A group of criminals is running phishing campaigns that impersonate the Spanish Tax Agency (Agencia Tributaria) by e-mail, reusing templates from earlier campaigns and attaching malicious files.
This has been reported by ESET. In the first case, the goal is to make the user believe they have received a legitimate notification from the Agency and click a link that leads to a fraudulent page asking for their credentials.
In the second case, the attachment is a compressed file containing malicious code intended to steal personal information stored on the infected system. In both, the criminals try to build trust by using sender addresses that appear legitimate but are actually spoofed.
Phishing impersonating the Tax Agency and the Fábrica Nacional de Moneda y Timbre
In recent days, not only has the same campaign as the previous one continued to spread, but a second malicious e-mail has appeared that carries a file designed to steal personal information from infected systems. This technique is more advanced in that it uses malicious code to collect the information rather than tricking the user into typing it in.
The sender of the e-mail appears to be related to the Fábrica Nacional de Moneda y Timbre, but that is just a tactic to build trust in the victims. As in the previous e-mail, the message reports a supposed notification from the Tax Agency and attaches a file that some users may open thinking it is the notification.
However, the zipped attachment contains nothing resembling a notification. Instead, it holds a .bat file that is actually an executable with a renamed extension, carrying the malicious code responsible for the initial phase of the infection. The file extension is therefore no guide to what the attachment is; only its contents reveal that.
This time it is a variant of the NSIS/Injector.BVJ trojan, which criminals frequently use as first-stage malware: it downloads and runs on the system whatever payload has been chosen for the campaign. Here that payload is an infostealer that can steal credentials from applications such as web browsers, mail clients, and FTP and VPN clients, among others.
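The renamed-extension trick described above is exactly what an extension-based attachment filter misses. The following Python script is added here as an illustration; it is not part of ESET's report or of the campaign's own code. It opens a zipped attachment and classifies each member by content rather than by name: a member that begins with the PE "MZ" stub and carries a valid "PE\0\0" signature at the offset stored at 0x3C is a Windows executable (an NSIS installer is one), whatever it is called. The sample archive it builds is constructed for the demo (a minimal PE-shaped blob named Notificacion_AEAT.bat beside a genuine batch script); the file names are assumptions, not indicators from the campaign.

```python
"""Classify members of a zipped e-mail attachment by their content, not their extension."""
import io
import os
import zipfile

# DOS stub that every Windows PE file (EXE, DLL, NSIS installer, ...) starts with.
PE_MAGIC = b"MZ"
# Extensions under which a PE header is expected and therefore not disguised.
NATIVE_EXE_EXTENSIONS = {".exe", ".dll", ".scr", ".com"}
# Plain-text script extensions; a real batch file is text, never a PE.
SCRIPT_EXTENSIONS = {".bat", ".cmd"}


def is_pe(data: bytes) -> bool:
    """True if data carries the MZ stub and a valid PE signature at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != PE_MAGIC:
        return False
    pe_offset = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def classify_member(name: str, data: bytes) -> str:
    """Return a verdict for one archive member based on its bytes and its claimed extension."""
    ext = os.path.splitext(name)[1].lower()
    if is_pe(data):
        # A PE under a script or document extension is the renamed-executable trick.
        return "executable" if ext in NATIVE_EXE_EXTENSIONS else "executable_disguised"
    if ext in SCRIPT_EXTENSIONS:
        return "script"
    return "data"


def scan_attachment(zip_bytes: bytes) -> list:
    """Return (member name, verdict) for every file inside the archive."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Attachments are small, so read the whole member rather than a prefix;
            # e_lfanew can legitimately point well past the first few hundred bytes.
            data = zf.read(info)
            results.append((info.filename, classify_member(info.filename, data)))
    return results


def fake_pe_bytes() -> bytes:
    """Constructed minimal PE-shaped blob (MZ stub, e_lfanew=0x40, PE signature); not a real binary."""
    blob = bytearray(0x80)
    blob[0:2] = PE_MAGIC
    blob[0x3C:0x40] = (0x40).to_bytes(4, "little")
    blob[0x40:0x44] = b"PE\x00\x00"
    return bytes(blob)


def build_sample_zip() -> bytes:
    """Constructed sample archive: a PE renamed to .bat next to a genuine batch script.
    File names are assumptions for the demo, not indicators from the campaign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Notificacion_AEAT.bat", fake_pe_bytes())
        zf.writestr("limpiar.bat", "@echo off\r\necho hola\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, verdict in scan_attachment(build_sample_zip()):
        print(f"{member}: {verdict}")
```

Run on the constructed archive, the script reports Notificacion_AEAT.bat as executable_disguised and limpiar.bat as script. The same content check belongs at the mail gateway and in the endpoint's attachment handling: block or quarantine any member whose bytes say "executable" while its name says otherwise, instead of trusting an allow-list of extensions.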
Since this campaign targets Spanish users, most detections are likely occurring in Spain, although similar campaigns are being prepared and distributed in other countries, adapted to each country's tax-collection agency.