A TA505 threat group campaign masquerades as email from “National Tax Inspectorate for interrogation”.
The infection starts with an email with the subject “National Tax Code”.
The spreadsheet in this campaign contains malicious macros that, once enabled, download and execute the first-stage malware “wiskkk.exe”. This executable downloads and executes winserv.exe, the final-stage malware, also known as RMS (Remote Manipulator System). RMS is a known remote administration tool by TektonIT that allows complete access to the target system.
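The staged execution described above can be hunted for in process-creation telemetry. The following is an added example, not part of the original advisory: it walks parent/child links and flags anything descended from the spreadsheet application, raising severity when the advisory's file names appear. It assumes the spreadsheet is opened in Excel; the record layout and sample events are constructed.

```python
import ntpath

# File names taken from the advisory; they are trivially renamed, so treat as weak indicators.
STAGE_NAMES = {"wiskkk.exe", "winserv.exe"}
# Assumption: the macro-bearing spreadsheet is opened in Excel.
OFFICE_PARENTS = {"excel.exe"}

# Constructed process-creation records (shape loosely modelled on Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Users\alice\AppData\Local\Temp\wiskkk.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\alice\AppData\Roaming\winserv.exe"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe"},
    {"pid": 600, "ppid": 100, "image": r"C:\Tools\winserv.exe"},  # same name, no Excel ancestor
]

def base(image):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(image).lower()

def lineage(event, by_pid):
    """Image names from the oldest known ancestor down to this event (PID reuse is ignored)."""
    chain, seen = [], set()
    while event and event["pid"] not in seen:
        seen.add(event["pid"])
        chain.append(base(event["image"]))
        event = by_pid.get(event["ppid"])
    return chain[::-1]

def find_chains(events):
    """Flag processes descended from Excel; 'high' when a name from the advisory is in the chain."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        chain = lineage(e, by_pid)
        office_idx = [i for i, name in enumerate(chain[:-1]) if name in OFFICE_PARENTS]
        if not office_idx:
            continue  # no spreadsheet application above this process
        descent = chain[office_idx[0]:]
        severity = "high" if STAGE_NAMES & set(descent) else "review"
        hits.append({"pid": e["pid"], "severity": severity, "chain": descent})
    return hits

if __name__ == "__main__":
    for hit in find_chains(SAMPLE_EVENTS):
        print(hit)
```

Because the match is anchored on ancestry rather than file name alone, a renamed first stage still surfaces at "review" severity, while an unrelated winserv.exe with no Excel ancestor is not flagged.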
Unauthorized system access
Indicators of Compromise
IP(s) / Hostname(s)
Malware Hash (MD5/SHA1/SHA256)
National Tax Code