Cybercriminals Spoof Major Accounting and Payroll Firms in Tax Season Malware Campaigns (Apr 8, 2019)
IBM X-Force researchers have identified several tax-themed malspam campaigns that appear to be targeting businesses, with the possibility that those businesses’ customers may be affected as well. The actors behind these campaigns are distributing malspam that masquerades as coming from accounting firms, human resources companies, and payroll organizations operating within the US. The impersonated companies include “ADP,” an HR management and services firm, and the payroll provider “Paychex.” The emails attempt to convince recipients to open a macro-embedded Microsoft Excel document. The heavily obfuscated macro will, if enabled, begin the infection process for the “Trickbot” banking trojan. Trickbot attempts to steal as much data as possible, primarily banking credentials, before sending the information to a Command and Control (C2) server.
Recommendation: The deadline for the US tax season is April 15, and as the tax season winds down, threat actors will be attempting to capitalize on it with tax-themed malicious activity. Everyone in the US should be aware of tax-themed malspam and phishing attempts during tax season. All employees should be educated on the risks of malspam and how to identify such attempts. Poor grammar and urgent content are often indicators of this type of attack. Additionally, messages that ask the recipient to open a file attachment should be avoided.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.