Phishing campaign uses US tax season to lure victims
Researchers at Cybereason have detected a new campaign targeting US taxpayers with documents that purport to contain tax-related content.
These deliver NetWire and Remcos, two powerful and popular RATs that allow attackers to take control of victims' machines and steal sensitive information. The malicious documents are roughly 7 MB in size, which helps them evade traditional AV mechanisms and heuristic detection.
"Social engineering via phishing emails continues to be the preferred infection method among both cybercriminals and nation-state threat actors. The potential for damage is serious and the malware allows threat actors to gain full control over a victim's machine and steal sensitive information from users or their employers. In this research, we demonstrate how the attackers are leveraging the US tax season to infect targets at will," says Assaf Dahan, senior director and head of threat research at Cybereason.
The malicious payloads are concealed within image files using steganography techniques and downloaded from there. This, combined with the fact that the images are hosted on public cloud services such as 'imgur', makes them even harder to detect. As part of the infection process, a legitimate OpenVPN client is downloaded and executed; it then sideloads a malicious DLL that drops the NetWire/Remcos malware.
"The use of various techniques such as steganography, storing payloads on legitimate cloud-based services, and exploiting DLL sideloading against legitimate software makes these campaigns very difficult to detect," Dahan adds. "The sensitive information collected from the victims can be sold in the underground communities and used to carry out all manner of identity theft and financial fraud."
The campaign has similarities with another campaign seen in April 2020 which also delivered the NetWire RAT. Both NetWire and Remcos are commercial RATs that are available for purchase online for as little as $10 per month. Both offer various licensing plans and follow the Malware-as-a-Service (MaaS) model, selling their customers subscriptions that include services such as 24/7 support and software updates.
You can read more, including tips on staying safe, on the Cybereason blog.