Security experts at Cofense uncovered a phishing campaign that is targeting taxpayers in the United States attempting to infect them with a new piece of malware named Amadey.
The Amadey bot is a quite simple piece of malware that is available for hire for
“The Cofense Phishing Defense CenterTM has detected a new wave of attacks targeting the US taxpayer by delivering Amadey
The phishing messages used in this campaign purport to be from the Internal Revenue Service (IRS), they claim that the recipient is eligible for a tax refund.
In classic social engineering attack, the phishing message presents a “one time username and password” to the victims and urges the user to click the “Login Right Here” button.
The login button is an embedded Hyperlink that points to
Once provided the login credentials, the user will be informed of a pending refund and will be asked to download a document, print and sign it. The signed document has to be sent or uploaded to the portal. Experts discovered that when the user attempts to download the document, he will download a ZIP file that contains
The VBScript drops an executable that downloads and executes another executable. To Amadey malware achieves persistence by setting up a registry entry using the Reg.exe command-line tool.
Once the installation process is concluded, the Amedey bot connects to one of the command and control (C&C) servers via HTTP on port 80 and sends it system diagnostic information, then it waits for further instructions.
The Amedey malware sends back to the server several data, including a unique identifier of the infected system, the malware version, operating system, antivirus software, system name, and username.
The analysis published by Cofense includes the Indicators of Compromise (IoCs).
(SecurityAffairs – APT, hacking)