The Taxman Never Sleeps | FortiGuard Labs

FortiGuard Labs details a resurgence of Emotet delivering a tax-themed phishing attack purporting to be IRS-related. The chain starts with a compromised Pakistan-based email account, moves through a password-protected ZIP containing a K-1 form spreadsheet with an Excel 4.0 macro, then loads a next-stage Emotet payload via regsvr32 and attempts C2 contact across multiple IPs. #Emotet #Geodo #Heodo #IRS #K1Form #Windows

Keypoints

  • Emotet group (Geodo/Heodo) is active again, delivering a tax-themed phishing email claiming to be IRS-related.
  • The phishing email originates from a compromised account in Pakistan and uses a password-protected ZIP (password “0440”).
  • The ZIP contains a file named K-1 form.xls which embeds a malicious Excel 4.0 macro with an Auto_Open entry to execute code.
  • Six of seven worksheets are protected; the macro operates from the unprotected sheet to trigger payload execution.
  • URL fragments in the Excel data reveal four potential download locations for the next-stage payload (oxnv[n].ooccxx).
  • The Emotet payload is a DLL loaded via regsvr32.exe, stored in a randomly named path under System32, and exhibits many export functions for anti-analysis.
  • Emotet attempts to contact up to 20 C2 IPs, looping through them until a connection is established; Fortinet provides protections and IOCs for defense.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The email asserts IRS legitimacy and attaches a password-protected ZIP containing K-1 data. ‘The subject and body claim that the recipient’s IRS K-1 forms are attached in a Zip archive encrypted with the password “0440”. The phishing e-mail originated from an organization’s compromised e-mail account in Pakistan.’
  • [T1204.002] User Execution: Malicious File – The recipient is prompted to open K-1.xls, which contains a malicious macro. ‘An entry in “Manage Names”—“Excel_BuiltIn_Auto_Open”—is set to execute a command in a cell in the only sheet in the workbook that isn’t protected.’
  • [T1059.005] Visual Basic – Excel macro uses Visual Basic to run code via a malicious Excel 4.0 macro (Auto_Open) in the unprotected sheet.
  • [T1218.011] Signed Binary Proxy Execution: Regsvr32 – The payload is launched by regsvr32.exe with a path like ‘C:\Windows\System32\regsvr32.exe /S ..\oxnv[n].ooccxx’.
  • [T1036] Masquerading – The loader copies oxnv[n].ooccxx to a randomly named directory under C:\Windows\System32 and renames the DLL to a random name.
  • [T1071.001] Web Protocols – Emotet reaches out to C2 nodes over HTTP/HTTPS, looping through up to 20 IPs until contact is made.
  • [T1105] Ingress Tool Transfer – The next-stage payload is downloaded from four URL locations; the resulting file is named oxnv[n].ooccxx and then loaded.
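The regsvr32 and C2 behaviours listed above translate directly into host-based detection logic. The script below is an added example, not code from FortiGuard Labs or the report; it runs a few heuristics over constructed process-creation and network-connection log lines (the `event=... image=... cmdline=... parent=...` field layout is assumed for illustration and is not any product's native format). It flags regsvr32 spawned by an Office application, regsvr32 asked to load a file whose extension is not one it normally registers (the oxnv[n].ooccxx pattern), regsvr32 re-launching itself from a subdirectory of System32 (the copy-and-rename step), and outbound connections to the report's listed C2 IP:port pairs.

```python
import re
import shlex
from typing import Dict, List, Optional, Tuple

# Known Emotet C2 endpoints (IP, port) taken from the report's IOC list.
C2_IOCS = {
    ("45.235.8.30", 8080),
    ("94.23.45.86", 4143),
    ("119.59.103.152", 8080),
    ("169.60.181.70", 8080),
    ("164.68.99.3", 8080),
    ("172.105.226.75", 8080),
}

# File extensions regsvr32 is normally asked to register.
NORMAL_EXTS = {".dll", ".ocx", ".ax"}
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# Constructed sample telemetry (assumed key=value layout, not a real product log).
SAMPLE_LOGS = [
    'event=ProcessCreate image="C:\\Windows\\System32\\regsvr32.exe" cmdline="C:\\Windows\\System32\\regsvr32.exe /S ..\\oxnv3.ooccxx" parent="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"',
    'event=ProcessCreate image="C:\\Windows\\System32\\regsvr32.exe" cmdline="regsvr32.exe /s C:\\Windows\\System32\\msxml6.dll" parent="C:\\Windows\\System32\\msiexec.exe"',
    'event=ProcessCreate image="C:\\Windows\\System32\\regsvr32.exe" cmdline="C:\\Windows\\System32\\regsvr32.exe /S C:\\Windows\\System32\\Xkqzrtpl\\Vbmqeoac.dll" parent="C:\\Windows\\System32\\regsvr32.exe"',
    'event=NetworkConnect image="C:\\Windows\\System32\\regsvr32.exe" dst=94.23.45.86 dport=4143',
    'event=NetworkConnect image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" dst=93.184.216.34 dport=443',
]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Module path one level below System32, e.g. C:\Windows\System32\<random>\<random>.dll
_SYS32_SUBDIR = re.compile(r"^c:\\windows\\system32\\[^\\]+\\[^\\]+$")


def parse_event(line: str) -> Dict[str, str]:
    """Parse a key=value log line; values may be double-quoted."""
    return {k: (quoted or bare) for k, quoted, bare in _KV.findall(line)}


def regsvr32_target(cmdline: str) -> Optional[str]:
    """Return the module regsvr32 was asked to load: the last non-switch argument."""
    # posix=False keeps Windows backslashes literal and honours quoted paths.
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)[1:]]
    args = [t for t in tokens if not t.startswith("/")]
    return args[-1] if args else None


def analyze(ev: Dict[str, str]) -> List[str]:
    """Apply the heuristics to one parsed event and return human-readable findings."""
    findings: List[str] = []
    image = ev.get("image", "").lower()
    if ev.get("event") == "ProcessCreate" and image.endswith("\\regsvr32.exe"):
        parent = ev.get("parent", "").lower().rsplit("\\", 1)[-1]
        if parent in OFFICE_APPS:
            findings.append("regsvr32 spawned by an Office application")
        target = regsvr32_target(ev.get("cmdline", ""))
        if target:
            ext = ("." + target.rsplit(".", 1)[-1]).lower() if "." in target else ""
            if ext not in NORMAL_EXTS:
                findings.append(f"regsvr32 loading a non-DLL extension: {target}")
            if _SYS32_SUBDIR.match(target.lower()) and parent == "regsvr32.exe":
                findings.append(f"regsvr32 re-launching itself from a System32 subdirectory: {target}")
    elif ev.get("event") == "NetworkConnect":
        key = (ev.get("dst", ""), int(ev.get("dport", 0)))
        if key in C2_IOCS:
            findings.append(f"connection to known Emotet C2 {key[0]}:{key[1]}")
    return findings


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Run every heuristic over every line; returns (line index, finding) pairs."""
    return [(i, f) for i, line in enumerate(lines) for f in analyze(parse_event(line))]


if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_LOGS):
        print(f"line {idx}: {finding}")
```

The extension and parent-process rules are cheap and specific to the chain described here; the System32-subdirectory rule will need an allowlist in a real environment, since legitimate installers do register DLLs from subdirectories of System32. The C2 match is the least durable rule, because Emotet rotates its infrastructure, so it should be fed from a maintained indicator list rather than hard-coded.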

Indicators of Compromise

  • [File hash] K-1 form.zip – be2bb6f684cd23a66667a563a78ebfa43de4bb958dc0465a830229a9b927b714
  • [File hash] K-1.xls – 8c3cfdd7e1e162129eedf2c3d9f6f63c133622bfe5d04bccbd823486a85b69ed
  • [File hash] oxnv[n].ooccxx – 9efdbe83c874a14282b0105fcec8dc46d9ba1de6496f5d570fa14915b8fd3285
  • [Network] hXXp://www[.]spinbalence[.]com/admin3693/Z6WQpmNRNj6041fU2zpt/ (C2)
  • [Network] hXXp://kabaruntukrakyat[.]com/wp-content/ES/ (C2)
  • [Network] hXXps://chobemaster[.]com/INFECTED/LEdXM4gdwN4mgnlC/ (C2)
  • [Network] 45[.]235[.]8[.]30:8080 (C2)
  • [Network] 94[.]23[.]45[.]86:4143 (C2)
  • [Network] 119[.]59[.]103[.]152:8080 (C2)
  • [Network] 169[.]60[.]181[.]70:8080 (C2)
  • [Network] 164[.]68[.]99[.]3:8080 (C2)
  • [Network] 172[.]105[.]226[.]75:8080 (C2)

Read more: https://www.fortinet.com/blog/threat-research/the-taxman-never-sleeps