Another Tax Season Brings More Phishing Lures and a Variety of Malware

March 01, 2017
Proofpoint Staff

Overview

Tax season and the rounds of phishing lures that accompany it are annual traditions in the US. This year, we tracked malware distribution in addition to the customary phishing schemes among the email threats related to federal taxes. We also saw this tradition extend north of the border to Canada, where taxes are due on April 30th.

Analysis – Malware Delivery

Tax-related themes are frequent lures for phishing emails and websites. This year, though, Proofpoint researchers examined several campaigns that also distributed malware through tax- and IRS-themed emails. In the first campaign we tracked, recipients were encouraged to read the new IRS privacy policy in an attached document. The email contains several elements of social engineering, explaining why recipients needed to open the document and why they should enable the embedded macros -- in this case, a bogus claim of mandatory encryption. Once enabled, the macros download Dridex botnet ID 1105.

Figure 1: IRS tax "privacy policy update" email lure

Another email campaign targeting US recipients offered a special "loyalty tax refund" program. While the social engineering in this lure was far less sophisticated, the attached malicious document delivered Sage ransomware via embedded macros. Sage ransomware made headlines earlier this year for its very large ransoms, generally asking users for $2,000 USD to decrypt their files.

Figure 2: Email lure with attached document that delivers Sage ransomware if the user enables the document macros.

A separate campaign delivering Sage during the third week of February was noteworthy because it used links to zipped JavaScript files (Figure 3) instead of attached malicious documents. The email lure uses a missed payment deadline aligned to the date of the message to create a sense of urgency around the email. When recipients click the link and decompress the archive, the JavaScript file installs Sage.

Figure 3: Tax-themed email lure distributing Sage ransomware via a malicious link to a zipped JavaScript file

Another malicious email campaign leveraging tax-themed lures delivered LuminosityLink via attached macro-laden Excel spreadsheets. LuminosityLink is a remote access Trojan (RAT) that includes a comprehensive keylogger capable of injecting code into most running processes on infected PCs. Proofpoint has also observed LuminosityLink being used to download additional payloads based to targets identified as high value by attackers based on analysis of infected systems. An example of the malicious spreadsheet appears in Figure 4.

Figure 4: Socially engineered spreadsheet with apparent tax deductions and an image explaining why recipients should enable macros

“The Trick”, also known as TrickBot and TrickLoader, has emerged recently as a high-profile banking Trojan with links to the infamous Dyreza banker and the actors behind it. On February 22, we observed a well-crafted socially engineered attack delivering The Trick under the guise of documents to be completed for the Canadian Revenue Agency (the Canadian equivalent of the US Internal Revenue Service).

The professional-looking email, shown in Figure 5, includes instructions and contact information related to the attached “secure documents” (Figure 6). The documents download The Trick when recipients enable macros.

Figure 5: Lure email delivering bogus documents related to Canadian tax information

Figure 6: Lure document that downloads The Trick banking Trojan when recipients enable macros

Figure 7: Email from irs-consultant.com domain

The attached document is blank, but if unsuspecting or curious recipients enable content, macros install Philadelphia ransomware, which was first documented last fall. According to our colleagues at bleepingcomputer.com, “Philadelphia is being sold as a low cost ransomware solution that allows any wannabe criminal to get an advanced ransomware campaign up and running with little expense or complexity.” Figure 8 shows the Philadelphia ransomware ransom screen.

Figure 8: Philadelphia ransomware ransom screen

As these examples demonstrate, tax-themed email campaigns encapsulate the broader trends we highlighted in our 2016 Threat Report: large-scale distribution of ransomware via email, geographic targeting of banking Trojans, variation of payloads, and increasing adoption of URLs in place of document attachments.

Analysis – Phishing

Although the use of tax-related lures and documents to distribute a variety of malware payloads, including relatively new variants like Sage and The Trick, was striking, tax-themed phishing remained the most popular attack. These phishing schemes continue to employ a variety of templates and attack styles and, for the first time, adopted some of the more sophisticated approaches we have previously observed in Gmail and PayPal phishing schemes.

Figure 9 shows an example lure purporting to be from the IRS, although savvy recipients will quickly recognize that the domain is not a valid US government TLD.

Figure 9: Lure email bearing a phishing form

The attached document “IRS-gov Copyright.html” is a phishing page (Figure 10) that sends the personal information collected in the form back to the attacker. The use of HTML attachments rather than links is not a novel approach, but in this case the stolen branding and template used accurately mirror real pages from irs.gov. The email lure, despite some grammatical errors, also effectively uses the stolen IRS branding and imparts a sufficient sense of urgency to encourage users to submit the form.

Figure 10: Phishing page attached to an IRS-themed lure email

This level of quality is not universal, however, as other recent examples feature noticeable grammatical errors and haphazard punctuation that should raise red flags for most recipients.

