Phishing campaign uses US tax season to lure victims

No Comments

Researchers at Cybereason have detected a new campaign targeting US taxpayers with documents that purport to contain tax-related content.

These deliver NetWire and Remcos -- two powerful and popular RATs which can allow attackers to take control of the victims' machines and steal sensitive information. The malicious documents used are roughly 7MB in size, which allows them to evade traditional AV mechanisms and heuristic detection.

"Social engineering via phishing emails continues to be the preferred infection method among both cybercriminals and nation-state threat actors. The potential for damage is serious and the malware allows threat actors to gain full control over a victim's machine and steal sensitive information from users or their employers. In this research, we demonstrate how the attackers are leveraging the US tax season to infect targets at will," says Assaf Dahan, senior director and head of threat research at Cybereason.

The malicious payloads are concealed and downloaded within image files using steganography techniques. This, combined with the fact they are hosted on public cloud services such as 'imgur', makes them even harder to detect. As a part of the infection process, a legitimate OpenVPN client is downloaded and executed which then sideloads a malicious DLL that drops the NetWire/Remcos malware.

"The use of various techniques such as steganography, storing payloads on legitimate cloud-based services, and exploiting DLL sideloading against a legitimate software makes these campaigns very difficult to detect," Dahan adds. "The sensitive information collected from the victims can be sold in the underground communities and used to carry out all manner of identity theft and financial fraud."

The campaign has similarities with another campaign seen in April of 2020 which also delivered the NetWire RAT. Both NetWire and Remcos are commercial RATs that are available for purchase online for as little as $10 per month. Both offer various licensing plans and follow the Malware-as-a-Service (MaaS) model, offering their customers a subscription-based model with services such as 24/7 support and software updates.

You can read more, including tips on staying safe, on the Cybereason blog.

Photo Credit: Vitalii Vodolazskyi / Shutterstock

No Comments

Comments are closed.

Got News? Contact Us

Recent Headlines

TCL 50 XL 5G Android smartphone hits Metro by T-Mobile: Big features, small price

The increasing sophistication of synthetic identity fraud

The NIST/NVD situation and vulnerability management programs

How AI will shape the future of the legal industry

Start menu ads are rolling out to all Windows 11 users -- here's how to turn them off

Qualcomm introduces Snapdragon X Plus for Windows PCs

Free test lets you check how websites measure up to privacy rules

Most Commented Stories

Say goodbye to Microsoft Windows 11 and hello to Nitrux Linux 3.4.0 'pl'

62 Comments

The stunning Windows 13 -- yes, 13! -- is the Microsoft operating system we want

22 Comments

Microsoft 'improves' Windows 11 by bringing ads to the Start menu in the US

21 Comments

Windows 11 slammed for its 'comically bad' performance even on high-end hardware

18 Comments

Microsoft is up to its old tricks yet again -- Windows 10 users harassed with full-screen Windows 11 upgrade warnings

18 Comments

Outrageous: Microsoft to charge $61 for Windows 10 updates -- consider switching to Linux!

18 Comments

Microsoft releases preview version of Office 2024 for Windows and macOS -- download it now!

17 Comments

Easter giveaway! Get a licensed copy of 'VideoProc Converter for Windows/Mac' (worth $78.90) for FREE

10 Comments

© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.