For most people, taxes are a certainty. In the United States and Canada, tax forms are usually submitted by individuals and businesses in the spring (although, due to COVID, extensions were granted for anyone who asked for them). So, our interest was piqued when we came across an e-mail that included a tax form seemingly from the United States Internal Revenue Service (IRS) in early November.
Affected Platforms: Windows
Impacted Users: Windows users
Impact: Potential to deploy additional malware for additional purposes
Severity Level: Medium
The e-mail FortiGuard Labs discovered was, unsurprisingly, malicious. But what was interesting was that it had been sent by the recently resurgent Emotet group. Emotet (aka, Geodo and Heodo) began life as a banking Trojan but has since morphed into a jack-of-all-trades tool that can exploit several vulnerabilities to compromise its victims. Once it has infected a system, it then typically delivers additional payloads. And because it’s modular, it is easily customizable by its users. This flexibility and resiliency are part of why Emotet has managed to survive at least one coordinated industry/law enforcement takedown in 2021.
The phishing e-mail
Although claiming to be from “IRS.gov,” this phishing e-mail originated from an organization’s compromised e-mail account in Pakistan. The subject and body claim that the recipient’s IRS K-1 forms are attached in a Zip archive encrypted with the password “0440”.
Schedule K-1 is a US federal tax document that reports income, losses, and dividends for a business or financial entity’s partners or an S corporation’s shareholders to the IRS. Because the figures from these forms must be added to an individual’s annual tax return, they must be submitted one month before the individual income tax deadline of April 15, that is, by March 15. This is why seeing a Schedule K-1 form attached to an email on November 8th was a red flag.
Figure 1. Phishing e-mail.
A Zip archive, “K-1 form.zip”, and an image of the IRS logo are attached to the email.
K-1 form.zip
Figure 2. Encrypted and password-protected Zip archive.
This “K-1 form.zip” file is an encrypted Zip archive that requires a password to unpack. Its password, “0440”, is included in the body of the e-mail. It allows the “K-1 form.xls” to be opened.
K-1 form.xls
Once opened, the file is an Excel spreadsheet with an interesting banner. It exhorts the user, “in accordance with the requirements of your security policy,” to copy the file into the “Templates” directory of whichever version of Microsoft Office is being used and then relaunch it.
Figure 3. K-1 form.xls as it appears to the user.
The file has several worksheets (seven in total). Six of those sheets are protected, so they can’t be changed, and the user cannot view their contents directly.
As you might suspect, this spreadsheet includes a malicious Excel 4.0 macro. An entry in “Manage Names”—“Excel_BuiltIn_Auto_Open”—is set to execute a command in a cell in the only sheet in the workbook that isn’t protected.
Figure 4. Auto-open settings for the spreadsheet.
A deeper look at Sheet6 shows that column “G” has been hidden.
Figure 5. Columns E, F, and H, with column G hidden.
Python scripting reveals more information about how this malicious file functions.
Figure 6. Details of the K1 form.xls hidden from view.
Using the Python library “openpyxl”, we could view details hidden in each of the worksheets. As shown in Figure 6, several rows and columns have hidden content.
For example, by drilling deeper into the data for “Sheet4,” several URL fragments are revealed.
Figure 7. URL fragments in Sheet 4.
Some further scripting helps piece these fragments together.
Figure 8. URL fragments pieced together.
This reveals four possible download locations for the next stage payload.
Figure 9. Possible payload download locations.
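To show the kind of scripting used for Figures 6 to 9, here is an added example (not FortiGuard Labs’ code) that reads the workbook’s XML parts directly with the Python standard library instead of openpyxl. It assumes, as openpyxl does, that the file is in OOXML (.xlsx) format despite its .xls extension, builds a constructed miniature workbook with inline strings only (no sharedStrings part), then lists hidden rows and columns, finds the Auto_Open defined name, and joins the text kept out of view.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
# Constructed sample, NOT the real K-1 workbook. An .xlsx is a zip of XML parts, so two parts are
# enough to show where the hiding lives: column G marked hidden, a hidden row, and an Auto_Open name.
SAMPLE_PARTS = {
    "xl/workbook.xml": '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
        '<sheets><sheet name="Sheet6" sheetId="1"/></sheets>'
        '<definedNames><definedName name="_xlnm.Auto_Open">Sheet6!$G$1</definedName></definedNames></workbook>',
    "xl/worksheets/sheet1.xml": '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
        '<cols><col min="7" max="7" hidden="1"/></cols><sheetData>'
        '<row r="1"><c r="E1" t="inlineStr"><is><t>K-1 Form</t></is></c></row><row r="2"><c r="G2" t="inlineStr"><is><t>http://exa</t></is></c></row>'
        '<row r="3" hidden="1"><c r="A3" t="inlineStr"><is><t>mple.invalid/stage2/</t></is></c></row>'
        '</sheetData></worksheet>',
}

def build_sample_xlsx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, xml in SAMPLE_PARTS.items():
            zf.writestr(name, xml)
    return buf.getvalue()

def col_num(letters: str) -> int:  # "A" -> 1, "G" -> 7, "AA" -> 27
    return sum((ord(ch) - 64) * 26 ** i for i, ch in enumerate(reversed(letters)))

def triage(xlsx_bytes: bytes) -> dict:
    # Flag auto-run names and hidden rows/columns, then collect the text they keep out of view.
    r = {"auto_names": {}, "hidden_cols": [], "hidden_rows": [], "hidden_text": []}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        wb = ET.fromstring(zf.read("xl/workbook.xml"))
        for dn in wb.iter(NS + "definedName"):  # _xlnm.Auto_Open is the Excel 4.0 macro auto-run hook
            if "auto_open" in dn.get("name", "").lower():
                r["auto_names"][dn.get("name")] = dn.text
        for part in sorted(n for n in zf.namelist() if n.startswith("xl/worksheets/")):
            ws = ET.fromstring(zf.read(part))
            for c in ws.iter(NS + "col"):  # one <col hidden="1"> can cover a min..max range
                if c.get("hidden") == "1":
                    r["hidden_cols"].extend(range(int(c.get("min")), int(c.get("max")) + 1))
            for row in ws.iter(NS + "row"):
                row_hidden = row.get("hidden") == "1"
                if row_hidden: r["hidden_rows"].append(int(row.get("r")))
                for cell in row.iter(NS + "c"):  # inline strings only; a sharedStrings part is not handled
                    t = cell.find(NS + "is/" + NS + "t")
                    col_hidden = col_num(cell.get("r").rstrip("0123456789")) in r["hidden_cols"]
                    if t is not None and (row_hidden or col_hidden):
                        r["hidden_text"].append(t.text)
    r["joined"] = "".join(r["hidden_text"])  # piece the fragments back together, as in Figure 8
    return r
```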
Depending on which URL is used, the downloaded payload is saved as oxnv1.ooccxx through oxnv4.ooccxx. The macro then attempts to launch this payload via “regsvr32.exe” using the command “C:\Windows\System32\regsvr32.exe /S ..\oxnv[n].ooccxx”.
This executable is Emotet.
oxnv[n].ooccxx
The Emotet payload is a Windows Dynamic Link Library (DLL) file. Our analysis shows that it was compiled just before the email for this campaign was sent out.
Figure 10. Emotet file timestamp.
Unusually, this DLL has over 270 export functions!
Figure 11. A partial list of export functions.
As can be seen in Figure 11, the function names are randomized. The vast majority do nothing but return to the caller. This appears to be an anti-analysis/anti-debugging technique.
Figure 12. Typical export function.
Figure 13. The same function as code.
When executed, “oxnv[n].ooccxx” is copied to a randomly named directory under “C:\Windows\System32” and then renamed to an equally random name. The regsvr32.exe process is restarted to use the renamed file in its new location.
Figure 14. Randomly named directory under “C:\Windows\System32”.
Figure 15. Randomly named DLL inside a randomly named directory.
Figure 16. Process restart.
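As an added example (not FortiGuard Labs’ code), the following Python turns the execution-chain traits described above into detection heuristics for process-creation events: regsvr32.exe launched with /S on a module that has a non-DLL extension or a relative path, a module run from a random subdirectory of System32, or regsvr32 spawned by an Office application. The event records are constructed, and the directory and file names in them are invented placeholders rather than values from the sample.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class ProcEvent:  # constructed record shape, loosely modelled on a process-creation log entry
    image: str
    command_line: str
    parent_image: str

DLL_EXTS = {".dll", ".ocx", ".ax", ".cpl"}  # what regsvr32 is normally asked to register
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# <drive>:\Windows\System32\<random dir>\<file>: the staging location described above
SYS32_SUBDIR = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\\[^\\]+$", re.I)

def regsvr32_target(command_line: str) -> Optional[str]:
    # Return the module path passed to regsvr32, ignoring switches such as /S or /i:...
    args = [a.strip('"') for a in re.findall(r'"[^"]*"|\S+', command_line)][1:]
    modules = [a for a in args if not a.startswith(("/", "-"))]
    return modules[-1] if modules else None

def regsvr32_findings(ev: ProcEvent) -> List[str]:
    """Heuristics for the loader behaviour in this campaign; an empty list means nothing odd."""
    if ntpath.basename(ev.image).lower() != "regsvr32.exe":
        return []
    target = regsvr32_target(ev.command_line)
    if target is None:
        return ["regsvr32 started without a module argument"]
    findings = []
    ext = ntpath.splitext(target)[1].lower()
    if ext not in DLL_EXTS:
        findings.append(f"module has non-DLL extension {ext or '(none)'}")
    if not re.match(r"^([a-z]:\\|\\\\)", target, re.I):  # not a drive or UNC path, e.g. ..\file
        findings.append("module given as a relative path")
    if SYS32_SUBDIR.match(target):
        findings.append("module lives in a subdirectory of System32")
    if ntpath.basename(ev.parent_image).lower() in OFFICE_APPS:
        findings.append("spawned by an Office process")
    return findings

# Constructed events mirroring the chain above: Excel launching the dropped file, the self-restart
# from a random System32 subdirectory, and a benign registration for contrast.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx",
              r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    ProcEvent(r"C:\Windows\System32\regsvr32.exe",
              r'"C:\Windows\System32\regsvr32.exe" "C:\Windows\System32\Qhzkwplo\Trmvayqn.dll"',
              r"C:\Windows\System32\regsvr32.exe"),
    ProcEvent(r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe /s C:\Windows\System32\msxml3.dll",
              r"C:\Windows\System32\msiexec.exe"),
]
```

Run `regsvr32_findings` over each entry in `SAMPLE_EVENTS`: the first two yield findings, the benign msxml3.dll registration yields none.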
Once Emotet is up and running, it attempts to contact one of its Command and Control (C2) server nodes. In this case, 20 possible IPs are used (shown in the IOC section below). The malware loops through each sequentially until contact is made. If the attempts are unsuccessful, it pauses and then cycles through again for as long as required.
Conclusion
The spectre of the IRS is not a new phishing lure, especially during tax season. Even though the IRS will never initiate contact with taxpayers by email, few things motivate recipients to act (and, as a result, be less cautious) than thinking the IRS has contacted them. This threat is especially interesting because it was delivered outside the usual time frame for tax-based phishing. It is also a warning that when you receive an unusual email like this, it is best to treat it with caution because Emotet and other similar threat actors will be hoping that fear will cause caution to be abandoned.
Fortinet Protections
Fortinet customers are already protected from this malware through FortiGuard’s Web Filtering, AntiVirus, FortiMail, FortiClient, and FortiEDR services, as follows:
The following (AV) signatures detect the malware samples mentioned in this blog:
MSExcel/Agent.DKF!tr.dldr
W32/Emotet.PACA!tr
The WebFiltering client blocks all network-based URIs.
Fortinet has multiple solutions designed to help train users to understand and detect phishing threats:
The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.
In addition to these protections, we suggest that organizations have their end users undergo our FREE NSE training: NSE 1 – Information Security Awareness. It includes a module on Internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks.
IOCs
File-based IOCs:
Filename | SHA256
K-1 form.zip | be2bb6f684cd23a66667a563a78ebfa43de4bb958dc0465a830229a9b927b714
K-1.xls | 8c3cfdd7e1e162129eedf2c3d9f6f63c133622bfe5d04bccbd823486a85b69ed
oxnv[n].ooccxx | 9efdbe83c874a14282b0105fcec8dc46d9ba1de6496f5d570fa14915b8fd3285
Network-based IOCs:
IOC | IOC type
hXXp://www[.]spinbalence[.]com/admin3693/Z6WQpmNRNj6041fU2zpt/ | C2
hXXp://kabaruntukrakyat[.]com/wp-content/ES/ | C2
hXXps://chobemaster[.]com/INFECTED/LEdXM4gdwN4mgnlC/ | C2
hXXp://cngst[.]com/data/fXWpDbJ3KwAybE/ | C2
Source: https://www.fortinet.com/blog/threat-research/the-taxman-never-sleeps