Tax refund report from IRS contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email regarding a tax refund from the IRS. Some of the most common subjects are:

Federal Tax Report #ID9086
IRS Debt tax #ID2046
IRS recalculation the tax ID#1607
Recalculation the tax #ID7277
Your Tax report #ID2029

The email is sent from the spoofed address “International Revenue Service <postal.service@irs.gov>” and has the following body:

IRS notice,

The analysis of the last annual calculations of your fiscal activity has indicated that
you are entitled to receive a tax refund of $243.21
Please submit a request of the tax refund and a processing of the request will take 7-14 days.
A tax refund can be delayed by different reasons.
For instance submission of invalid records or sending after the deadline.

Please find the form of your tax refund attached and fill out it and send a report.

Sincerely,
Internal Revenue Service.

The attached ZIP file is named IRSPROFILE.zip and contains the 50 kB file IRSPROFILE.exe.

The trojan is known as Trojan.MulDrop3.52260, Trojan-Spy.Win32.Zbot!IK, Trojan-Spy.Win32.Zbot or Trojan-Downloader.Win32.Dapato.lox.

At the time of writing, only 4 of the 42 AV engines at Virus Total detected the trojan.

Virus Total permalink and SHA256: a112ea4bd8fa523a26a52756cbb7becaced71a6341b98bf59a3b1fb633a90ea2.
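
With signature coverage this low, a mail gateway can instead match on the campaign traits described above: the subject pattern, the misspelled display name on an irs.gov address, and a ZIP attachment that carries an executable. The following Python sketch is an added example, not MX Lab's own code; the function names, the list of executable extensions and the constructed sample message are assumptions made for illustration.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Subject shapes from the list above: "tax" followed by "#ID1234" or "ID#1234".
SUBJECT_RE = re.compile(r"\btax\b.*(?:#ID|ID#)\d{4}\b", re.I)
EXEC_EXT = (".exe", ".scr", ".pif", ".com")  # assumption: treated as executable

def zip_executables(data):
    """Return names of executable members inside a ZIP attachment."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]
    except zipfile.BadZipFile:
        return ["<unreadable zip>"]  # a malformed archive is flagged, not passed

def match_indicators(raw):
    """Return the indicators matched by one raw RFC 5322 message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.search(str(msg["Subject"] or "")):
        hits.append("subject")
    name, addr = parseaddr(str(msg["From"] or ""))
    # The campaign's display name misspells the agency as "International".
    if addr.lower().endswith("@irs.gov") and name.lower() == "international revenue service":
        hits.append("sender-display-name")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(".zip"):
            for member in zip_executables(part.get_payload(decode=True)):
                hits.append("zip-contains:" + member)
    return hits

def build_sample(subject, sender, member):
    """Constructed message; the archive member holds harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder, not a real binary")
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, sender, "user@example.com"
    msg.set_content("IRS notice, ...")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="IRSPROFILE.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(match_indicators(build_sample("Federal Tax Report #ID9086",
        "International Revenue Service <postal.service@irs.gov>", "IRSPROFILE.exe")))
```

The executable-in-ZIP check is the most durable of the three, since subjects and sender strings change between campaign waves.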