A new phishing scam that fools U.S. taxpayers into handing over control of their systems to hackers could result in billions of dollars in personal losses from stolen private information.
The ruse, which began some three months ago, lures taxpayers to open an email-attached document that appears to contain tax-related information but instead releases a malware dropper that connects with a legitimate cloud service, ultimately delivering the NetWire or Remcos remote access trojans (RATs). The hackers use a technique called steganography, where the malicious code is hidden inside a seemingly innocent JPEG file, security provider Cybereason said of its malware discovery.
“The use of various techniques such as steganography, storing payloads on legitimate cloud-based services, and exploiting DLL side loading against legitimate software makes these campaigns very difficult to detect,” said Assaf Dahan, Cybereason’s senior director and head of threat research. “The sensitive information collected from the victims can be sold in the underground communities and used to carry out all manner of identity theft and financial fraud,” he said.
Remote Access Trojans as a Subscription Service
According to Cybereason, NetWire and Remcos are commercially available online for roughly $10 per month and are also sold on a subscription basis with licensing plans, 24/7 customer support and software updates. Neither RAT is new to the malware scene; Remcos was first identified five years ago and NetWire dates to 2012.
Individuals e-filing tax returns are fertile ground for hackers. According to the Internal Revenue Service (IRS), roughly 90 percent of the 170 million tax returns filed for 2020, or 153 million, are expected to be filed electronically. The IRS has pushed back the deadline to file 2020 taxes from April 15, 2021 to May 17, 2021 due to COVID-19. With the filing deadline approaching, Cybereason expects the hackers to make “one more push” with the phishing campaign.
“Social engineering via phishing emails continues to be the preferred infection method among both cyber criminals and nation-state threat actors,” said Dahan. “The potential for damage is serious and the malware allows threat actors to gain full control over a victim’s machine and steal sensitive information from users or their employers,” he said.
How the Malware Works
Additional findings include:
- The malicious documents that infect the user are designed to evade traditional antivirus and heuristic detections.
- The malware uses cloud services such as imgur to store configuration information.
- As part of the infection process, a legitimate OpenVPN client is downloaded and executed; it then side-loads a malicious DLL that drops NetWire/Remcos.
- Payloads are concealed and downloaded within image files. That they are hosted on public cloud services makes them even harder to detect.
- The malware includes a variety of functions including the remote execution of shell commands on the infected machine, browser credential and history theft, the downloading and execution of additional malware payloads, screen captures and key logging, as well as file and system management capabilities.
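As an added, defender-side illustration (not code from Cybereason or its report): one common way to hide a payload inside an image is to append it after the JPEG end-of-image marker, and the check below walks the marker structure and flags any such trailing bytes. The article does not say which embedding technique this campaign used, so this is one triage heuristic rather than a signature for it, and the JPEG bytes are constructed for the example.

```python
"""Triage helper: flag image files that carry extra bytes after the JPEG end marker."""
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"

def jpeg_trailing_data(data: bytes):
    """Walk JPEG marker segments and return the bytes after the EOI marker.

    Returns None when the input is not a JPEG or cannot be parsed. Appended
    bytes are an indicator worth a closer look, not proof of malware.
    """
    if not data.startswith(SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None                      # lost marker sync; unparseable
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill byte before a marker
            pos += 1
        elif marker == 0xD9:                 # EOI reached with no scan data
            return data[pos + 2:]
        elif marker == 0xDA:                 # SOS: entropy-coded data follows
            # Inside scan data 0xFF is always stuffed as FF 00 or FF D0..D7,
            # so the first FF D9 found is the real end-of-image marker.
            eoi = data.find(EOI, pos + 2)
            return data[eoi + 2:] if eoi != -1 else None
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                         # standalone markers (TEM, RSTn)
        else:
            if pos + 4 > len(data):
                return None
            (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
            pos += 2 + length                # length field counts itself
    return None

def triage_image(data: bytes) -> dict:
    """Summarise the check for a detection pipeline or a manual review."""
    trailer = jpeg_trailing_data(data)
    return {"is_jpeg": trailer is not None,
            "trailing_bytes": len(trailer) if trailer else 0,
            "suspicious": bool(trailer)}

# Constructed sample: a minimal JPEG skeleton (APP0 + SOS + a few scan bytes),
# then the same image with 57 placeholder bytes appended after the EOI marker.
CLEAN_JPEG = (SOI + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x00" * 9
              + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
              + b"\x12\x34\xff\x00\x56" + EOI)
STEGO_JPEG = CLEAN_JPEG + b"PAYLOAD-PLACEHOLDER" * 3   # stands in for hidden data

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("appended", STEGO_JPEG)):
        print(name, triage_image(blob))
```

Run over an attachment quarantine folder, a non-zero `trailing_bytes` result on a JPEG is a cheap reason to escalate the file for sandboxing rather than trusting its image extension.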
Just as an FYI, the IRS never contacts taxpayers by email, text or social media for personal or financial information; or calls taxpayers to threaten lawsuits or arrests; or calls, emails or texts to request taxpayers’ personal identification number (PIN).