US taxpayers are being cautioned by security experts regarding a recent phishing campaign that involves Emotet.
The campaign involves impersonating W-9 tax forms that appear to have been sent by the Internal Revenue Service or one’s employer.
Since Form W-9 requires personal information such as name, address, and Tax Identification Number, this particular campaign poses a major threat to US citizens.
First reported by Malwarebytes, the Form W-9 is “being used to lure people to download something sinister.”
Jerome Segura, Senior Director of Threat Intelligence at Malwarebytes, uncovered an email purporting to come from the “IRS Online Center,” carrying an attachment of more than 500MB named “IRS Tax Forms W-9.”
“You won’t find many genuine Word documents weighing in at 500MB or more. In fact, a file size of 500MB is a potential indicator that Emotet is lurking in the background.”
— Malwarebytes
Emotet malware operations frequently come out with targeted phishing campaigns that coincide with the holiday season and annual business events, such as the ongoing U.S. tax season.
The good news is that, because Microsoft now blocks macros by default, users are less inclined to enable them, which reduces the likelihood of infection through malicious Word documents.
Sadly, many users tend to disregard these alerts and directly authorize the files to run.
Once the macro runs, the VBScript retrieves the Emotet DLL and loads it using regsvr32.exe.
After that, the malware operates silently in the background, harvesting the user’s emails and contact details while waiting for additional payloads to be installed on the device.
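The two indicators the article describes, an implausibly large Office attachment and regsvr32.exe loading a DLL from a user-writable path on behalf of a script host, can be turned into simple triage checks. The following is an added example, not code from Malwarebytes or the article; the telemetry field names (image, parent_image, command_line) and the sample events are assumptions constructed for illustration, so adapt them to your own EDR or Sysmon schema.

```python
from pathlib import PureWindowsPath

# Attachment-size heuristic from the article: genuine Word files are rarely 500MB or more.
OVERSIZED_DOC_BYTES = 500 * 1024 * 1024
DOC_EXTENSIONS = {".doc", ".docm", ".docx"}

# Parents that should not normally be registering DLLs via regsvr32 (assumed process names).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "winword.exe"}
# Path fragments that indicate a user-writable location rather than a vendor install directory.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def oversized_office_attachment(filename: str, size_bytes: int) -> bool:
    """True when an Office attachment is implausibly large (the padding trick the article notes)."""
    suffix = PureWindowsPath(filename).suffix.lower()
    return suffix in DOC_EXTENSIONS and size_bytes >= OVERSIZED_DOC_BYTES


def suspicious_regsvr32(event: dict) -> bool:
    """Flag regsvr32.exe spawned by a script host or Word to load a DLL from a user-writable path."""
    image = PureWindowsPath(event.get("image", "")).name.lower()
    parent = PureWindowsPath(event.get("parent_image", "")).name.lower()
    cmdline = event.get("command_line", "").lower()
    if image != "regsvr32.exe" or parent not in SCRIPT_HOSTS:
        return False
    return any(fragment in cmdline for fragment in USER_WRITABLE)


def triage(events: list) -> list:
    """Return the ids of process-creation events that match the regsvr32 pattern."""
    return [event["id"] for event in events if suspicious_regsvr32(event)]


# Constructed sample process-creation telemetry (not real logs).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\form.dll"},
    {"id": 2, "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"regsvr32.exe /s C:\Program Files\Vendor\component.dll"},
]

if __name__ == "__main__":
    print("flagged regsvr32 events:", triage(SAMPLE_EVENTS))
    print("oversized W-9 attachment:", oversized_office_attachment("IRS Tax Forms W-9.doc", 512 * 1024 * 1024))
```

Only the first sample event is flagged: it is regsvr32 launched by wscript.exe against a DLL under the user's Temp folder, whereas the installer-driven registration from Program Files is left alone.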
#IRS WARNING: New phishing malware, known as Emotet, poses as banks and financial institutions to trick people. https://t.co/R2QqYwSUN3
— IRSnews (@IRSnews) December 3, 2018
“Emotet has been around since 2014. Originally created as a banking Trojan, later versions added malware delivery and spam services,” said Chris Boyd, the malware intelligence analyst at Malwarebytes.
The malware is mostly distributed through email spam campaigns, with many of the lure emails posing as parcel shipment notifications, invoices, and payment forms.