The Internal Revenue Service (IRS) is the U.S. federal tax administration and collection agency.
In early November, threat actors sent a phishing email that appeared to come from the United States IRS.
The phishing email was discovered by FortiGuard and had been sent by the Emotet group from a compromised email account in Pakistan.
The email, with the subject "IRS Tax Forms K-1", carries two attachments that require a password to unpack.
The attached file copies itself into the "Templates" directory and then relaunches the copy.
It contains a malicious Excel 4.0 macro that executes within an unprotected workbook and holds URL fragments used to download additional payloads.
The Emotet payload is downloaded via regsvr32.exe using the command "%WINDIR%\System32\regsvr32.exe /S ..\oxnv[n].ooccxx".
Emotet is a DLL file that uses anti-analysis and anti-debugging techniques and has over 270 export functions.
Once Emotet is running, it tries to contact its C2 server nodes.
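As an added illustration (not code from the FortiGuard or Glesec report), the following Python function flags process-creation events that match the execution chain described above: regsvr32.exe launched silently from an Office process against a module with a non-.dll extension under a relative path or the Templates folder. The pipe-separated log format and the sample events are constructed for this example.

```python
import re

# Constructed sample process-creation events (not from the original report):
# each line is "parent_image|image|command_line".
SAMPLE_EVENTS = [
    r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|C:\Windows\System32\regsvr32.exe|C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx",
    r"C:\Windows\explorer.exe|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s C:\Windows\System32\vbscript.dll",
    r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|C:\Windows\System32\regsvr32.exe|regsvr32.exe /S C:\Users\alice\AppData\Roaming\Microsoft\Templates\oxnv2.ooccxx",
    r"C:\Windows\explorer.exe|C:\Program Files\Vendor\setup.exe|setup.exe /quiet",
]

OFFICE_PARENTS = ("excel.exe", "winword.exe", "powerpnt.exe")
# Captures any /flags and the final module argument of a regsvr32 command line.
REGSVR_ARG = re.compile(r"regsvr32(?:\.exe)?\s+(?P<flags>(?:/\S+\s+)*)(?P<target>\S+)", re.IGNORECASE)


def parse_event(line):
    parent, image, cmdline = line.split("|", 2)
    return {"parent": parent, "image": image, "cmdline": cmdline}


def suspicious_regsvr32(event):
    """Return a reason string if the event matches the Emotet loader pattern, else None.
    Heuristics taken from the report: regsvr32.exe spawned by an Office process, the silent
    /S flag, a module under a relative path or the Templates folder, and a non-.dll extension."""
    if not event["image"].lower().endswith("regsvr32.exe"):
        return None
    m = REGSVR_ARG.search(event["cmdline"])
    if not m:
        return None
    target = m.group("target").strip('"')
    reasons = []
    if event["parent"].lower().endswith(OFFICE_PARENTS):
        reasons.append("spawned by Office process")
    if "/s" in m.group("flags").lower():
        reasons.append("silent /S flag")
    if target.startswith("..") or "\\templates\\" in target.lower():
        reasons.append("module loaded from relative or Templates path")
    if not target.lower().endswith(".dll"):
        reasons.append("module without .dll extension")
    # Require the Office-parent signal plus at least one more indicator to limit false positives.
    if "spawned by Office process" in reasons and len(reasons) >= 2:
        return "; ".join(reasons)
    return None


def scan(lines):
    """Return (line_index, reason) for every event flagged as suspicious."""
    hits = []
    for i, line in enumerate(lines):
        reason = suspicious_regsvr32(parse_event(line))
        if reason:
            hits.append((i, reason))
    return hits
```

Running `scan(SAMPLE_EVENTS)` flags the two Office-spawned events and ignores the legitimate regsvr32 registration of a system DLL.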
Glesec Information Sharing Protocol
GLESEC CYBER SECURITY INCIDENT REPORTS are in compliance with the U.S. Department of Homeland Security (DHS) Traffic-Light Protocol (TLP).