'Employee Retention Credit' Email Virus

A new email spam campaign spreading the TrickBot Trojan has been detected. Thousands of weaponized emails are being disseminated with the main targets being U.S.-based users, judging by the fake message used as bait. To get users to interact with the corrupted email attachment, the threat actors have crafted the spam emails to appear as if they are coming from the IRS (Internal Revenue Service) concerning changes to the Employee Retention Credit policies adopted as a response to the COVID-19 pandemic. The IRS is the United States Agency for enforcing the federal statutory tax law and collecting taxes. In turn, the Employee Retention Credit is a legitimate business relief measure that allows eligible employers to receive a refundable tax credit based on certain specifications. 

The claims made in the fake 'Employee Retention Credit' emails, however, are fabricated completely. Their only purpose is to trick the user into opening the attached Microsoft Office Excel document that supposedly contains the newly enacted policies. Instead, the file triggers the attack chain that ultimately drops the TrickBot Trojan on the user's computer.

TrickBot is a versatile Trojan threat that is mainly geared towards information collecting but can be modified to perform a multitude of threatening activities. The information harvested by the threat includes system details, Internet cookies, browsing history, account credentials, auto-fill information, and other sensitive data saved into the browser. The Trojan can conduct phishing operations by scraping the information entered by the user as log-in credentials on various websites. In addition, TrickBot can also obtain the PIN codes of specific US telecommunication service provides which gives the hackers access to the phone numbers of their victims. Newer TrickBot Trojan versions have also been equipped with screen-locker capabilities - the threat will stop the user from accessing the infected device by locking its screen and then demand a ransom.