Fake IRS Notifications Deliver Malware Infection
We always see a large spike in IRS-themed malware around the April 15th tax deadline each year. However, many cybercriminals feel that it’s always a good time to invoke the IRS to trick unwary computer users into having their machines infected. In fact, it is quite common that we see a steady diet of IRS-themed malware year round.
Today we are seeing over 10,000 messages per hour being quarantined that claim to be tax notifications from the IRS. These messages are almost comical in their wording, which warns "there are arrears reckoned on your account", but they will still fool some small percentage of those receiving them.
Take a look at the example below:
The messages all have a file attached named Calculations_#54585.zip (with the numeric values randomized). Each archive contains a file named calculations.exe. Once it is executed, the malware opens a backdoor and begins communicating with falcononfly2006.ru via GET requests over port 80. From here, a new infection identified as Trojan.Yandere is installed via the backdoor. This Trojan is associated with the ever-popular Rogue AV malware family.
I know it’s a very frightful feeling to think your arrears have been reckoned, but please resist the temptation and steer clear of this one. As always, we are blocking all known variants of this threat.
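A mail-gateway style check for the attachment traits described above, as an added example that is not part of the original post or the vendor's filter. The function names, the list of executable extensions and the sample messages are assumptions constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment name described in the post: Calculations_#<random digits>.zip
ATTACH_RE = re.compile(r"^Calculations_#\d+\.zip$", re.IGNORECASE)
# Assumption: extensions this example treats as executable content.
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif")


def scan_message(raw):
    """Return a list of quarantine reasons; an empty list means no match."""
    reasons = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        if ATTACH_RE.match(name):
            reasons.append(f"attachment name matches campaign pattern: {name}")
        payload = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            reasons.append(f"unreadable zip attachment: {name}")
            continue
        # The name is randomized per message, so also inspect the archive contents.
        for member in members:
            if member.lower().endswith(EXECUTABLE_EXT):
                reasons.append(f"executable inside {name}: {member}")
    return reasons


def build_sample(attach_name, member):
    """Build a constructed test message; the zip member is placeholder text only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder, not a real executable")
    msg = EmailMessage()
    msg["Subject"] = "Tax notification (constructed sample)"
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("there are arrears reckoned on your account")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=attach_name)
    return msg.as_bytes()
```

Checking the archive contents as well as the file name means a renamed attachment that still carries an executable is flagged.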