Cyberattackers looking to cash in on this year’s tax season are targeting US taxpayers with the NetWire and Remcos trojans.
Tax season is under way in the US and taxpayers are filing their returns. As every year, this is also a time of increased cybercriminal activity. Examples of scams include a fake notice from a bank, demands for student loan repayment, fake criminal investigations by the IRS, and fake notices from financial companies warning of unauthorized transactions.
Cybereason researchers have analyzed an active phishing campaign in which victims receive phishing emails with attached documents; upon opening the docs, malicious macros deploy NetWire and Remcos Remote Access Trojans (RATs).
The research published by Cybereason on Thursday revealed that, once opened, phishing documents will present blurred content and ask victims to enable macros and editing in order to view the text.
Once the user grants those permissions, a “heavily obfuscated” macro drops a malicious dropper with a .DLL extension, which in turn downloads the first of the two Trojans into the /temp directory of the victim’s machine.
A rather long attack chain ensues, involving decryption of payload data with an XOR key, a connection to a command-and-control (C2) server, and the download of an OpenVPN client along with a side-loaded trojanized .DLL to maintain persistence.
The second Trojan is downloaded from imgur, a popular image hosting service, where it is hidden inside an image file using a technique known as steganography.
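Because the infection starts with a document that asks the user to enable macros, the first defensive check a mail gateway or analyst can apply is whether an attachment carries a VBA project at all. The following Python is an added example written for this article, not code from Cybereason or from the campaign; it inspects OOXML (.docx/.docm-style) zip containers for an embedded `vbaProject.bin` part and for a `macroEnabled` content type, and it builds its own constructed sample documents so it runs offline. The sample documents, the `find_macro_indicators` and `should_quarantine` names, and the placeholder bytes standing in for a VBA stream are all assumptions of this example.

```python
import io
import zipfile

# Constructed sample documents (not real phishing attachments): minimal OOXML
# zip containers, one with an embedded VBA project and one without.
MACRO_ENABLED_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)


def build_sample_docx(with_macro: bool) -> bytes:
    """Build a minimal OOXML-like zip in memory for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        main_type = MACRO_ENABLED_CONTENT_TYPE if with_macro else PLAIN_CONTENT_TYPE
        zf.writestr(
            "[Content_Types].xml",
            f'<Types><Override PartName="/word/document.xml" ContentType="{main_type}"/></Types>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project stream
            # (assumption: real streams begin with the OLE compound-file signature).
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0PLACEHOLDER")
    return buf.getvalue()


def find_macro_indicators(data: bytes) -> list:
    """Return the reasons an OOXML attachment looks macro-enabled (empty list = none).

    The check looks inside the container rather than at the file extension, because
    a macro-enabled document renamed to .docx still carries its vbaProject.bin part.
    """
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy binary .doc/.xls files are OLE containers, not zips, and need
        # a different parser; flag them for separate handling rather than passing them.
        return ["not an OOXML zip container (legacy OLE format needs a different parser)"]
    for name in zf.namelist():
        if name.lower().endswith("vbaproject.bin"):
            reasons.append(f"embedded VBA project: {name}")
    try:
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        if "macroEnabled" in ctypes:
            reasons.append("[Content_Types].xml declares a macroEnabled part")
    except KeyError:
        reasons.append("missing [Content_Types].xml (malformed container)")
    return reasons


def should_quarantine(data: bytes) -> bool:
    """Policy hook: hold any attachment with at least one macro indicator for review."""
    return bool(find_macro_indicators(data))


if __name__ == "__main__":
    for label, doc in (("benign", build_sample_docx(False)), ("macro", build_sample_docx(True))):
        print(label, should_quarantine(doc), find_macro_indicators(doc))
```

The check deliberately reports every indicator rather than stopping at the first, so a triage log shows both the embedded project and the declared content type; a gateway would feed flagged files to a full macro analyzer rather than blocking on this alone.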
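The article does not say how the payload is concealed inside the image, so the following is an added example, not Cybereason's analysis or the campaign's code, built on one assumption: that the hidden data is appended after the image's end-of-file marker, the most common way a download from an image host is abused to carry a binary. It parses PNG chunks to the `IEND` chunk (and uses a simpler end-marker heuristic for JPEG and GIF), reports how many bytes follow the point where a well-formed image should end, and builds its own constructed sample PNG and trailer so it runs offline. The function names and the 64-byte threshold are choices of this example; pixel-level (LSB) steganography would not be caught by it.

```python
import struct
import zlib
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(trailer: bytes = b"") -> bytes:
    """Constructed 1x1 grayscale PNG; `trailer` simulates data appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, bit depth, color type...
    idat = zlib.compress(b"\x00\x00")  # one filter byte plus one pixel
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat)
            + _png_chunk(b"IEND", b"") + trailer)


def image_end_offset(data: bytes) -> Optional[int]:
    """Offset at which a well-formed image should end, or None if the format is unknown."""
    if data.startswith(PNG_SIG):
        pos = len(PNG_SIG)
        while pos + 8 <= len(data):
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            pos += 8 + length + 4  # header, data, CRC
            if ctype == b"IEND":
                return pos
        return None  # truncated or no IEND chunk
    if data.startswith(b"\xff\xd8"):
        # Heuristic: last EOI marker. A trailer that itself contains FF D9 would be
        # under-reported; walking JPEG segments is the thorough alternative.
        eoi = data.rfind(b"\xff\xd9")
        return eoi + 2 if eoi != -1 else None
    if data.startswith((b"GIF87a", b"GIF89a")):
        trailer = data.rfind(b"\x3b")
        return trailer + 1 if trailer != -1 else None
    return None


def trailing_payload(data: bytes) -> bytes:
    """Bytes found after the image's logical end (empty if none or format unknown)."""
    end = image_end_offset(data)
    return b"" if end is None else data[end:]


def looks_suspicious(data: bytes, min_trailer: int = 64) -> bool:
    """Flag images carrying more than `min_trailer` bytes past their end marker."""
    return len(trailing_payload(data)) >= min_trailer


if __name__ == "__main__":
    clean = build_sample_png()
    # Constructed trailer: an MZ header followed by filler, standing in for a hidden binary.
    carrier = build_sample_png(b"MZ" + b"\x90" * 200)
    print("clean image trailing bytes:", len(trailing_payload(clean)))
    print("carrier image trailing bytes:", len(trailing_payload(carrier)), looks_suspicious(carrier))
```

Run over files written by browsers or by processes that normally do not fetch images, the trailing-byte count is a cheap proxy-side or endpoint signal; the threshold exists because some legitimate tools append a few bytes of metadata, so a handful of trailing bytes alone should not page anyone.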
The capabilities of the Remcos and NetWire RATs include taking screenshots, keylogging, harvesting files, stealing browser logs and clipboard data, collecting OS information, and downloading and executing additional malware.
“The use of various techniques such as steganography, storing payloads on legitimate cloud-based services, and exploiting DLL sideloading against a legitimate software makes these campaigns very difficult to detect,” commented Assaf Dahan, Cybereason head of threat research. “The sensitive information collected from the victims can be sold in the underground communities and used to carry out all manner of identity theft and financial fraud.”