New phishing campaign targets taxpayer credentials

A new phishing campaign is targeting U.S. taxpayers with documents that purport to contain tax-related content, but ultimately deliver NetWire and Remcos malware – two prolific remote access trojans (RATs) which allows attackers to take control of victims’ machines through a new phishing email scheme, Cybereason discovered.

phishing taxpayers

The scam could result in steep financial losses for taxpayers. Last year alone, the IRS identified more than $2.3 billion in tax fraud schemes.

The new infection process is designed to evade antivirus tools and tricks targets into installing the malware via a tax-themed Word Document containing a malicious macro that downloads an OpenVPN client on the targeted machine.

The malware dropper establishes a connection to the legitimate cloud service “imgur” and downloads the NetWire or Remcos payloads by way of a technique called steganography, where the malicious code is hidden within an innocuous looking jpeg image file.

Key findings

  • Threat actors at work: Since the beginning of the year or earlier, threat actors have been luring early tax filers into opening malicious attachments via email – with the filing deadline around the corner, they are making one more push.
  • Evading heuristic and AV detection mechanisms: The malicious documents that infect the user are designed to evade traditional antivirus and heuristic detections.
  • Abuse of legitimate cloud services: The malware uses cloud services such as “imgur” to store configuration information.
  • Exploiting legitimate OpenVPN clients: As a part of the infection process, a legitimate OpenVPN client is downloaded and executed then sideloads a malicious DLL that drops NetWire/Remcos.
  • Steganography: Payloads are concealed and downloaded within image files, and combined with the fact they are hosted on public cloud services makes them even harder to detect.
  • Netwire and Remcos are popular RATs: NetWire has been around in one form or another since 2012, while Remcos first emerged in 2016.
  • Electronic filings on the rise: According to the IRS, nearly 170 million tax returns were filed in the U.S. in 2020. Of those, nearly 153 million were filed electronically.

The malware includes a variety of functions including the remote execution of shell commands on the infected machine, browser credential and history theft, the downloading and execution of additional malware payloads, screen captures and keylogging, as well as file and system management capabilities.

Both NetWire and Remcos are commercial RATs that are available for online for as little as $10 per month, and both include following the Malware-as-a-Service (MaaS) model, offering their customers subscription-based services with choice of licensing plans, 24/7 customer support and periodic software updates.

“Social engineering via phishing emails continues to be the preferred infection method among both cybercriminals and nation-state threat actors. The potential for damage is serious and the malware allows threat actors to gain full control over a victim’s machine and steal sensitive information from users or their employers. In this research, we demonstrate how the attackers are leveraging the U.S. tax season to infect targets at will,” said Assaf Dahan, senior director and head of threat research at Cybereason.

“The use of various techniques such as steganography, storing payloads on legitimate cloud-based services, and exploiting DLL sideloading against a legitimate software makes these campaigns very difficult to detect. The sensitive information collected from the victims can be sold in the underground communities and used to carry out all manner of identity theft and financial fraud,” added Dahan.

Tips to enhance safety when filing tax returns

  • Don’t click on links or open attachments in email: The threat actors use social engineering to steal sensitive information because a large percentage of targets will click on links or open attachments in their email without thinking twice. Never open attachments or click on links from untrusted sources.
  • Call the company or go directly to the company’s website to look for related info: If you receive an email or correspondence related to tax filing, consumers should call the company directly to confirm if they are communicating to customers via email.
  • Use two-factor authentication: Use multifactor authentication on accounts such as a SMS text, a fingerprint reader or face recognition to better protect personal information.
  • Protect the devices in your possession: Make sure your mobile devices are configured to automatically update critical software.
  • Use security software to protect your personal devices: Use an endpoint security solution to protect personal devices.

The IRS will never:

  • Initiate contact with taxpayers by email, text or social media to request personal or financial information.
  • Call taxpayers with threats of lawsuits or arrests.
  • Call, email or text to request taxpayers’ Identity Protection PINs.

Don't miss