Cybercrime , Fraud Management & Cybercrime , Social Engineering

Phony IRS Emails Promise Refund, But Deliver Botnet Instead

Cofense: Phishing Campaign Helps Spread the New Amadey Botnet
Phony IRS Emails Promise Refund, But Deliver Botnet Instead

A new phishing email campaign promises to deliver a tax refund, but instead helps spread a botnet called Amadey, according to researchers at the security firm Cofense.

See Also: OnDemand | A Master Class on Cybersecurity: Roger Grimes Teaches Data-Driven Defense

These phishing emails are primarily targeting taxpayers in the U.S., enticing them to click on a malicious document purportedly sent by the Internal Revenue Service to get a federal income tax refund. But by clicking on the attached document, the recipient opens the door to the installation of malicious code on their device designed to help the Amadey botnet grow, Cofense reports

The Amadey botnet was spotted in the wild during the first quarter of this year, according to Cofense. The botnet is being used by threat groups, such as TA505 - which is believed to be based in Russia - to deliver Trojans and other types of malware that can be used to steal credentials, data and bank information (see: TA505 Group Hides Malware in Legitimate Certificates).

"Amadey has been used to target multiple geolocations before, including the U.S.,” Milo Salvia, a threat analyst at Cofense, tells Information Security Media Group. “However, this is the first time we have seen them specifically using the IRS as a delivery method, which would suggest that they were specifically targeting a U.S. audience.”

This is the second time in week that Cofense has warned about the spread of a botnet. Earlier, the firm's researchers, along with several other analysts, spotted the re-emergence of Emotet, which sprung back to life after a nearly four-month absence (see: Researchers: Emotet Botnet Is Active Again).

An Enticing Message

This IRS-themed scam starts with an email promising the victim a tax refund, according to the Cofense analysis.

The phishing email presents the victim with a one-time username and password and urged to click a button that says: "Login Right Here." If clicked, this hyperlink leads to a phony IRS webpage, where the victim is then asked to re-enter the password, according to Cofense.

Screen shot of fake IRS email (Image: Cofense)

Once the password is entered, the victim is asked to download a document from a zip file. This malicious document contains a Visual Basic script dropper, which is obfuscated and encrypted, the Cofense researchers found.

That Visual Basic script, once decrypted, drops two different types of executables, which then help install Amadey within the infected device, according to Cofense. Once installed, the botnet uses Reg.exe, a command-line tool for editing the device's registry, to maintain persistence within the infected device and hide its presence, the researchers say.

Anatomy of IRS-themed phishing attack (Image: Cofense)

Once full installed, Amadey sends out information to command-and-control servers to help spread the botnet, Cofense reports. The botnet can deliver malware, including a remote access Trojan called FlawedAmmyy, which can give cybercriminals complete control over a device and allow them to steal data or burrow further into the network, researchers say.

FlawedAmmyy is closely associated with TA505, a group known to target banks and other financial institutions, according to a previous analysis by Proofpoint.


The Amadey botnet is being licensed to other threat groups and cybercriminals, according to Cofense. "Amadey is commercially available with reports of it being sold on dark web forums to anyone who can afford its $600 dollar license fee," Salvia says. "So theoretically, it's accessible to any minor or major threat group who wants to take advantage of it."

The sale of cybercrime tools is thriving on underground markets, according to a recent analysis by cloud security specialist Armor. The analysis not only found malware and ransomware for sale, but also instructions for how to use money mules and gift cards to hide criminal activity information (see: Cybercrime Black Markets: RDP Access Remains Cheap and Easy).

About the Author

Apurva Venkat

Apurva Venkat

Special Correspondent

Venkat is special correspondent for Information Security Media Group's global news desk. She has previously worked at companies such as IDG and Business Standard where she reported on developments in technology, businesses, startups, fintech, e-commerce, cybersecurity, civic news and education.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.