Hackers are once again using the TrickBot banking trojan to exploit the tax season by pushing malicious Microsoft Excel spreadsheet documents via spam campaigns. IBM noticed a few different types of phishing emails are pretending to be from ADP and Paychex which are malicious emails spreading the TrickBot trojan.
“Taxpayers should be on constant guard for these phishing schemes, which can be tricky and cleverly disguised to look like it’s the IRS,” said IRS Commissioner Chuck Rettig. “Watch out for emails and other scams posing as the IRS, promising a big refund or personally threatening people. Don’t open attachments and click on links in emails. Don’t fall victim to phishing or other common scams.”
An IBM security person mentioned:
“Once TrickBot is installed on a potentially vulnerable device and can reach other devices on the network, it can further spread and pivot,” researchers with IBM X-Force warned in a Monday analysis. “Finding only one unaware person in an organization is usually enough for attackers to get their foot in the door.”
How does this work?
When the phishing emails that have the malicious excel document with an embedded macro it will downloaded the the payload files which executes the TrickBot malware.
When the computer is infected with the malware, “the cybercriminals operating it have complete control and can do just about anything they wish on your device, including spreading to other computers on your network and emptying your company’s bank accounts, potentially costing millions of dollars,” researchers said.
Everyone should be wary of tax-related unsolicited emails. Make sure macros are disabled by default in Office documents, block all URL and IP-based IoCs at firewalls and keep all critical and noncritical systems up to date and patched, make sure that you have proper antivirus software in place and follow proper email best practices.