silversurfer
Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
- Aug 17, 2014
- 10,057
A new variant of the the NetWire remote access trojan (RAT) is hitching a ride on IRS-themed phishing ploys targeting taxpayers in hopes of snatching victims’ credentials and tax information.
The recently uncovered campaign reveals the RAT’s operators swapping up infection tactics to use a legacy Microsoft Excel 4.0 Macro, helping them sidestep detection and analysis efforts. The NetWire variant’s payload has also been given a facelift, with improved keylogger and credential-collecting features.
“In this new variant, I noticed that it has improved its feature that collects credentials from the victim’s system,” said Xiaopeng Zhang, with Fortinet in a Tuesday analsysis. “It also fixed some bugs in the keylogger, which were wrongly recorded Esc as Ctrl in previous versions.”
NetWire has been spreading widely over the past few years, focused on stealing credential information, logging keystrokes and stealing hardware information. This latest campaign extends these capabilities by targeting taxpayers (many of whom are in the midst of the extended tax deadline) specifically, aiming to capture their screens as they fill out tax forms, check their online bank accounts, or write private emails, Zhang warned.
The malspam emails purport to contain an important Internal Revenue service (IRS) letter about 1040 and W2 U.S. tax forms. The emails come with an OLE (Object Linking and Embedding) format Excel file attachment, named “1040 W2 IRS letter.xls.” When the victim clicks on the attachment, a Microsoft Excel sheet opens, which shows some obfuscated IRS forms in the background, with an aim to make the file appear legitimate. Victims are asked to click the “Enable Content” button to show the clear forms – which instead enables the malicious Excel 4.0 Macro to be executed.