New Phishing Campaign Deploys Amadey Botnet Against U.S. Taxpayers

By Bill Toulas / September 18, 2019

According to a report by the Cofense Phishing Defense Center, there’s a new wave of attacks that distributes the Amadey botnet via phishing emails sent to U.S. taxpayers. Amadey was discovered only recently, at the beginning of the year, and it has seen limited deployment due to its higher cost. The threat groups that have used it so far deployed it as a dropper of malware payloads, and this latest campaign follows the same pattern.



Recipients get an email that is supposedly sent from the Internal Revenue Service (IRS), informing them that they are eligible for a tax refund. The taxpayer receives a one-time username and password, supposedly provided for logging in to the “tax refund platform”. To reach this platform, the recipient is urged to click on a button embedded in the message, which redirects to “hxxp://yosemitemanagement[.]com/fonts/page5/”. Those who don’t notice the URL, and who are unlucky enough not to receive a warning from their internet protection solution, will end up on a webpage that looks like it comes from the IRS. At the top of that page, there’s a large warning informing them of “1 pending refund” that they will receive after they sign a file.



Once they log in, they are asked to download a document, print it, sign it, and then upload the scanned version to the portal. Of course, this document is nothing other than a Visual Basic script dropper which infects the victim’s system with Amadey. The botnet then uses Reg.exe to edit the registry and establish persistence on the infected machine. Finally, it connects to a whole set of C2 servers and sends system information such as the OS, any anti-virus tools in use, the username, and more.
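The chain described above (a script dropper that spawns Reg.exe to persist) is a detectable parent/child pattern. The following is an added example written for this article, not code from Cofense or from the Amadey report: it runs a simple detection over constructed process-creation events in a Sysmon-like layout (the field names, the `Run` autostart key and the file paths are assumptions for illustration, not indicators from the campaign).

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1 style layout.
# Field names and paths are illustrative assumptions, not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\Refund_Form.vbs"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
                r'/v upd /t REG_SZ /d "C:\Users\u\AppData\Local\Temp\x.exe" /f'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion /v ProductName"},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe ADD HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate "
                r"/v AUOptions /t REG_DWORD /d 4 /f"},
]

# Windows Script Host binaries that execute a .vbs dropper.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed persistence location: the per-user / machine Run and RunOnce keys.
AUTOSTART_KEYS = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\b", re.I)
# Matches "reg add" / "reg.exe add", optionally quoted or with a full path.
REG_ADD = re.compile(r'^\s*"?(?:[A-Z]:\\[^"]*\\)?reg(?:\.exe)?"?\s+add\b', re.I)


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious(event: dict) -> bool:
    """True when a script host spawns reg.exe to add an autostart entry."""
    if basename(event["image"]) != "reg.exe":
        return False
    if basename(event["parent"]) not in SCRIPT_HOSTS:
        return False
    cmd = event["cmdline"]
    return bool(REG_ADD.search(cmd) and AUTOSTART_KEYS.search(cmd))


def find_suspicious(events):
    """Filter a list of events down to those matching the dropper pattern."""
    return [e for e in events if is_suspicious(e)]
```

Legitimate administration (the `reg QUERY` and the svchost-spawned policy write in the sample) is not flagged; only the Run-key write with a script host parent is.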



If you receive a message that claims eligibility for a tax refund, just report it as spam and delete it. The IRS does not send email messages to taxpayers for no reason whatsoever. These messages are 100% fraudulent, and no matter how hopeful their contents may be, you should never download and open any files or attachments, “just to check” what they are. Merely executing these files is enough to get you into trouble.

Are you a U.S. taxpayer? Did you receive a message like the one above? Let us know of the details in the comments down below, and help us spread the word of warning by sharing this post through our socials, on Facebook and Twitter.
