Threat Watch

Amadey Botnet Targets U.S. Taxpayers

A new phishing campaign has been observed delivering the Amadey botnet malware to U.S. taxpayers through fake income tax refund emails. The infection chain begins with an email purporting to come from the Internal Revenue Service (IRS) that tells the recipient they are eligible for a tax refund. The notable feature of this attack is that the attacker does not ask for credentials. Instead, the message supplies a temporary username and password for logging into a fake IRS portal linked in the message body. The fraudulent site is hosted at ‘hxxp://yosemitemanagement[.]com/fonts/page5/’; after the user logs in with the temporary credentials, the site states that they have a pending refund. Victims are then asked to enter some personal details and download a ZIP file to claim the refund. If the user downloads the ZIP file, the payload starts a self-decryption routine and lodges itself in the Windows Registry. Amadey then connects to its command-and-control (C2) server to send system diagnostic information and waits for further instructions.

ANALYST NOTES

Users should adopt a Zero-Trust policy toward emails from senders they do not recognize. Recipients of this message can also hover the mouse over the link to reveal the actual link address; if the address looks suspicious, they should not click the link and should delete the email.
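As an added illustration of the checks in the analyst note (not code from the original write-up), this Python script triages a constructed sample message for the campaign's tells: an IRS claim from a non-irs.gov sender, the refund/temporary-credential/ZIP lure wording, a link to the host quoted above, and anchor text whose displayed URL does not match the real destination. The sample body, the sender address, the keyword set and the function names are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host quoted in the write-up above, kept defanged and refanged only for matching.
KNOWN_PHISH_HOSTS = {"yosemitemanagement[.]com".replace("[.]", ".")}
LURE_TERMS = ("tax refund", "temporary", "password", "zip")  # assumed lure wording


class _LinkCollector(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage_email(sender: str, html_body: str) -> list:
    """Return the reasons a message matches the IRS-refund lure described above."""
    findings, lowered = [], html_body.lower()
    if re.search(r"\birs\b", lowered) and not sender.lower().endswith("@irs.gov"):
        findings.append("claims to be IRS but sender domain is not irs.gov")
    hits = [t for t in LURE_TERMS if t in lowered]
    if len(hits) >= 3:
        findings.append("refund lure with temporary credentials/ZIP: " + ", ".join(hits))
    parser = _LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if host in KNOWN_PHISH_HOSTS:
            findings.append(f"link to known phishing host {host}")
        # A displayed URL that differs from the real destination is what hovering reveals.
        shown = urlparse(text).hostname if text.startswith("http") else None
        if shown and shown.lower() != host:
            findings.append(f"link text shows {shown} but points to {host}")
    return findings


# Constructed sample mimicking the campaign's message; not a real capture.
SAMPLE_BODY = """<p>The IRS has determined you are eligible for a tax refund.</p>
<p>Temporary username: user123 / password: Tmp#1</p>
<p>Log in at <a href="http://yosemitemanagement.com/fonts/page5/">https://www.irs.gov/refund</a>
and download the ZIP file to claim it.</p>"""
```

Running `triage_email("refunds@example.com", SAMPLE_BODY)` returns all four findings, while a plain statement notice from an irs.gov sender returns none.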