Threat actors strive to cause Tax Day headaches
Microsoft Security Blog, published 2023-04-13 (last modified 2024-07-03)
https://www.microsoft.com/en-us/security/blog/2023/04/13/threat-actors-strive-to-cause-tax-day-headaches/

Threat actors often take advantage of current events and major news headlines to time their attacks and to lean on social engineering at moments when people are more likely to be distracted or misled. Tax season is particularly appealing to threat actors because people are busy and under stress, and because the season is intrinsically tied to financial information. With U.S. Tax Day approaching, Microsoft has observed phishing attacks, beginning in February of this year, that target accounting and tax return preparation firms to deliver the Remcos remote access trojan (RAT) and compromise target networks.

Remcos, which stands for “Remote Control and Surveillance”, is a closed-source tool that allows threat actors to gain administrator privileges on Windows systems remotely. It was released in 2016 by BreakingSecurity, a European company that markets Remcos and other offensive security tools as legitimate software. In 2021, CISA listed Remcos among its top malware strains, citing its use in mass phishing attacks with COVID-19 pandemic themes targeting businesses and individuals.

While social engineering lures like this one are common around Tax Day and other high-profile current events, these campaigns are specific and targeted in a way that is uncommon. The targets for this threat are exclusively organizations that deal with tax preparation, financial services, CPA and accounting firms, and professional service firms dealing in bookkeeping and tax. This campaign can be detected by Microsoft Defender Antivirus, built into Windows and on by default, as well as by Microsoft 365 Defender.

The campaign uses lures masquerading as tax documentation sent by a client, while the link in the email uses a legitimate click-tracking service to evade detection. The target is then redirected to a legitimate file hosting site, where the actor has uploaded Windows shortcut (.LNK) files.

[Figure 1. Screenshot: Remcos malware phishing lure]

These LNK files generate web requests to actor-controlled domains and/or IP addresses to download malicious files. These malicious files then perform actions on the target device and download the Remcos payload, giving the actor potential access to the target device and network.

Microsoft is sharing this information, along with detections and recommendations, with the community to help users and defenders stay vigilant against this campaign as Tax Day approaches in the U.S. on April 18. Microsoft 365 Defender and Microsoft Defender Antivirus detect and block Remcos and other malicious activity related to this campaign.

Phishing campaign analysis

What we have observed is that the link in the phishing email points to the Amazon Web Services click-tracking service at awstrack[.]me. The initial link then redirects the target to a ZIP file hosted on the legitimate file-sharing service spaces[.]hightail[.]com. The ZIP file contains LNK files that act as Windows shortcuts to other files. The LNK files make web requests to actor-controlled domains and IP addresses to download additional malicious files such as MSI files containing DLLs or executables, VBScript files containing PowerShell commands, or deceptive PDFs.

[Figure 2. Screenshot: unpacked file names referencing tax documents in the malware]

In some cases, GuLoader was used to execute shellcode and subsequently download Remcos on the target system. GuLoader is a malicious downloader that has been used by many different actors to deliver a wide variety of malware, including several RATs such as Remcos, through phishing campaigns since it was first observed in the wild in December 2019. The downloader uses several techniques to evade analysis and detection, such as using legitimate file-sharing sites and cloud hosting services for payload storage and delivery, as well as encryption and obfuscation of the GuLoader shellcode and payloads.

Successful delivery of a Remcos payload could give an attacker the opportunity to take control of the target device to steal information and/or move laterally through the target network.

[Figure 3. Diagram: Tax Day-themed Remcos attack chain]

We continue to learn from these campaigns to improve how we protect customers.

Recommendations and detections

Microsoft recommends the following mitigations to reduce the impact of this threat: