Microsoft is warning of a phishing effort that uses remote access malware to get early access to business networks and targets accounting companies and tax preparers.
With the end of the tax season approaching in the United States, accountants are hurrying to gather their customers’ tax records in order to complete and file their tax returns.
As a result, it is a great time for threat actors to target tax preparers, expecting that they will accept malicious files that they would normally be more cautious with when they are less busy.
This is exactly what Microsoft finds in a new phishing scheme attempting to install the Remcos remote access trojan virus on tax professionals.
“With U.S. Tax Day rapidly approaching, Microsoft has observed phishing attacks targeting accounting and tax return preparation firms to deliver the Remcos remote access trojan (RAT) and compromise target networks beginning in February of this year,” Microsoft cautions in a new study.
Tax professionals are being targeted.
The phishing effort begins with emails posing as clients requesting the essential paperwork to submit their tax returns.
“I apologize for not responding sooner; our individual tax return should be simple and not require much of your time,” a phishing email reviewed by Microsoft states.
“I believe you’d like a copy of our most recent year’s documents, such as W-2s, 1099s, mortgages, interest, donations, medical investments, HSAs, and so on, which I’ve attached below.”
These phishing emails contain URLs that use click-tracking services to avoid detection by security software, eventually leading to a file hosting site where a ZIP archive is downloaded.
This ZIP download contains a slew of files that appear to be PDFs for various tax forms but are actually Windows shortcuts.
When these Windows shortcuts are double-clicked, PowerShell is launched to download a deeply obfuscated VBS file from a remote server, which is then stored to C: WindowsTasks and executed.
Simultaneously, the VBS script will download a bogus PDF file and open it in Microsoft Edge to avoid alerting suspicion in the targeted individual.
According to Microsoft, these VBS programs download and run the GuLoader malware, which then installs the Remcos remote access trojan.
Flow of phishing campaign assaults
Remcos is a remote access trojan that is often used by threat actors in phishing efforts to obtain initial access to corporate networks.
Threat actors can use this access to propagate farther over the network, stealing data and installing other malware on a device.
According to Microsoft, while tax-related themes are widespread in phishing efforts, this campaign is unique in that it primarily targets tax preparation organizations and individuals.
“While social engineering lures like this one are common around Tax Day and other major current events, these campaigns are unusually specific and targeted.”
“This threat exclusively targets organizations involved in tax preparation, financial services, CPA and accounting firms, and professional service firms involved in bookkeeping and tax.”
Because accountants handle extremely sensitive data for individuals and organizations, a data breach in this sort of firm might have far-reaching consequences.
Because the first loaders for the malware in this operation are malicious files that seem like PDF files, we always advise users to allow the display of file extensions in Windows so they can recognize suspicious files.
Unfortunately, Windows shortcuts are a particular file format that utilizes the.lnk file extension but does not display it in File Explorer.
This behavior makes determining if a file is a shortcut more challenging. Listing files in File Explorer in ‘Details’ mode, on the other hand, will display that it is a Windows Shortcut, making it a little easier to find.
Finally, no one should open files or click on links in emails unless they are confirmed to be from a reputable person. If not, delete the email.