism. Elizabeth Hernandez is the editor of HIPAAZone. https://twitter.com/ElizabethHzone