As tax deadlines approach, Emotet malware disguises itself in an IRS email

As tax deadlines approach, Emotet malware disguises itself in an IRS email

With just a few weeks until the April 15 deadline for US individuals and businesses to file their tax returns, scammers are as busy as ever.

Security researchers at Cofsense have warned that they have seen a number of malicious email campaigns which pose as communications from the Internal Revenue Service (IRS).

The emails which purport to come from “”, claim to contain tax forms (such as a W-9) that need to be filled out by the recipient.

However, in truth the bogus emails are an attempt to infect the PCs of unsuspecting computer users with the notorious Emotet malware.

Emotet is an extremely advanced family of malware, which is capable of dropping other malware onto users’ computers.

First rearing its ugly head in 2014 as a banking Trojan horse, Emotet has evolved over the years, sometimes updating itself multiple times a day, as it becomes more sophisticated in its attempt to bypass defences and hit as many victims as possible.

In the latest campaigns, potential victims are duped into opening email attachments and then enabling macros in Office documents which will download and install further malware, and attempt to spread across your company network.

On many occasions Emotet has been deployed by cybercriminals as part of an attempt to ultimately hit an organisation with ransomware, and demand a large ransom.

In an attempt to avoid detection by email-scanning defences, the attachments in some of the latest IRS-related campaigns have been packaged in a password-protected .ZIP archive.



Your email gateway-scanning solution may not know the password that has been used to compress the attachment, but it is contained in the message body – which is enough for a reckless user to decompress the archive file and open its contents.

Bleeping Computer reports that the .ZIP files contain an Excel spreadsheet called “W-9 form.xlsm” which, when opened, prompts the user to enable macros.



Unfortunately, following the boobytrapped spreadsheet’s instructions leads to malicious code being activated.

In the past the IRS has made clear that it never sends out emails about tax refunds or sensitive financial information.

The IRS has published advice on what you should do if you receive a suspicious IRS-related message.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Leave a Reply

Your email address will not be published. Required fields are marked *