Continuing with the never ending series of malware downloaders is an email with the subject of IRS Urgent Notification coming or pretending to come from Dick Richardson who pretends to be an IRS Tax Officer. I have seen dozens of these and they all come from random email addresses. Dick Richardson changes his job in different emails. Sometimes he is a tax officer or a Tax Specialist or Tax department manager as well as an official representative<\/p>\n
These must obviously be aimed at US recipients because The UK does not have an IRS service, we have HMRC. But after following the link and downloading the zip file, you are redirected to the UK gov.uk home page. Anyway, this looks like some sort of ransomware from the virustotal reports, but I am not 100% sure which one.<\/p>\n
Update: I am reliably informed this is Shade\/ Troldesh ransomware<\/p>\n
Other subjects include:<\/p>\n
<\/p>\n
They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium-size businesses, with the hope of getting a better response than they do from consumers.<\/p>\n
This is another one of the files that unless you have \u201cshow known file extensions enabled\u201c, can easily be mistaken for a genuine DOC \/ PDF \/ JPG or other common files instead of the .EXE \/ .JS file it really is, so making it much more likely for you to accidentally open it and be infected.<\/p>\n
Realty.tax.division.xls.zip: Extracts to: Realty.tax.division.xls.js Current Virus total detections: Payload Security shows a download from www.metropolisbangkok.com\/assets\/70958ae0\/fonts\/gcdf\/templates\/winscr.exe ( VirusTotal)<\/p>\n
One of the emails looks like:<\/p>\n
From:<\/strong> Dick Richardson <electric@oceanicresources.co.uk><\/p>\n Date:<\/strong> Thu 01\/09\/2021 19:22<\/p>\n Subject:<\/strong> IRS Urgent Notification<\/p>\n Attachment:<\/strong> link in email<\/p>\n Body content:<\/strong><\/p>\n Dear Citizen,<\/em><\/p>\n My name is Dick Richardson, I am the official representative of the Internal Revenue Service, Realty Tax Department.<\/em><\/p>\n My office is responsible for notification of citizens, description of the tax system for them, supporting citizens on issues related to tax<\/em><\/p>\n procedures, arrears, and payments, etc.<\/em><\/p>\n In the present case, I have to notify you that you have the considerable tax arrears pertaining to your property. More specifically, there<\/em><\/p>\n is the tax debt for your realty \u2013 the realty tax. Generally, we make no actions in case of such delays for 4-6 months, but in your context,<\/em><\/p>\n the overdue period comes to 7 months. Thereby, we must take relevant measures to remedy the situation.<\/em><\/p>\n Particularly for your convenience, our specialists have made the full and comprehensive report for you. It contains the full information<\/em><\/p>\n regarding realty tax accrual, your debt (including the total amount), and the chart of overdue payments for each month of the arrears<\/em><\/p>\n period.<\/em><\/p>\n Please download the report directly from the official server of the IRS, going to the link:<\/em><\/p>\n http:\/\/radiotunes.co.uk\/wp-content\/plugins\/simple-social-icons\/index0.html<\/em><\/p>\n Please study the document at the earliest possible moment. Actually, after receiving this message, you have only 1 day to contact your tax<\/em><\/p>\n manager and provide them with the information you get in the report in order to resolve the problem. Differently, significant charges and<\/em><\/p>\n fines may apply.<\/em><\/p>\n Best Regards,<\/em><\/p>\n Dick Richardson,<\/em><\/p>\n Realty Tax Division<\/em><\/p>\n Internal Revenue Service<\/em><\/p>\n There are loads of other sites in the body of alternative emails downloading the .js file. Some include:<\/p>\n <\/p>\n So far I am seeing very few duplicated download sites. I have received almost 250 copies of this, so there are a lot of compromised sites being used in this malspam run delivering ransomware<\/p>\n All these malicious emails are either designed to steal your Passwords, Bank, PayPal or other financial details along with your email or FTP ( web space) log in credentials. Or they are Ransomware versions that encrypt your files and demand large sums of money to recover the files.<\/p>\n All the alleged senders, amounts, reference numbers, Bank codes, companies, names of employees, employee positions, email addresses and phone numbers mentioned in the emails are all random. Some of these companies will exist and some won\u2019t. Don\u2019t try to respond by phone or email, all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found.<\/p>\n The bad guys choose companies, Government departments and organisations with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.<\/p>\n\n