In the United States, tax season starts on January 1 and Americans are required to complete their annual tax returns before the April 15, deadline. As is customary at this time of year, new IRS tax refund spam email campaigns have been launched by cybercriminals.

During the first quarter of the year employees must get their tax documents from their employers and collect and collate all paperwork relating to their earnings over the year. Many dread having to pay out thousands of dollars in tax, but for some there is some good news.

The IRS has been sending emails to millions of Americans telling them that their previous tax returns have been assessed and they are due for a tax refund. The notifications have arrived by email and details of the refund are contained in an email attachment. All the recipient needs to do is to open the attached file to find out how much money they are due to have refunded.

Unfortunately, the email notifications are bogus and have not been sent from the IRS. This is just the latest IRS tax refund spam campaign to be launched by cybercriminals. The email is anything but good news. The IRS tax refund spam email contains a zip file, but instead of details of a refund, the file contains a rather nasty selection of malware and ransomware. Worse still, the batch of malware is sophisticated and capable of evading detection. The malware remains resident in the memory of the device used to open the email attachment. The mail recipient is unlikely to discover their device has been infected until it is too late.

If anti-spam solutions have been installed the IRS tax refund spam emails should be caught and quarantined. Even if not, some users will have to try hard to infect their devices. If security software has been installed on the device, opening the attachment should result in warnings being issued. The user will need to ignore those warnings before proceeding. Many do just that. The attraction of a tax refund after overspending at Christmas is too difficult to resist.

For many users the latest strains of malware included in the zip file will not trigger AV engines and even some anti-malware software programs will not identify the files as being malicious. The threat to businesses is therefore serious. If the attachment is opened and run, the malware will be installed and granted the same network and device privileges as the user.

IRS tax refund spam contains CoreBot and the Kovter Trojan

Opening the email attachment will deliver the latest strain of the Kovter Trojan. Kovter is not installed on the computer’s hard drive as commonly occurs with malware. This makes it much more difficult to detect. Instead, malicious code is run with the malware residing in the memory. Memory resident malware does not tend to persist. Once the infected computer is rebooted, the malware doesn’t reload. However, in the case of Kovter it does. Kovter is reloaded via the registry each and every time the computer is booted. Kovter is fileless malware that runs commands via Powershell in a similar fashion to Poweliks. If a computer does not have Powershell installed, the user is not protected. Kovter will just download it and install it on the device.

Kovter is not new of course. It was first identified two years ago, but it has since evolved to evade detection. In addition to being used to deliver ransomware, which locks the computer until a ransom is paid, it is also being used to perform click-fraud and generate revenue for the hackers via CPC campaigns.

Kovter is known to be used on an affiliate basis. Any individual who signs up is paid based on the number of devices they are able to infect. Cybercriminals have been spreading infections via a range of exploit kits such as Angler, Neutrino, and Fiesta. The IRS tax refund spam attack is a new way of getting the malware installed on devices.

The zip file also installs CoreBot; a particularly nasty malware that poses even bigger problems for businesses. If employees are fooled by the IRS tax refund spam and open the zip file, CoreBot can prove particularly problematic to detect, and can potentially cause a lot more damage. CoreBot is a modular malware that can have additional functions added by hackers as and when they desire. It has previously been used as a data stealer, although recently it has been used for man-in-the-middle-attacks on financial applications and web services. The malware is capable of stealing banking credentials and login information. It can also be used to exploit new zero-day vulnerabilities.

It security professionals should be wary and should warn their company’s employees of the tax refund spam, and instruct them not to open any zip file attachments, or any email attachments that have been sent from unknown senders. The IRS will not notify individuals of a tax refund in this manner. Any IRS email with a file attachment is likely to be spam and contain malware.