Malspam Duet: Tax Season Phishing Campaigns Deliver LokiPWS and Emotet Malware


March 30, 2022


Every year during tax season, throngs of threat actors and scammers try to defraud the unwary by compromising their devices and data via phishing emails mimicking official tax-related correspondence.

According to researchers at Bitdefender Labs, malicious actors have been busy in the past week pursuing taxpayers across the globe in targeted malicious spam campaigns delivering two infamous credentials-stealing Trojans: LokiPWS and Emotet.

Campaign 1: Unpaid VAT and Loki password stealer

LokiPWS is a Trojan mainly targeting Windows and Android devices to steal sensitive information including usernames and passwords, cryptocurrency wallet data, and other credentials. Like many information-stealers, LokiPWS lets attackers steal sensitive data from infected machines leading to severe privacy issues and financial damage for its victims.

The first malspam campaign delivering LokiPWS was spotted on March 14, with 93% of the malicious emails originating from IP addresses in the US.

The attacks spread to Europe and Asia, with 27% of the malicious emails landing in inboxes in the Czech Republic. South Korea received 15% of the malicious emails, followed by Ireland with 13%, India with 10%, the UK with 5%, and Romania, Hungary and Greece with 3% each. Additionally, 2% of the malicious emails ended up in inboxes in Ukraine and Germany.

The messages, which purport to come from the "Domestic Tax Department", ask recipients to open an attachment named "Obligation Value Added Tax.rar" for more details about their unpaid VAT.

A second attempt at delivering LokiPWS was flagged by our researchers on March 18. Once again, 90% of the malicious emails were sent from IP addresses in the US. The threat actors focused on Ireland, which received 23% of the malicious emails by volume, followed by India with 16%, the UK and the Netherlands with 7% each, the US with 5%, and Denmark and Germany with 4% each.

The attackers updated the email body to include the tax period and a larger VAT amount, and renamed the attachment to "payment defaulter&VAT1.rar".

Campaign 2: Emotet strikes ahead of tax filing deadline in the US

Since its appearance in 2014, the notorious banking Trojan Emotet has wreaked havoc across the globe, becoming a renowned malware-as-a-service (MaaS) provider used to distribute third-party malicious payloads onto infected devices.

On March 18, Emotet operators began sending thousands of malicious emails impersonating the Internal Revenue Service to American users. The first batch of phishing emails sent from IP addresses in Japan (37%) and Mexico (23%) mainly targeted the US, which received 89% of the entire volume of malicious correspondence. 6% also ended up in UK inboxes.

The attackers use a W-9 tax form, delivered as a .zip attachment, as bait to infect unwary recipients. They keep the email body plain and simple, adding a look of legitimacy to the correspondence by including the IRS logo and contact information.

A second attempt at compromising users was noticed the same day. The same attackers used a variation of the initial phishing emails, updating the attachment to a K-1 IRS form.
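Both campaigns share one lure pattern: tax-themed text (VAT notice, W-9, K-1) paired with an archive attachment, sent under a tax-authority display name from an unrelated domain. The following triage rule is an added example modelled on that pattern, not Bitdefender Labs' own detection logic; the sample messages are constructed from the attachment names above, and the sender domains and allowlist are assumptions.

```python
# Added example, not Bitdefender Labs' tooling: a mail-gateway style triage
# rule for the lure pattern shared by both campaigns (tax-themed text plus an
# archive attachment, or a tax-authority display name sent from an unrelated
# domain). Sender domains and the allowlist below are assumptions.
import re
from dataclasses import dataclass, field

ARCHIVE_EXT = (".rar", ".zip", ".7z")
TAX_TERMS = re.compile(
    r"\b(vat|value added tax|irs|internal revenue service|w-?9|k-?1|tax)\b", re.I)
AUTHORITY_NAME = re.compile(
    r"\b(irs|internal revenue service|domestic tax department)\b", re.I)
AUTHORITY_DOMAINS = {"irs.gov"}  # assumed allowlist; extend per jurisdiction


@dataclass
class Email:
    sender_name: str
    sender_domain: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def triage(msg: Email) -> list:
    """Return the reasons a message should be quarantined (empty = deliver)."""
    reasons = []
    text = " ".join([msg.subject, msg.body, *msg.attachments])
    archives = [a for a in msg.attachments if a.lower().endswith(ARCHIVE_EXT)]
    if archives and TAX_TERMS.search(text):
        reasons.append("tax lure with archive attachment: " + ", ".join(archives))
    if AUTHORITY_NAME.search(msg.sender_name) and \
            msg.sender_domain.lower() not in AUTHORITY_DOMAINS:
        reasons.append(f"display name '{msg.sender_name}' sent from {msg.sender_domain}")
    return reasons


# Constructed samples modelled on the two campaigns, plus one benign message.
SAMPLES = [
    Email("Domestic Tax Department", "example-mail.test", "Unpaid VAT",
          "Review the attached notice for your unpaid VAT for the period.",
          ["payment defaulter&VAT1.rar"]),
    Email("Internal Revenue Service", "example-mail.test", "W-9 form",
          "Please complete the attached W-9 form.", ["W-9 form.zip"]),
    Email("Payroll", "corp.example", "Lunch menu", "Menu for next week attached.",
          ["menu.pdf"]),
]

if __name__ == "__main__":
    for m in SAMPLES:
        verdict = "QUARANTINE" if triage(m) else "deliver"
        print(f"{verdict:10} {m.subject!r}: {triage(m)}")
```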

How to protect against tax-season scams and malicious phishing

With nearly a month until the April tax season deadline in the US, taxpayers should expect increased malicious activity and prepare accordingly.

While all Bitdefender customers benefit from real-time detection against LokiPWS and Emotet, we urge users to closely inspect any IRS-related correspondence they receive via email, text or direct messages on social media platforms.

In addition to a dedicated security solution to fend off phishing and malware, proper cyber hygiene is crucial to avoid falling victim to fraudsters and tax-related schemes:

  • Never respond to unsolicited correspondence posing as legitimate IRS notifications
  • Don’t provide banking information, PIN codes or passwords
  • Check for spelling and grammar mistakes
  • Don’t open attachments or click on embedded links
  • Always use complex and unique passwords for all your accounts, and enable two-factor authentication where possible

With Bitdefender Total Security and XEDR, users and businesses enjoy the best anti-malware protection, threat detection and response against e-threats across all major operating systems. The real-time protection feature included in our security software protects against new and existing e-threats, including viruses, worms, Trojans, ransomware, zero-day exploits and spyware, keeping you and your data safe.

Note: This article is based on technical information courtesy of Bitdefender Labs
