Microsoft Efile Tax Return Software Malware Detection

November 7, 2023

Microsoft Efile tax return software now includes enhanced malware detection. Secure your financial data with confidence. With U.S. Tax Day approaching on April 18, Microsoft is sharing detections and recommendations to help customers stay protected. Threat actors often align attacks with current events and leverage social engineering lures around high-profile topical subjects, like tax season. This particular campaign leverages phishing emails to deliver Remcos remote access trojan (RAT) and compromise targets.

The phishing campaign

Like other major current events and holidays, tax season provides a tempting opportunity for threat actors to align attacks with social engineering when people may be distracted or more likely to succumb to deception. Indeed, we have observed phishing campaigns delivering banking Trojans and RATs leveraging tax-themed email lures in broad-based and targeted attacks since early February.

In these campaigns, attackers use document attachments containing malicious macros to download and execute payloads. As a typical tactic, attackers advertise overdue taxes or a tax refund in order to trick victims into opening the documents and activating the malicious macros.

These tactics have largely been focused on organizations that deal with financial services, CPA and accounting firms, and professional service firms dealing in bookkeeping and tax preparation. As such, these threats are more targeted than the more indiscriminate attacks seen in other large topical phishing campaigns.

This specific campaign leverages a fake website that mimics the official Spanish tax agency site, copying the branding and layout of the legitimate site. To lure users to the site, attackers include a link in their phishing emails that leads to the fake tax agency page.

Once on the site, the user is prompted to enter their email address and password to access their account. Upon doing so, the user is redirected to a legitimate-looking COVID-19 dashboard (Krebs on Security, 2020). The attackers hope that the appearance of the dashboard will lull the user into a false sense of security, so that they do not question the odd request for their email credentials, which would normally raise a red flag.

The compromised user’s data is then sent to a server controlled by the attackers, where it can be used to steal additional information. For example, in one case where the phishing attack was successful, the attackers were able to retrieve the victim’s corporate login information and sell it on the underground markets.

This particular phishing campaign delivered the Remcos remote access trojan. This malware is part of the Arkei malware family and operates as malware-as-a-service, with the threat actors charging for access to their victims’ systems.

The Remcos payload

The phishing campaign delivered Remcos, a remote access trojan (RAT), through the GuLoader downloader. Threat actors have used GuLoader to deliver a variety of RATs and other malware through phishing campaigns since at least 2021, often storing and delivering payloads on legitimate file-sharing and cloud hosting services and using encryption and obfuscation to evade detection and analysis.

Once the phishing email lures the victim into clicking the link, they are redirected to an actor-controlled web server that hosts Windows shortcut (.LNK) files. These shortcuts contain web requests to actor-controlled domains and IP addresses that download further malicious files. Once the attacker successfully delivers the payload, they can take control of the victim’s device and move laterally within the target network.
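The shortcut files described above are a good hunting target because a benign .LNK rarely needs to carry a URL or a bare IP address. The following script is an added example, not code from the article or from Microsoft: it checks the ShellLink header (the 0x4C header size and the ShellLink CLSID from the MS-SHLLINK specification), then scans the remaining bytes for ASCII and UTF-16LE strings containing URLs or IPv4 addresses. The sample shortcut bytes are constructed for the example, and the IP address is from a documentation range, not a real indicator.

```python
"""Heuristic triage of Windows shortcut (.LNK) files for embedded web requests.

Added example (not from the original article). It verifies the ShellLink header
and then looks for URLs and IPv4 addresses in the file's printable strings,
which is what the article says the actor-controlled shortcuts carry.
The sample bytes below are constructed; 198.51.100.7 is a TEST-NET-2 address.
"""
import re
from typing import Dict, List

LNK_HEADER_SIZE = b"\x4c\x00\x00\x00"  # HeaderSize field is always 0x0000004C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")           # printable ASCII runs
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")    # printable UTF-16LE runs
URL_RE = re.compile(r"https?://[\x21-\x7e]+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_shell_link(data: bytes) -> bool:
    """True when the first 20 bytes match the ShellLink header magic."""
    return data[:4] == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def extract_strings(data: bytes) -> List[str]:
    """Collect printable ASCII and UTF-16LE runs; target paths and arguments are usually UTF-16LE."""
    narrow = [m.decode("ascii") for m in ASCII_RUN.findall(data)]
    wide = [m.decode("utf-16le") for m in WIDE_RUN.findall(data)]
    return narrow + wide


def triage_lnk(data: bytes) -> Dict[str, object]:
    """Return header validity plus any URLs / IPv4 addresses found in the strings."""
    result: Dict[str, object] = {"is_lnk": is_shell_link(data), "urls": [], "ips": [], "suspicious": False}
    if not result["is_lnk"]:
        return result
    urls: List[str] = []
    ips: List[str] = []
    for text in extract_strings(data[20:]):
        urls.extend(URL_RE.findall(text))
        ips.extend(IPV4_RE.findall(text))
    result["urls"] = list(dict.fromkeys(urls))   # de-duplicate, keep order
    result["ips"] = list(dict.fromkeys(ips))
    result["suspicious"] = bool(result["urls"] or result["ips"])
    return result


# Constructed sample: a minimal header followed by a UTF-16LE argument string
# that would fetch a payload from a documentation-range IP address.
SAMPLE_LNK = (
    LNK_HEADER_SIZE + LNK_CLSID + bytes(56)
    + "http://198.51.100.7/update.bin".encode("utf-16le") + bytes(8)
)

if __name__ == "__main__":
    print(triage_lnk(SAMPLE_LNK))
```

Run it over a directory of attachments or a mail quarantine export and review anything with `suspicious` set; a full MS-SHLLINK parser would also expose the target path and icon location, but the string scan above is enough to surface the download behaviour the article describes.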

After executing, Remcos decrypts its configuration block, stored in its PE resource section, using RC4. This configuration includes, among other items: the C2 server information, the attacker-assigned name used to identify the victim, the registry sub-key used to record keylogger and clipboard data, a set of flags controlling which features Remcos enables on the victim’s device, and the authentication data used to establish the connection to the C2 server.
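Because RC4 is symmetric and the key has to be recoverable by the malware itself, an analyst who locates the encrypted resource can usually decrypt the configuration offline and extract the C2 details for blocking and hunting. The script below is an added example, not code from the article or from any vendor. The blob layout it assumes (one byte of key length, then the key, then the RC4 ciphertext), the `|` field separator and the field order in `FIELD_NAMES` are assumptions for illustration; confirm each against the sample you are analysing. The sample blob is built by encrypting a made-up configuration, so every value in it is fake.

```python
"""Decrypt an RC4-protected RAT configuration blob of the kind the article describes.

Added example, not from the original article. The blob layout, the field
delimiter and the field order below are assumptions for illustration; the
field names mirror the items the article lists. The sample is constructed.
"""
from typing import Dict, List, Tuple

FIELD_NAMES = ["c2", "victim_name", "registry_subkey", "feature_flags", "c2_auth"]  # assumed order
DELIMITER = b"|"   # assumed separator between fields in the decrypted data


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by the keystream generator (PRGA)."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def split_blob(blob: bytes) -> Tuple[bytes, bytes]:
    """Separate the embedded key from the ciphertext using the assumed layout."""
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len:
        raise ValueError("malformed settings blob")
    return blob[1:1 + key_len], blob[1 + key_len:]


def decrypt_config(blob: bytes) -> Dict[str, str]:
    """Decrypt the blob and map the delimited fields onto the assumed field names."""
    key, ciphertext = split_blob(blob)
    fields = rc4(key, ciphertext).split(DELIMITER)
    if len(fields) != len(FIELD_NAMES):
        raise ValueError(f"expected {len(FIELD_NAMES)} fields, got {len(fields)}")
    return dict(zip(FIELD_NAMES, (f.decode("latin-1") for f in fields)))


def build_blob(key: bytes, fields: List[str]) -> bytes:
    """Inverse of decrypt_config; used only to construct the sample (RC4 is symmetric)."""
    plaintext = DELIMITER.join(f.encode("latin-1") for f in fields)
    return bytes([len(key)]) + key + rc4(key, plaintext)


# Constructed configuration: hostnames, key names and credentials are all fake.
SAMPLE_FIELDS = [
    "c2.example.invalid:2404",
    "Host-CONSTRUCTED",
    "Software\\ExampleRAT-constructed",
    "1,0,1,0",
    "pass-constructed",
]
SAMPLE_BLOB = build_blob(b"constructed-key", SAMPLE_FIELDS)

if __name__ == "__main__":
    for name, value in decrypt_config(SAMPLE_BLOB).items():
        print(f"{name:16} {value}")
```

For a real sample, replace `SAMPLE_BLOB` with the bytes of the resource you extracted (for example with `pefile`), and expect to adjust the layout and delimiter once you have looked at the decrypted output; the C2 host and port are the fields worth feeding into blocking and hunting first.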

The threat actors

Threat actors exploiting tax season are deploying sophisticated infrastructure, tailored phishing lures and custom-coded malware. They are stealing personal information and executing targeted attacks. They use a combination of open source intelligence and compromised staging targets to identify users and to conduct ongoing reconnaissance of target networks.

In the latest wave, Mandiant has identified an actor referred to by US-CERT as “UNC2529.” The first wave, observed between Dec. 11 and Dec. 18, 2020, leveraged a legitimate domain hijacked by the threat actor, with altered DNS entries, to compromise multiple organizations. This campaign led to the distribution of the second-stage payload for the Remcos RAT.

The threat actors conducted open-source reconnaissance from the compromised staging targets, identifying potential and intended targets of interest. This reconnaissance included downloading a small photo from a publicly accessible human resources page of a target organization. The image, when enlarged, showed control systems equipment models and status information. This was a clear indicator of deliberate targeting by the threat actor.

In addition, the threat actors created local accounts on the compromised servers to serve a variety of purposes. Several accounts were named to mimic backup services on the staging targets, while others served specific functions in the ongoing operation. For example, one account was named to look like a service account and was used to remotely access the targeted organization’s network. This account was later used to remove a FortiClient software client from the staging target server.

Another account, named to look like a backup service of the staging server, was also used to retrieve a script from an external location and execute it. This script retrieved additional payloads to be executed on the victim’s system.

While the threat actors’ initial intent in this particular attack was to harvest credentials, they were also observed attempting to install and run a number of open source and free tools on compromised hosts. These tools were based on Python 2.7 and downloaded from publicly available locations.

The threat actors’ attempts to download and run these tools on the compromised staging targets are likely intended to detect a security response and to avoid detection by defenders. To mitigate the risk of this type of exploitation, enterprises should consider disabling auto-mounting of disk image files (.iso, .img, .vhd and .vhdx) on their enterprise network, and hunting proactively for these indicators of compromise by using the Investigation screen in the Cybereason Defense Platform and the Hunting Queries listed in this alert.

Ammar Fakhruddin

Ammar brings 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real-world business and data problems by bringing in leading-edge solutions that are cost effective and improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.
