IRS Authorized e-File.com Found Serving Malware

The tax return software provider eFile.com, which is authorized by the IRS, was found to be serving JavaScript (JS) malware on its website. The malware is designed to steal sensitive data such as login credentials and financial information. The malware was seen by multiple security researchers who reported the issue to eFile.com. The company stated that it has resolved the issue and that no customer data had been compromised. However, the incident serves as a reminder for individuals to take precautions when using online tax services and to keep their software updated.

Analyst Notes

Tax season is a period in the United States when an uptick in cybercrime is seen. As the season winds down, many taxpayers are scrambling at the last minute to finish their taxes before the 2023 deadline. Whether someone has filed their taxes yet or not, they still need to remain vigilant, as many threat actors will keep looking for ways to scam or trick victims.

The malicious JavaScript file ‘update.js’ further attempts to prompt users to download a next-stage payload, depending on whether they are using Chrome or Firefox. Antivirus products have already started flagging these executables as trojans. These binaries establish a connection to a Tokyo-based IP address, 47.245.6.91, that appears to be hosted with Alibaba. The same IP also hosts the illicit domain, infoamanewonliag[.]online, associated with this incident. Security research group MalwareHunterTeam further analyzed these binaries and stated that they contain Windows botnets written in PHP.

It is recommended that organizations restrict PHP execution to devices that have a legitimate business use for it. In addition, behavioral detections for executables downloaded by JavaScript may help identify attack attempts by any similar campaigns. Binary Defense’s MDR and Threat Hunting services are excellent solutions to assist with such needs.

The Chrome malicious payload for this campaign has been identified as:
update.exe https://www.virustotal.com/gui/file/882d95bdbca75ab9d13486e477ab76b3978e14d6fca30c11ec368f7e5fa1d0cb

The Firefox malicious payload has also been identified:
installer.exe https://www.virustotal.com/gui/file/095fbb7685f5ad054bab28346d744e137564beabc33c13a25818936ddc739f5b
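The following script is an added example, not code from Binary Defense or from the researchers cited here. It shows two of the defensive checks discussed above run against endpoint telemetry: an indicator match using the two payload hashes, the IP address and the domain listed in this post, and the behavioral rule suggested above (an executable written to disk by a browser process that is subsequently launched). The events are constructed Sysmon-style records with assumed field names (Image, TargetFilename, Hashes, DestinationIp, QueryName); the user name and file paths in them are made up.

```python
"""Run IoC matching and a browser-dropped-executable rule over sample telemetry.

The indicator values come from the post above; the events are constructed
Sysmon-style records (EventID 1 = process create, 3 = network connection,
11 = file create, 22 = DNS query) and are not real logs.
"""

# Indicators listed in the post.
IOC_SHA256 = {
    "882d95bdbca75ab9d13486e477ab76b3978e14d6fca30c11ec368f7e5fa1d0cb": "update.exe (Chrome payload)",
    "095fbb7685f5ad054bab28346d744e137564beabc33c13a25818936ddc739f5b": "installer.exe (Firefox payload)",
}
IOC_IPS = {"47.245.6.91"}
# The post defangs the domain; refang it so it compares equal to a DNS log field.
IOC_DOMAINS = {"infoamanewonliag[.]online".replace("[.]", ".")}

# Browser process names considered as "downloader" parents for the behavioral rule (assumed list).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed sample events in time order (hypothetical host, user and paths).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\update.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\update.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "SHA256=882d95bdbca75ab9d13486e477ab76b3978e14d6fca30c11ec368f7e5fa1d0cb"},
    {"EventID": 22, "Image": r"C:\Users\alice\Downloads\update.exe",
     "QueryName": "infoamanewonliag.online"},
    {"EventID": 3, "Image": r"C:\Users\alice\Downloads\update.exe",
     "DestinationIp": "47.245.6.91", "DestinationPort": 443},
    # Benign noise: a browser download that is never executed, and an unrelated process.
    {"EventID": 11, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\setup.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "Hashes": "SHA256=deadbeef"},
]


def _sha256(hashes_field):
    """Extract the SHA256 value from a Sysmon 'Hashes' field like 'MD5=..,SHA256=..'."""
    for part in hashes_field.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def _basename(path):
    """Return the lower-cased file name component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_iocs(events):
    """Return (event_index, description) for every event that matches a known indicator."""
    hits = []
    for i, ev in enumerate(events):
        digest = _sha256(ev.get("Hashes", ""))
        if digest in IOC_SHA256:
            hits.append((i, "known payload hash: " + IOC_SHA256[digest]))
        if ev.get("DestinationIp") in IOC_IPS:
            hits.append((i, "connection to known IP " + ev["DestinationIp"]))
        if ev.get("QueryName", "").lower() in IOC_DOMAINS:
            hits.append((i, "DNS query for known domain " + ev["QueryName"]))
    return hits


def detect_browser_dropped_exe(events):
    """Behavioral rule: an .exe written by a browser process is later launched.

    Returns a list of (file_create_index, process_create_index, path).
    """
    dropped = {}  # lower-cased path -> index of the file-create event
    findings = []
    for i, ev in enumerate(events):
        if ev.get("EventID") == 11 and _basename(ev.get("Image", "")) in BROWSERS:
            target = ev.get("TargetFilename", "")
            if target.lower().endswith(".exe"):
                dropped[target.lower()] = i
        elif ev.get("EventID") == 1:
            image = ev.get("Image", "").lower()
            if image in dropped:
                findings.append((dropped[image], i, ev["Image"]))
    return findings


if __name__ == "__main__":
    for idx, why in match_iocs(SAMPLE_EVENTS):
        print(f"IoC hit at event {idx}: {why}")
    for created, executed, path in detect_browser_dropped_exe(SAMPLE_EVENTS):
        print(f"browser-dropped executable launched: {path} (create #{created}, exec #{executed})")
```

The hash match fires on the process-create event, the DNS and network events match the domain and IP, and the behavioral rule links the Chrome file-create to the later execution of update.exe while ignoring the Firefox download that was never run. In a real deployment the event list would be fed from an EDR or SIEM export, and the behavioral rule is the one worth keeping since hashes and infrastructure change between campaigns.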

https://www.bleepingcomputer.com/news/security/irs-authorized-efilecom-tax-return-software-caught-serving-js-malware/

https://twitter.com/malwrhunterteam/status/1643003319248465928