After the holidays, spammers are now capitalizing on the upcoming tax season.
Recently, Trend Micro threat analysts found spammed messages purporting to come from the Internal Revenue Service (IRS). The message bears the subject “W-2 Form update” and instructs recipients to update the form because of supposed “important changes.” The W-2 form (Wage and Tax Statement) reports an employee’s annual wages and the tax withheld from them.
The message looks legitimate because the URLs and phone numbers it contains are real ones, presumably chosen so that recipients will not suspect anything. It urges the recipient to open the attachment, Update.doc, which is presented as the W-2 form but is actually an .RTF file. Opening it shows what appears to be an embedded .PDF document. The embedded object is in fact an .EXE file that carries a PDF icon; the icon is the only cue the reader sees, and double-clicking the object runs the executable. Trend Micro detects it as BKDR_POISON.BQA.
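The check a practitioner would want to run on such an attachment is to look past the icon at the embedded object itself. The Python script below is an added example, not Trend Micro’s code and not a parser written for the actual Update.doc: it decodes the hex-encoded \objdata blobs in an RTF, confirms whether each embedded object contains a PE image (by following e_lfanew from the MZ header to the PE signature rather than trusting a bare “MZ”), and pulls out any document-like display name stored alongside it, which is the lure the icon is built from. The sample RTF, the “W-2 Form.pdf” label, and the stub PE image are constructed for the demonstration, and the simplified Package header layout is an assumption, not a full OLE parser.

```python
import re
import struct

# RTF embeds OLE objects as {\object\objemb{\*\objclass X}{\*\objdata <hex>}}.
# The payload is a hex dump, usually wrapped across many lines.
OBJCLASS_RE = re.compile(rb"\\\*\\objclass\s+([^{}\\]+)")
OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([0-9A-Fa-f\s]+)")
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{6,}")
DOC_LIKE_EXT = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def find_pe_header(blob: bytes):
    """Return the offset of an MZ/PE image inside blob, or None if there is none.

    A bare 'MZ' occurs by chance in binary data, so each hit is confirmed by
    following e_lfanew (the DWORD at MZ+0x3C) to a 'PE\\0\\0' signature.
    """
    start = 0
    while True:
        mz = blob.find(b"MZ", start)
        if mz < 0 or mz + 0x40 > len(blob):
            return None
        e_lfanew = struct.unpack_from("<I", blob, mz + 0x3C)[0]
        pe = mz + e_lfanew
        if 0x40 <= e_lfanew < 0x1000 and blob[pe:pe + 4] == b"PE\x00\x00":
            return mz
        start = mz + 1


def scan_rtf(rtf: bytes):
    """Decode every \\objdata blob in an RTF and report executables inside embedded objects.

    Class names are paired with payloads in document order, which is a
    simplification: a hostile RTF can omit or reorder them.
    """
    classes = [m.group(1).strip().decode("ascii", "replace") for m in OBJCLASS_RE.finditer(rtf)]
    findings = []
    for idx, match in enumerate(OBJDATA_RE.finditer(rtf)):
        hex_text = re.sub(rb"\s+", b"", match.group(1))
        hex_text = hex_text[: len(hex_text) & ~1]      # drop a dangling nibble
        blob = bytes.fromhex(hex_text.decode("ascii"))
        pe_offset = find_pe_header(blob)
        # Package objects store the display label and original path as plain
        # text, so a document-looking name next to a PE image is the icon lure.
        labels = [s.decode("ascii") for s in PRINTABLE_RE.findall(blob)
                  if s.decode("ascii").lower().endswith(DOC_LIKE_EXT)]
        if pe_offset is None:
            verdict = "no executable found"
        elif labels:
            verdict = "executable disguised as document"
        else:
            verdict = "embedded executable"
        findings.append({
            "objclass": classes[idx] if idx < len(classes) else None,
            "size": len(blob),
            "pe_offset": pe_offset,
            "labels": labels,
            "verdict": verdict,
        })
    return findings


# --- Constructed sample (not the real Update.doc) ---------------------------
# Stand-in for the OLE Package header (assumption: simplified layout). The
# format keeps the label and original path as null-terminated strings ahead
# of the file contents.
SAMPLE_PACKAGE_HEADER = (b"\x02\x00"
                         + b"W-2 Form.pdf\x00"
                         + b"C:\\Users\\victim\\W-2 Form.pdf\x00")


def _stub_pe_image() -> bytes:
    """A minimal byte string with valid MZ/PE signatures (not a runnable binary)."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew points just past the DOS header
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 24


def build_sample_rtf() -> bytes:
    """An RTF whose embedded 'PDF' is really a PE image, mirroring the lure above."""
    hex_blob = (SAMPLE_PACKAGE_HEADER + _stub_pe_image()).hex().encode("ascii")
    # Real RTF writers wrap the hex dump; do the same to exercise whitespace handling.
    wrapped = b"\n".join(hex_blob[i:i + 64] for i in range(0, len(hex_blob), 64))
    return (b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\n"
            b"\\f0 Please review the attached W-2 form.\\par\n"
            b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata " + wrapped + b"}}\n}")


if __name__ == "__main__":
    for finding in scan_rtf(build_sample_rtf()):
        print(finding)
```

Against a real attachment, pass the file contents to `scan_rtf` as bytes; a finding whose verdict is “executable disguised as document” is exactly the PDF-icon trick described above. For production triage, the oletools `rtfobj` utility performs this extraction more thoroughly than this heuristic.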
BKDR_POISON.BQA is a component of the Darkmoon Remote Administration Tool (RAT), which lets a malicious user execute commands on the affected system. Interestingly, this backdoor attempts to connect to a private IP address (192.168.29.1). That address lies in the RFC 1918 private range and is not routable on the Internet, so the sample can only reach its controller from inside a network where the address is in use, and the callback will not appear in outbound proxy or firewall logs. This may be the attacker’s misconfiguration or a sign that the attack targets a specific internal network environment.
In the past, Trend Micro has blogged about how cybercriminals ride on the IRS and the tax season in the following posts:
- Social Engineering Watch: Another IRS Scam
- Fake Form W-8BEN Used in IRS Tax Scams
- Tax Season Is Phishing Season
Users are strongly advised not to open attachments in suspicious-looking emails, even when the sender appears to be a known source, and to verify directly with the IRS whether a message they received is legitimate; the IRS does not initiate contact with taxpayers by email to request personal or financial information. Trend Micro protects users from this kind of attack via the Smart Protection Network, which blocks the spammed messages and detects and deletes the related malicious files.