A recent Emotet phishing campaign is impersonating W-9 tax paperwork delivered by an employer and/or the IRS in order to target US taxpayers. The well-known piece of malware called Emotet was previously delivered by phishing emails that included Microsoft Word and Excel documents that had malicious macros that deliver the malware. Emotet moved to exploiting Microsoft OneNote files with embedded scripts to install the malware after Microsoft started blocking macros in downloaded Office documents by default. After being installed, Emotet will send spam emails, harvest victim emails for use in future reply-chain attacks, and eventually install more malware to provide other threat actors, such as ransomware gangs, initial access.
The threat actors in the campaign observed by Malwarebytes sent emails with the subject line “IRS Tax Forms W-9” while posing as an “Inspector” from the Internal Revenue Service. The malicious Word document is contained in a ZIP archive attachment with the name “W-9 form.zip”. In order to make it more difficult for security tools to identify this Word document as malicious, its size has been increased to almost 500MB. Eventually, a VBScript downloads the Emotet DLL and executes it using regsvr32.exe, initiating all the malicious functions outlined above.
All emails that appear to be W-9 or tax related forms should be scanned using a reputable antivirus solution prior to being opened. However, it is not advised that these documents be uploaded to cloud-based scanning services like VirusTotal because of the private nature of these forms. Any Microsoft Word attachments that reference tax documents, which are typically issued as PDF (.pdf) documents, should be handled with caution.
Last but not least, it is unlikely that tax forms would ever be transmitted as OneNote documents. Any suspicious emails with this form of attachment and subject should be reported to a manager or IT technician and it is advised not to open the email or any attachments therein.