Spoofed IRS notice delivers RAT through link updating trick

The malware delivery trick involving updating links in Word documents is apparently gaining some traction: the latest campaign to use it likely takes the form of fake emails from the Internal Revenue Service (IRS).

spoofed IRS notice delivers RAT

The fake email includes an attachment, supposedly a CP2000 notice, which is sent by the IRS when the income and/or payment information they have on file doesn’t match the information the person reported on his or her tax return. This mismatch could be the result of an error, or an indication that someone else used their name and social security number to file a fraudulent tax return.

Recipients who fall for it and download and open the attached CP2000IRS.doc file are asked to update the document with the data from linked files. If they do, the OLE2 link object embedded in the file will retrieve a malicious HTA script from a compromised FTP server and execute it.

The document exploits the MS Office CVE-2017-0199 vulnerability, fixed last April by Microsoft, but exploited in the wild since January 2017. Obviously, these crooks are still hoping that many users have not yet implemented the patch.

After a successful exploitation of the flaw the script invokes PowerShell to download and execute the actual malware payload: a modified version of the Remote Manipulator System, a remote control application made by a Russian company.

According to Malwarebytes, this RAT has been customised to run without showing the GUI so that the user won’t notice it:


The compromised FTP server from which the script and the payload are retrieved belong to a Norwegian company, which has been notified of the compromise and has hopefully secured it now. The server also hosted other malicious files (estate.xml, qbks.exe), indicating that this is not the only email campaign used to deliver the same RAT.

As always, users are advised to think twice before opening emailed attachments and to carefully inspect unsolicited emails before trusting the message. If in doubt, and the email looks like an official communication, consider verifying its legitimacy by phoning the institution in question for more information – just be sure to source the correct phone number independently of the email.

Don't miss