Many of these phishing pages are based on templates that have been in use for several years. For example, the page in Figure 11 resembles other pages collects much of the same information but has actually been used by phishing actors since 2013 when the PIN fraud attacks were first observed.

Figure 11: PIN fraud attack first used in 2013

W2 forms and requests have become a popular lure in a variety of email based scams. In another example, phishers target personal information via a form to submit federal W2 information, again lifting IRS branding and images directly from IRS.gov.

Figure 12: W2 form phishing template

We have also observed the reuse of forms capturing IRS login information that we first described last year. As noted, phishers extensively reuse templates and related code from previous campaigns, and they have little incentive to innovate extensively as long as existing templates and tools remain effective. While the templates described above continue to be used because they are still effective, we are beginning to see some of the more sophisticated techniques in tax-themed phishing that we have observed in recent PayPal and Gmail phishing campaigns. While still not at the level of these attacks, some are employing the now common technique of utilizing JavaScript AES encryption, allowing page content to bypass intrusion detection systems and many antivirus applications. Combined with fairly convincing social engineering (Figure 13), these newer templates are potentially both more effective and harder to detect.

Figure 13: Fake IRS landing page leading to a template that uses JavaScript AES encryption

Clicking “LET [sic] START” leads to a page where victims begin to enter personal information (Figure 14).

Figure 14: Phishing template utilizing JavaScript AES encryption to bypass intrusion detection systems

Another technique of recent, more sophisticated phishing campaigns is to deliver fake notices to victims while their information is "processing". Figure 15 shows an animation displayed while the page appears to retrieve victims’ most recent tax refund amounts, creating a sense of legitimacy by incorporating the small wait time users would expect from an online form that must find their information from among millions of records.

Figure 15: Animation of the “refund processing” page used in a common phishing campaign.

Starting the refund process brings victims to a page on which they can begin debit/credit card information. After recipients select their bank, a complete debit/credit card phishing page appears (Figure 16).

Figure 16: Credit card phishing page using an IRS-themed template

Once users complete the page, they are presented with a reassuring landing page before they are redirected to the genuine IRS website.

Brands for commercial software and services related to taxes also make popular and realistic lures. For example, we are observing multiple TurboTax templates in circulation right now. Some are single-page template, purportedly used to retrieve account information. Once the first page is complete, the template presents victims with a form requesting additional personal information.

In a nod to the prevalent use of smartphones for many tasks that previously required a PC, other templates offer support for mobile devices, (Figure 17).

Figure 17: TurboTax template with mobile device support

Users now expect mobile tax filing applications to accept images of identifying information and W2s; many templates leverage that expectation and prompt victims to upload these documents which can then be used for identity theft.

Figure 18: Mobile phishing page that prompts victims to upload identifying information. Note the use of the UK-English expression “driving license,” rather than the American-English “drivers license.”

Conclusion

This year, as in most years, tax season brings a variety of phishing schemes seeking to steal important personal and financial information. While we continue to see high degrees of code reuse and template theft, as in broader phishing, we observed a number of more sophisticated campaigns as well that borrowed techniques from phishing schemes we regularly track. Many of these campaigns targeted tax preparation services with a wider variety of templates and lures than we have observed in the past.

At the same time, tax-themed emails were used to distribute relatively new malware variants, reflecting the latest trends we have observed in the broader malware landscape. These shifts, both in techniques and payloads, demonstrated that this well-worn lure is benefitting from updates in email-based attacks. As April 15 approaches, we will continue to watch for additional threats and signs of innovation, and organizations and individuals should remain alert for increasingly sophisticated tax-theme email lures.

IRS / Turbotax ETPRO Coverage

ETPRO CURRENT_EVENTS Successful IRS Phish Sept 14 M1 - 2813012
ETPRO CURRENT_EVENTS Successful IRS Phish Sept 14 M2 - 2813013
ETPRO CURRENT_EVENTS Possible Successful Generic Phish Jan 14 - 2815781
ETPRO CURRENT_EVENTS IRS Phishing Landing Jan 15 - 2815799
ETPRO CURRENT_EVENTS Successful IRS Phish Jan 15 - 2815800
ETPRO CURRENT_EVENTS Successful IRS Phish Jan 22 - 2815926
ETPRO CURRENT_EVENTS Successful IRS Phish Jan 04 2017 - 2824211
ETPRO CURRENT_EVENTS Successful IRS Phish Jan 05 2017 - 2824234
ETPRO CURRENT_EVENTS Successful IRS Phish Jan 20 2017 - 2824570
ETPRO CURRENT_EVENTS Successful IRS Phish M1 Jan 31 2017 - 2824709
ETPRO CURRENT_EVENTS Successful IRS Phish M2 Jan 31 2017 - 2824710
ETPRO CURRENT_EVENTS Successful IRS Phish M3 Jan 31 2017 - 2824711
ETPRO CURRENT_EVENTS Successful IRS Phish M4 Jan 31 2017 - 2824712
ETPRO CURRENT_EVENTS Successful IRS Phish Feb 07 2017 - 2824813
ETPRO CURRENT_EVENTS Successful IRS Phish M1 Feb 22 2017 - 2825069
ETPRO CURRENT_EVENTS Successful IRS Phish M2 Feb 22 2017 - 2825070
ETPRO CURRENT_EVENTS Successful IRS Phish M3 Feb 22 2017 - 2825071
ETPRO CURRENT_EVENTS Successful Turbotax Phish Jan 04 2017 - 2824212
ETPRO CURRENT_EVENTS Successful Turbotax Phish Jan 31 2017 - 2824713

