eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
As the U.S. and Canadian tax season approaches, eSentire has observed a substantial increase in malware being delivered through tax-themed phishing emails. Cybercriminals are exploiting the urgency and importance of tax-related communications to trick individuals into opening malicious email links, leading to malware infections.
The observed phishing campaigns utilize tax-themed lures, including tax documents, tax returns, and IRS letters. These emails often appear to be sent from legitimate tax authorities or financial institutions and include malicious links leading to malware payloads hosted on attacker-controlled infrastructure.
eSentire has observed the following malware families being delivered from tax-themed campaigns: GuLoader (which in turn loads RemcosRAT), XWorm, RattyRat, and SorillusRAT. These malware families provide threat actors with a variety of functionalities including keylogging, taking screenshots, audio and webcam recording, file transfer, and remote code execution.
With the increasing sophistication of tax-themed phishing campaigns, it is crucial organizations implement proactive email security measures, as well as educate users to minimize the risk of malware infections and protect sensitive information, during the tax season and throughout the calendar year.
What we’re doing about it
eSentire MDR for Network has rules in place to identify GuLoader, RemcosRAT, XWorm, RattyRat, and SorillusRAT
eSentire MDR for Endpoint has a wide array of rules in place to detect malicious activity associated with these threats
BlueSteel, via eSentire MDR for Endpoint, identifies malicious PowerShell activity
Known malicious IP addresses are blocked via the eSentire Global Block list
eSentire’s Threat Response Unit released a TRU Positive blog detailing the Ratty RAT and Sorillus RAT infections
The eSentire Threat Intelligence team is actively tracking related threats for additional details and detection opportunities
What you should do about it
Individuals and organizations should be vigilant when receiving unsolicited emails or messages related to taxes
Train users to identify and report potentially malicious content using Phishing and Security Awareness Training (PSAT) programs
Review the example of a malicious email included below (Figure 1)
If not required for a business function, block password-protected zip archives at the email boundary
If not required for a business function, block .jar file attachments in email and block emails with .jar in URLs
Consider removing Java on systems where it is not required
Consider creating a new “Open With” parameters for .jar files so they open with notepad.exe
This setting is found in the Group Policy Management Console under User Configuration > Preferences > Control Panel Settings > Folder Options
Applying this to other script files (.js, .jse, .hta, .vbs) is also recommended for most users to limit the risk of click-to-execute content
Enforce the use of Multi-Factor Authentication (MFA) to limit the value of stolen credentials
Additional information
GuLoader is a sophisticated malware loader which has heavily abused tax-themed lures in 2023. eSentire’s Threat Response Unit reported on GuLoader around tax season last year in both April
and June
of 2023. Starting in early March 2024, eSentire has observed an increase in GuLoader incidents resulting in the deployment of the RemcosRAT malware. In observed incidents, users received tax-themed malicious emails which contain a link to a password protected ZIP archive that impersonates a tax return (Figure 1). The ZIP archive contains an LNK file, which if interacted with, leads to the deployment of GuLoader. GuLoader is then launched resulting in the execution of PowerShell commands, establishing persistence via Registry Run Keys, and ultimately the RemcosRAT payload is injected into the memory of a legitimate process (Figure 2). If not detected and remediated quickly, these incidents will lead to information theft and enable remote control over the victim device.
RemcosRAT, XWorm, RattyRat, and SorillusRAT are all Remote Access Trojans offering various information stealing and remote access capabilities, including keylogging, capturing screenshots, recording audio, transferring files, and remotely controlling target machines.
In a recently observed incident involving XWorm malware, a user was identified downloading a malicious JavaScript file, which was impersonating a tax document; the user was directed to the download page via a malicious email. Upon execution, a PowerShell command was spawned to retrieve the XWorm payload from its Command-and-Control (C2) server. Subsequent JavaScript and PowerShell commands were blocked, via the client’s Endpoint agent, preventing malicious actions from occurring (Figure 3).
For additional technical details relating to recent observations of Ratty Rat and Sorillus RAT, delivered via tax-related lures, see the eSentire TRU Positive blog post Beware the Bait: Java RATs Lurking in Tax Scam Emails, published on February 26th, 2024.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
