Microsoft Efile tax return software now includes enhanced malware detection. Secure your financial data with confidence. With U.S. Tax Day approaching on April 18, Microsoft is sharing detections and recommendations to help customers stay protected. Threat actors often align attacks with current events and leverage social engineering lures around high-profile topical subjects, like tax season. This particular campaign leverages phishing emails to deliver Remcos remote access trojan (RAT) and compromise targets.
The phishing campaign
Like other major current events and holidays, tax season provides a tempting opportunity for threat actors to align attacks with social engineering when people may be distracted or more likely to succumb to deception. Indeed, we have observed phishing campaigns delivering banking Trojans and RATs leveraging tax-themed email lures in broad-based and targeted attacks since early February.
In these campaigns, attackers use document attachments containing malicious macros to download and execute payloads. As a typical tactic, attackers advertise overdue taxes or a tax refund in order to trick victims into opening the documents and activating the malicious macros.
These tactics have largely been focused on organizations that deal with financial services, CPA and accounting firms, and professional service firms dealing in bookkeeping and tax preparation. As such, these threats are more targeted than the more indiscriminate attacks seen in other large topical phishing campaigns.
This specific campaign leverages a fake website that mimics the official Spanish tax agency site, with branding and layout based on the legitimate URL. To fool users into visiting the site, attackers include a link in their phishing emails that leads to the fake tax agency page.
Once on the site, the user is prompted to enter their email address and password to access their account. Upon doing so, the user is then redirected to a legitimate looking COVID-19 dashboard (Krebs on Security, 2020). The attackers hope that the user will be lulled into a false sense of security by the appearance of the dashboard and will not question the odd request for their email credentials, which under normal circumstances would raise a red flag.
The compromised user’s data is then sent to a server controlled by the attackers, where it can be used to steal additional information. For example, in one case where the phishing attack was successful, the attackers were able to retrieve the victim’s corporate login information and sell it on the underground markets.
This particular phishing campaign was delivered using the Remcos remote access trojan. This malware is part of the Arkei malware family and operates as a malware-as-a-service, with the threat actors charging for access to their victims’ systems.
The Remcos payload
The phishing campaign delivered Remcos, a remote access trojan (RAT), through the GuLoader downloader. GuLoader has been used by threat actors to deliver a variety of RATs and other malware through phishing campaigns since at least 2021, often by leveraging techniques such as legitimate file-sharing and cloud hosting services for payload storage and delivery and encryption and obfuscation to avoid detection and analysis.
Once the phishing campaign lures the victim into clicking the luring link, they are redirected to an actor-controlled web server that hosts Windows shortcut (.LNK) files containing web requests to actor-controlled domains and IP addresses to download malicious files. Once the attacker successfully delivers their payload, they can take control of the victim’s device and move laterally within the target network.
After executing, Remcos decrypts its configuration block in its PE resource section using RC4. This information includes but is not limited to: the C2 server information, the attacker assigned name to recognize the victim, the registry sub-key for recording keylogger and clipboard data, many flags telling Remcos how to start features in the victim’s device, and the authentication data used to establish connection to the C2 server.
The threat actors
Threat actors exploiting tax season are deploying sophisticated infrastructure, tailored phishing lures and highly coded malware. They’re stealing personal information and executing targeted attacks. They’re using a combination of open source intelligence and compromised staging targets to identify users, and conduct ongoing reconnaissance on target networks.
In the latest wave, Mandiant has identified an actor referred to by US-CERT as “UNC2529.” The first wave, observed between Dec. 11 and Dec. 18, 2020, leveraged a legitimate domain hijacked by the threat actor and altered DNS entries to compromise multiple organizations. This campaign led to the distribution of the second stage payload for the Remcos RAT.
The threat actors conducted open-source reconnaissance on the compromised staging targets, identifying potential targets of interest and intended targets. This reconnaissance included downloading a small photo from a publically accessible human resources page of a target organization. The image, when expanded, showed control systems equipment models and status information. This was a clear indicator of the targeted targeting by the threat actor.
In addition, the threat actors created local accounts to serve a variety of purposes on the compromised servers. Several accounts were named to mimic backup services on the staging targets, while others served specific functions in the ongoing operation. For example, one account was named to appear like a service account and used to remotely access the targeted organization’s network. This account was later used to remove a Forticlient software client from the staging target server.
Another account, named to look like a backup service of the staging server, was also used to retrieve a script from an external location and execute it. This script retrieved additional payloads to be executed on the victim’s system.
While the threat actors’ initial intent in this particular attack is to harvest credentials, they were also observed attempting to install and run a number of open source and free tools on compromised hosts. These tools were based on Python 2.7 and downloaded from publicly available locations.
The threat actors’ attempts to download and run these tools on the compromised staging targets are likely an attempt to detect a security response and prevent detection by their adversaries. To mitigate the risk of this type of exploitation, enterprises should consider disabling auto-mounting for disk image files (.iso,.img,.vhd, and.vhdx) on their enterprise network, and hunting proactively for these indicators of compromise by using the Investigation screen in the Cybereason Defense Platform and the Hunting Queries listed in this alert.
