IRS spam campaign delivers malware

The end-of-year holidays have come and gone, and holiday scams are for the moment put on hold as tax season is approaching.

TrendLabs warn about the latest spamming campaign delivering malware – emails with the subject “W-2 Form update”, supposedly coming from the IRS, inform users that the form has changed and they need to update it. To do so, they are urged to download the Update.doc file attached to the email.

Upon opening the file, the user finds an embedded PDF file, which is actually an executable taking advantage of the PDF icon. Upon execution, a backdoor is set up on the user’s computer that allows the criminal to execute commands on the machine.

The interesting thing is that the backdoor tries to connect to a a private IP address (192.168.29.1). It is not yet clear if this is because the attacker misconfigured it, or set it up as an attack against a internal network environment.

In any case, users are advised to check with the IRS about the legitimacy of emails claiming to come from their address.