Beware of Email Scams Related to Current Events | FortiGuard Labs

Threat actors exploit timely events with phishing emails to harvest PII and establish footholds, using Emotet delivered through Excel 4.0 macros in tax-season and Ukraine-related scams. Fortinet FortiGuard Labs observed these campaigns and highlights defenses and training to help users spot suspicious emails. #Emotet #IRS #UN #Ukraine #FortiGuardLabs

Key points

  • Phishing campaigns track current events (tax season, Ukraine) to lure targets.
  • Attackers cast a wide net, sending thousands of emails for a high ROI even if a small fraction respond.
  • An IRS-themed email delivers Emotet via a ZIP attachment containing a macro-enabled Excel file (W-9 form.zip).
  • The Excel 4.0 macro is obfuscated and uses hidden sheets to download Emotet from remote locations.
  • Other scams include W-8 form PDFs and refugee/UN donation schemes that exploit urgency and impersonation.
  • Organizations rely on training and technology (Fortinet and Microsoft macro controls) to mitigate these phishing campaigns.
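The key points above describe an Excel 4.0 (XLM) macro hidden on a concealed sheet that reaches out to remote servers. The following Python script is an added example, not FortiGuard Labs' code and not the sample from the campaign: it shows how a defender can triage a workbook for that combination by reading the OOXML container directly (no third-party libraries). It assumes the file is a modern .xlsm/.xlsx zip; the legacy binary .xls format would need a BIFF parser such as oletools' olevba instead. The workbook it scans is constructed inline with placeholder formula text, and the suspicious-primitive list (CALL, EXEC, REGISTER, FORMULA, RUN) is a generic XLM heuristic rather than anything taken from the blog's sample, which, as the post notes, is obfuscated and may not match plain substrings.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by the parts inspected below
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
# Content type Excel assigns to an Excel 4.0 (XLM) macro sheet part
MACROSHEET_CT = "application/vnd.ms-excel.macrosheet+xml"
# XLM primitives that can load libraries or run programs; matched as substrings (heuristic)
SUSPICIOUS_XLM = ("EXEC(", "CALL(", "REGISTER(", "FORMULA(", "RUN(")


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def scan_workbook(data: bytes) -> dict:
    """Inspect an OOXML workbook (bytes of a .xlsm/.xlsx zip) for XLM macro sheets,
    hidden/veryHidden sheets, and formula cells using suspicious XLM primitives."""
    findings = {"macrosheets": [], "hidden_sheets": [], "suspicious_calls": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())

        # 1. [Content_Types].xml declares every part; macro sheets carry their own type.
        ct = ET.fromstring(z.read("[Content_Types].xml"))
        for override in ct.iter(f"{{{CT_NS}}}Override"):
            if override.get("ContentType") == MACROSHEET_CT:
                findings["macrosheets"].append(override.get("PartName", "").lstrip("/"))

        # 2. xl/workbook.xml lists sheets; state="hidden"/"veryHidden" keeps them out of the UI.
        if "xl/workbook.xml" in names:
            wb = ET.fromstring(z.read("xl/workbook.xml"))
            for sheet in wb.iter(f"{{{MAIN_NS}}}sheet"):
                state = sheet.get("state", "visible")
                if state != "visible":
                    findings["hidden_sheets"].append((sheet.get("name"), state))

        # 3. Walk each macro sheet's <f> formula cells for the listed primitives.
        for part in findings["macrosheets"]:
            if part not in names:
                continue
            sheet_xml = ET.fromstring(z.read(part))
            for el in sheet_xml.iter():
                if _local(el.tag) != "f" or not el.text:
                    continue
                formula = el.text.upper()
                for prim in SUSPICIOUS_XLM:
                    if prim in formula:
                        findings["suspicious_calls"].append((part, prim))
    return findings


def is_suspicious(findings: dict) -> bool:
    """Flag the pattern the post describes: an XLM macro sheet plus a hidden sheet
    plus at least one load/execute primitive in a formula."""
    return bool(findings["macrosheets"]) and bool(findings["hidden_sheets"]) \
        and bool(findings["suspicious_calls"])


def build_sample_xlsm() -> bytes:
    """Constructed sample (not a real campaign artifact): one visible worksheet plus a
    veryHidden Excel 4.0 macro sheet whose formulas use CALL/HALT with placeholder text."""
    content_types = (
        f'<Types xmlns="{CT_NS}">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/xl/workbook.xml" '
        'ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>'
        '<Override PartName="/xl/worksheets/sheet1.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/>'
        f'<Override PartName="/xl/macrosheets/sheet1.xml" ContentType="{MACROSHEET_CT}"/>'
        '</Types>'
    )
    workbook = (
        f'<workbook xmlns="{MAIN_NS}" xmlns:r="{REL_NS}"><sheets>'
        '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
        '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>'
        '</sheets></workbook>'
    )
    worksheet = f'<worksheet xmlns="{MAIN_NS}"><sheetData/></worksheet>'
    macrosheet = (
        f'<macrosheet xmlns="{MAIN_NS}"><sheetData>'
        '<row r="1"><c r="A1"><f>CALL("placeholder-library","placeholder-proc")</f></c></row>'
        '<row r="2"><c r="A2"><f>HALT()</f></c></row>'
        '</sheetData></macrosheet>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/worksheets/sheet1.xml", worksheet)
        z.writestr("xl/macrosheets/sheet1.xml", macrosheet)
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_workbook(build_sample_xlsm())
    print(result, "-> suspicious" if is_suspicious(result) else "-> clean")
```

Run it as-is to see the constructed sample flagged, or pass the bytes of a quarantined attachment to `scan_workbook`. The check is deliberately structural: the presence of a macro-sheet part and a `veryHidden` sheet is visible in the container even when the formula text itself is obfuscated, which is why step 3 is treated as corroboration rather than the sole signal.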

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – IRS impersonation email contains a ZIP attachment; “This attack starts with an IRS impersonation email that contains a ZIP attachment called “W-9 form.zip”.”
  • [T1204.002] User Execution: Malicious File – The XLM file asks the user to enable macros upon opening the file; “The XLM file asks the user to enable macros upon opening the file.”
  • [T1027] Obfuscated/Compressed Files or Information – The XLM file contains an obfuscated Excel 4.0 macro; “The XLM file contains the following obfuscated Excel 4.0 macro:”
  • [T1105] Ingress Tool Transfer – Macro downloads a copy of Emotet from multiple remote locations; “to download a copy of Emotet from multiple remote locations:”

Indicators of Compromise

  • [URLs] Emotet-related URLs – http://piajimenez.com/Fox-C/dS4nv3spYd0DZsnwLqov/, https://getlivetext.com/Pectinacea/AL5FVpjleCW/, http://inopra.com/wp-includes/3zGnQGNCvIKuvrO7T/, http://biomedicalpharmaegypt.com/sapbush/BKEaVq1zoyJssmUoe/, http://janshabd.com/Zgye2/, https://justforanime.com/stratose/PonwPXCl/
  • [SHA-256] Emotet sample hashes – e5a1123894f01197d793d1fe6fa0ecc2bf6167a26ec56bab8c9db70a775ec6bc, 6fa0c6858688e1c0cbc9072c9d371f2183e0bf0c30a1187453cbbe080e0167ca, and 13 more hashes
  • [Domains] Campaign domains – piajimenez.com, getlivetext.com, servconfig.com, seca.cam

Read more: https://www.fortinet.com/blog/threat-research/bad-actors-capitalize-current-events-email-scams