IRS Emails Promise a Refund But Deliver Botnet Recruitment


The fake emails direct victims to log into a bogus IRS site.

U.S. taxpayers are being offered fake refunds in the latest wave of phishing emails, which ultimately deliver a payload that adds the target machine to the multifunctional Amadey botnet.

Amadey is a relatively new botnet, first noted late in Q1 of 2019, according to Milo Salvia, security researcher at Cofense, writing in an analysis this week. He added that “threat groups like TA505 [the organized crime gang] have been known to leverage the Amadey botnet as recently as July 2019 to deliver secondary malware like FlawedAmmyy RAT and email stealers.”

The attack starts with a malicious email; it purports to be from the Internal Revenue Service (IRS) and claims that the recipient is eligible for a tax refund. The recipient is given a “one-time username and password” and urged to click the “Login Right Here” button. That redirects to a bogus IRS login page where the user is prompted to enter the one-time password.

This logs the target into the fake IRS portal, where they’re told they have a pending refund, and are asked to download a document, print and sign, then either mail it back or upload a copy to the portal.

“When the recipient clicks to download the document, a zip file called ‘’ is presented, which contains a Visual Basic script dropper,” explained Salvia. “The VBScript is highly obfuscated and encrypted. Once executed, the script decrypts itself at run time and drops an executable file called ‘ZjOexiPr.exe’ in C:\Users\Byte\AppData\Local\Temp\.”

In turn, this installs another executable, “kntd.exe,” in C:\ProgramData\0fa42aa593, which starts the malware payload process.

The Amadey process installs itself and, to maintain persistence, uses the built-in command-line registry editor (reg.exe). It issues the command “REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\0fa42aa593”, which repoints the current user’s Startup folder to the directory where kntd.exe lives, so Explorer launches the malware at every logon. Once resident, the bot reaches out to multiple command-and-control (C2) servers via HTTP on port 80, sending system diagnostic information.

The system information includes a system identifier and computer name, the Amadey version, the OS, installed antivirus packages and the user name.

“Known for its simplicity, it is available to hire for a very steep price compared to other commercially available botnets with similar functionality,” Salvia said. That said, its functionality is extremely flexible.

Researchers have seen the bot perform many malicious tasks, such as downloading and executing additional malware, receiving commands from a control server and relaying specific information and telemetry back to the control server, updating or deleting itself, stealing login and password information, logging keystrokes, participating in a Distributed Denial of Service (DDoS) attack or carrying out a ransomware attack.

The FlawedAmmyy RAT is one of Amadey’s many observed payloads. It is based on leaked source code for version 3 of the Ammyy Admin remote desktop software, and its features include remote desktop control, a file system manager, proxy support and audio chat.

“For infected individuals, this means that attackers potentially have complete access to their PCs, giving threat actors the ability to access a variety of services, steal files and credentials, and much more,” Proofpoint researchers said in a blog on the malware last year. “We have seen FlawedAmmyy in both massive campaigns, potentially creating a large base of compromised computers, as well as targeted campaigns that create opportunities for actors to steal customer data, proprietary information, and more.”