Indicators of Compromise (IOCs)

Dridex 1105

IOC

IOC Type

Description

irsnews[.]info/Policy_Update3.doc

URL

URL to Dridex doc

ff9e17f9692e3f34b68af54ffffb0bbadf8a371f412f0639596f456a9c4f8518

SHA256

Policy_Update3.doc

86[.]110.117.205/0210.exe

URL

Dridex document getting payload

5.101.120[.]73

IP

Dridex Loader C&C

188.226.154[.]38

IP

Dridex Loader C&C

91.121.30[.]169

IP

Dridex Loader C&C

51.254.129[.]140

IP

Dridex Loader C&C

185.129.148[.]246

IP

Dridex Loader C&C

80.90.203[.]245

IP

Dridex Worker C&C

216.126.225[.]189

IP

Dridex Injects C&C

173.196.157[.]250

IP

Dridex Injects C&C

Sage - Attachment

IOC

IOC Type

Description

016358afcd1e0c6ed8efb490e6ad38724048bf81cc0620de9c4b39f6d81d14ba

SHA256

Attachment

hxxp://tiranainternational[.]com/hoteltiranacom/joomla_style[.]jpg

URL

Document payload

mbfce24rgn65bx3g.pbt2ac[.]com

Hostname

Sage C&C

mbfce24rgn65bx3g.9dpnlu2[.]com

Hostname

Sage C&C

7gie6ffnkrjykggd[.]onion

Domain

Sage payment

7gie6ffnkrjykggd.pbt2ac[.]com

Hostname

Sage payment

7gie6ffnkrjykggd.9dpnlu2[.]com

Hostname

Sage payment

Sage - URL

IOC

IOC Type

Description

mangosdemadera[.]com/wp-includes/info.php

URL

URL in email

29138552aee9e03bbc5b426c8b36b5f5ce87c2034ee58c9578aaa6f0f6571d3a

SHA256

Information.zip downloaded from initial URL

29138552aee9e03bbc5b426c8b36b5f5ce87c2034ee58c9578aaa6f0f6571d3a

SHA256

info_344.js inside information.zip

hxxp://taxinginfo.trade/file[.]jpg

URL

JavaScript payload

mbfce24rgn65bx3g.io23zc[.]com

Hostname

Sage C&C

LuminosityLink

IOC

IOC Type

Description

9e8044e15bb15c01a3d9b4c917736d25301e3bc2db7b4a214d0461418b829a6b

SHA256

Attachment

The Trick

IOC

IOC Type

Description

fcdfe2b640fd560c2c72becd2dc27e004cd91638a47ce5845b5ec3b338c0e190

SHA256

Attachment

Philadelphia - Attachment

IOC

IOC Type

Description

7bf232cf3fd70906d8fa3a7dc9569d1d67ebb72303a710c3f55ce0564e250231

SHA256

Attachment

hxxp://worldprocessing.co/philly-germany[.]exe

URL

Document payload

hxxp://apocalipsisz.es/bridge[.]php

Domain

Philadelphia C&C

hxxp://clearvisionwear.us/wp/bridge[.]php

Domain

Philadelphia C&C

hxxp://iigenesis.com/bridge[.]php

Domain

Philadelphia C&C

hxxp://philipjonescoachhire.com/bridge[.]php

Domain

Philadelphia C&C

2013 phish page

IOC

IOC Type

Description

hxxp://weareagenius.com/wp-content/plugins/gravityforms/fonts/irs=gov/confirm.mem/start[.]php

SHA256

Phishing landing page

W2 phish page

IOC

IOC Type

Description

hxxp://www.tashconferences[.]com/new/w2-form/

SHA256

Phishing landing page

AES phish page

IOC

IOC Type

Description

hxxp://www.tax-refund-irs-gov.radyobabil[.]com/

SHA256

Phishing landing page

TurboTax mobile

IOC

IOC Type

Description

hxxp://tapeunlimited[.]com/js/zip/index/

SHA256

Phishing landing page