U.S. Internal Revenue Service Themed Phishing Campaign Delivers Emotet


  • ransom-4


Internal Revenue Service (IRS) is a federal tax administration and collection agency.

In early November, Threat actors sent a phishing email that appeared to be from United States IRS.

This phishing email was discovered by FortiGuard and had been sent by Emotet group using a compromised email account in Pakistan.

This Email consists of two attachments with the subject "IRS Tax Forms K-1" and requires a password to unpack.

The file copies itself into the "Templates" directory and later relaunches the file.

It consists of a malicious Excel 4.0 macro that executes within a workbook that isn't protected and contains URL fragments that download additional payloads.

Emotet payload is downloaded via regsvr32.exe using the command "%WINDIR%\System32\regsvr32.exe /S ..\oxnv[n].ooccxx".

Emotet is a DLL file that utilizes anti-analysis/debugging method and has over 270 export functions.

After Emotet is running, It tries to contact C2 server nodes.

SkyWatchSM Alert Legend

  • small-bell


  • active-threat0-lt-green

    Active Threat

  • malware-lt-green


  • ransome-lt-green


  • warning-green


  • file-green


Glesec Information Sharing Protocol

GLESEC CYBER SECURITY INCIDENT REPORTS are in compliance with the U.S. Department of Homeland Security (DHS) Traffic-Light Protocol (TLP).

  • TLP-White

    Disclosure is Not Limited.

  • TLP-Green

    Limited Disclosure, Restricted Only to the Community.

  • TLP-Amber

    Limited Disclosure, restricted to the Participant's Organization.

  • TLP-Red

    Not for Disclosure, Restricted/ Classified - Only Shared with US DHS.

Discover Glesec.

Authority. Consistency.

Sign-up today for SkywatchSM Alerts.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.