Tax-themed phishing emails targeting CTOs of tech companies have been spotted by researchers at Talos, Cisco’s security intelligence and research group.
The initial emails, sent from a spoofed .gov email address, claimed that the recipient’s federal tax payment was received, and that they could print out a receipt: a Word document attached to the email.
This first run obviously wasn’t very successful, so the attackers changed the text for the later attempts, saying that the payment was not received and that the recipient should download and edit the attached “confirmation file” and send it back to the sender.
In both cases, the attached file was a specially crafted Word document that instructed users to enable MS Office macros in order to view its contents (macros are disabled by default).
But, by doing that, the recipients would allow the document to drop several malicious files, which ultimately led to a variant of the Vawtrak banking Trojan being downloaded onto the target’s computer.
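The lure above relies on the attachment carrying a VBA project, which is something a mail gateway can check before the recipient is ever asked to enable macros. The following is an added example, not code from the article or from Talos: it triages Office attachments, reports OOXML (zip-based) documents that contain a vbaProject.bin part or declare a macro-enabled content type, and routes legacy OLE2 binary .doc files to a full OLE scanner (such as oletools’ olevba), since their VBA storage cannot be read without parsing the compound file. The attachment names, the triage function and the in-memory sample documents are constructed for this example.

```python
"""Mail-gateway style triage of Office attachments for embedded VBA macros.

Added example, not part of the original article. Sample attachments are
constructed in memory at the bottom so the script runs offline.
"""
import io
import zipfile

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy binary .doc/.xls header
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm) container
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-office.vbaProject",
)


def classify_attachment(filename, data):
    """Return (verdict, reason) for one attachment blob.

    verdict is one of: 'macro', 'no-macro', 'needs-ole-scan', 'unknown'.
    """
    if data.startswith(OLE2_MAGIC):
        # Legacy binary format: VBA lives in an OLE storage (e.g. 'Macros'
        # for Word). Reading it needs a full OLE parser, so hand the file
        # to that scanner instead of guessing here.
        return "needs-ole-scan", "OLE2 compound file (%s)" % filename
    if not data.startswith(ZIP_MAGIC):
        return "unknown", "not an Office container"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            # A macro-enabled OOXML document always carries the VBA project part,
            # whatever extension the sender gave the file.
            vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
            if vba_parts:
                return "macro", "contains " + vba_parts[0]
            # Belt and braces: the content types manifest also declares
            # the macro-enabled main part.
            if "[Content_Types].xml" in names:
                manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                for ctype in MACRO_CONTENT_TYPES:
                    if ctype in manifest:
                        return "macro", "declares " + ctype
    except zipfile.BadZipFile:
        return "unknown", "corrupt zip container"
    return "no-macro", "OOXML without VBA project"


def triage(attachments):
    """Classify a mapping of filename -> bytes, e.g. one message's attachments."""
    return {name: classify_attachment(name, blob) for name, blob in attachments.items()}


def build_ooxml(with_macro):
    """Construct a minimal OOXML document in memory (sample data for this example)."""
    plain_main = ("application/vnd.openxmlformats-officedocument."
                  "wordprocessingml.document.main+xml")
    main_ctype = MACRO_CONTENT_TYPES[0] if with_macro else plain_main
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types><Override PartName="/word/document.xml" '
                    'ContentType="%s"/></Types>' % main_ctype)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is itself an OLE2 file; a stub is enough
            # for the presence check demonstrated here.
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 8)
    return buf.getvalue()


# Constructed sample attachments: a macro-enabled lure, a clean document,
# a legacy binary .doc and an unrelated text file.
SAMPLE_ATTACHMENTS = {
    "receipt.docm": build_ooxml(True),
    "receipt.docx": build_ooxml(False),
    "confirmation.doc": OLE2_MAGIC + b"\x00" * 504,
    "notes.txt": b"plain text, nothing to see",
}

if __name__ == "__main__":
    for name, (verdict, reason) in triage(SAMPLE_ATTACHMENTS).items():
        print("%-18s %-15s %s" % (name, verdict, reason))
```

A gateway built on this logic would quarantine or strip anything classified as `macro` from external senders and pass `needs-ole-scan` files to an OLE-aware scanner; the extension is deliberately ignored, because the attacker chooses it.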
While I doubt that this campaign has had much success given the technical profile of the targets, everyone can have a moment of distraction and do what they usually wouldn’t, so it’s good to remind oneself to always be on high alert when checking out received emails.
Vawtrak is a Trojan aimed at collecting targets’ login credentials for (mostly) online banking services offered by a huge number of financial institutions around the world, but also for several of the most popular Internet services (Facebook, Twitter, etc.) and retail websites such as Amazon.
Trend Micro researchers have also recently warned about FedEx and American Airlines-themed spam campaigns using this same approach (social engineering + Word document that requests macros to be enabled) and delivering the same malware (Vawtrak).