Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2015
    S M T W T F S
    « Jul    
  • Email Subscription

  • About Us

    After the holidays, spammers are now capitalizing on the upcoming tax season.

    Recently, Trend Micro threat analysts found spammed messages purporting to come from the Internal Revenue Service (IRS). The spammed message bears the subject “W-2 Form update” and informs users to update the said form because of supposed “important changes.” The W-2 form states an employee’s annual salary and total tax.

    The spammed message looks normal since the URLs and phone numbers in it are legitimate. This was probably done so users will not suspect anything. It also encourages users to open the attached .RTF file (Update.doc), which is supposed to be the W-2 form. When users open the .RTF file, however, they will see an embedded .PDF file. This supposed .PDF file is actually an .EXE file that uses the PDF icon. This is detected by Trend Micro as BKDR_POISON.BQA.

    BKDR_POISON.BQA is a component of the Darkmoon Remote Administration Tool (RAT), which enables a malicious user to execute commands on the affected system. Interestingly, this backdoor attempts to connect to a private IP address ( This may be the attacker’s misconfiguration or an attack targeting a specific internal network environment.

    Click for larger view Click for larger view

    In the past, Trend Micro has blogged about how cybercriminals ride on the IRS and the tax season in the following posts:

    Users are strongly advised not to open any suspicious-looking emails even though they came from a supposedly known source. It is also recommended that users verify with IRS if the email they received is legitimate or not. Trend Micro protects users from this kind of attack via the Smart Protection Network, which blocks the said spammed messages and detects and consequently deletes related malicious files.

    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice