Phishing Campaign Impersonates U.S. Treasury To Steal Taxpayer Credentials


Researchers found a Covid-19-related spam campaign that impersonates the U.S. Treasury Department and steals taxpayers' credentials using a remote access trojan. The fake letter from the Treasury Department tricks the taxpayer into contacting Treasury and updating their personal information in exchange for a payment that was being held up in their name. The email, which has the subject line "U.S. DEPT. OF TREASURY/PAYMENT" and a "CONTRACT PAYMENT.zip" attachment, states that the funds will go to Covid-19 relief efforts if the victim does not contact Treasury by May 30.

Researchers originally identified the malware as the Adwind RAT, but it is actually a newly discovered Node.js-based remote access trojan. This malware, called QNodeService, was analyzed by researchers at Trend Micro. The malware hidden in the weaponized attachments can access saved passwords, microphones and webcams, and can log keystrokes.


Hackers are using it to steal login credentials, credit card details and other sensitive information. Users who are tricked into installing the malware may become victims of identity theft, lose access to personal accounts, suffer monetary loss, or experience serious problems related to online privacy. Researchers recommend not taking such emails seriously and not opening any suspicious-looking files that promise unexpected payments.