A new tax-themed phishing campaign is targeting U.S. taxpayers with malware-infected Microsoft Word email attachments that claim to contain tax-related information.
Cybersecurity technology company Cybereason states that opening the Word document displays a blurred background with the prompts "enable editing" and "enable content." Researchers note that hackers use this social engineering method to get users to enable embedded macros on their machine.
After it finishes decrypting, the malicious code downloads OpenVPN and a trojanized DLL file onto the device. The malware dropper connects to the legitimate cloud service "Imgur" and installs the remote access trojans NetWire and Remcos on victims' devices. These trojans allow hackers to take control of their victims' machines and steal sensitive information from them.
Both trojans are available for as little as $10 per month through the malware-as-a-service model.
The malware can remotely execute shell commands on the infected device; steal browser credentials and history; download and execute additional malware; capture screens and log keystrokes; and manage files and systems.
Researchers at Cybereason say the attack is designed to evade detection by antivirus tools. It uses a technique called steganography to hide malicious code in a JPEG image file that appears to be safe.
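The chain described above starts with a Word attachment that carries macros, which a mail filter can check for before a user ever sees the "enable content" prompt. The following Python code is an added example, not code from Cybereason or the cited articles; the function names and sample files are constructed, and the legacy .doc check is a byte-search heuristic that is assumed to be good enough for triage.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")    # legacy .doc compound-file header
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")  # VBA stream name in the OLE directory
MACRO_CT = b"macroEnabled"                       # marks .docm/.dotm content types


def triage_word_attachment(data: bytes) -> str:
    """Classify attachment bytes as 'macro', 'no-macro' or 'not-word'."""
    if data.startswith(OLE_MAGIC):
        # Heuristic (assumption): a VBA project leaves a _VBA_PROJECT directory entry.
        return "macro" if VBA_STREAM in data else "no-macro"
    if not data.startswith(b"PK"):
        return "not-word"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return "not-word"
            types = zf.read("[Content_Types].xml")
    except zipfile.BadZipFile:
        return "not-word"
    if not any(n.startswith("word/") for n in names):
        return "not-word"
    # Decide on content: the sender controls the file extension.
    has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
    return "macro" if has_vba or MACRO_CT in types else "no-macro"


def build_sample(parts: dict) -> bytes:
    """Build a constructed OOXML-style zip in memory (sample data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    base = {"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}
    samples = {
        "constructed plain .docx": build_sample(base),
        "constructed .docx with VBA part": build_sample({**base, "word/vbaProject.bin": b"\x00"}),
        "constructed legacy .doc with VBA": OLE_MAGIC + b"\x00" * 64 + VBA_STREAM,
    }
    for label, blob in samples.items():
        print(f"{label}: {triage_word_attachment(blob)}")
```

A "macro" verdict is a reason to quarantine or strip the attachment, not proof of malice, since legitimate documents also carry macros.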
Information stolen from victims can be sold in "underground communities" and used for identity theft and financial fraud, according to the senior director and head of threat research at Cybereason.
Paul Bischoff, a privacy advocate at Comparitech, says this is a particularly clever attack because it uses the popular and trusted website Imgur to deliver its payload instead of downloading from the hacker's server.
This new malware attack could lead to large financial losses. The Internal Revenue Service (IRS) identified tax fraud schemes totaling more than $2.3 billion in 2020.
Sources: Rene Millman, "Hackers target US taxpayers with NetWire and Remcos malware," itpro.co.uk (Mar. 19, 2021); Prajeet Nair, "Tax-Themed Phishing Campaign Emerges," bankinfosecurity.com (Mar. 19, 2021).