TrendLabs senior advanced threats researcher Ivan Macalintal found spammed messages claiming to come from the Internal Revenue Service (IRS). Timed to coincide with tax season (April), the email message warns recipients that they have either underreported or failed to report their income. It asks users to click the embedded link to correct the supposed errors.
Once clicked, the URL leads users to download a ZBOT variant detected as TROJ_KRAP.SMDA. Like the previously detected ZBOT variants featured in the following entries, this malware steals information from users’ systems and then sends the stolen data to a remote user:
- Bogus IRS W-2 Form Leads to Malware
- Social Engineering Watch: Another IRS Scam
- Tax Season Is Phishing Season
TROJ_KRAP.SMDA also terminates security-related processes and disables Windows Firewall. For more information on the ZBOT malware and the infamous ZeuS botnet, please refer to Trend Micro’s recently published research paper, “Zeus: A Persistent Criminal Enterprise.”
Trend Micro™ Smart Protection Network™ protects product users from this threat by preventing the spammed messages from even reaching users’ inboxes via the email reputation service. It also blocks access to the malicious sites via the Web reputation service and stops the download and execution of the malicious files via the file reputation service.