April brings tulips, taxes ... and phisherfolk scammers

The last few days of America's tax season are stressful enough, dealing with deadlines and, increasingly, online scams. Now comes another one, a sophisticated and ongoing phishing campaign by a threat group dubbed "Tactical#Octopus" that is using tax-related lures to spread malware.

Threat researchers at cybersecurity firm Securonix said the gang – which may be based in Russia – sends emails containing a password-protected zip file (with the password included in the body of the email) with names that sound like they could be tax-related, such as TitleContractDocs.zip or JRCLIENTCOPY3122.zip.

The Tactical#Octopus group, which is targeting people in the US, also use what seem to be valid tax forms and contracts.

"Some of the lure documents observed contained employee W-2 tax documents, I-9, and real estate purchase contracts," the researchers wrote in a report.

As with most phishing scams, the problems begin when the victim clicks on the zip file. Inside are two files, a single image file – usually a .png file – and a shortcut (.lnk) file. Double clicking on the shortcut kicks off the attack.

"Behind the lure document attachment is interesting malware which features stealthy AV [antivirus] evasion tactics, layers of code obfuscation and multiple C2 (command and control) channels," the researchers wrote, adding that the initial compromise is fairly complex.

"The initial code execution tactic through .lnk file execution is trivial and used by many threat actors these days. However, the PowerShell and VBScript code used are unique and sophisticated, especially from an AV avoidance and obfuscation standpoint, making this campaign important to watch."

It's a multi-step attack

After the shortcut file is opened, the heavily obfuscated VBScript is launched, containing nonsensical sentences used to evade detection by antivirus tools. Next comes the PowerShell code, which includes unconventional obfuscation methods, including manipulating strings of text pulled into it by passing it into a function called "Unrhe9" and converted into valid PowerShell syntax, which is then executed.

The next stage of the PowerShell execution also includes similar obfuscation techniques. The code, when made readable, looks similar to code that has been seen in the wild executing other attacks involving Cobalt Strike and backdoor remote access trojans (RATs), like Kovter.

After the binary payload – also obfuscated – is launched and one of the three C2 servers linked to the campaign is contacted, attackers can access to the targeted system. The Securonix researchers saw the ieinstal.exe binary capturing clipboard data and recording keystrokes as soon as it was up and running.

Two of the three C2 IP addresses were registered to a company called Petersburg Internet Network in Russia. The third address was registered to Des Capital in the US.

• Why a top US cyber spy urges: 'Get religion on backups'
• Ukrainian cops nab suspects accused of stealing $4.3m from victims across Europe
• AlienFox malware caught in the cloud hen house
• Malware disguised as Tor browser steals $400k in cryptocash

"This could indicate Russian origins," the researchers wrote. "However the possibility of false flag operations cannot be ruled out at this point. … Since all the samples that Securonix Threat Research identified are fairly recent, it's clear that this campaign is still ongoing. Businesses and individuals should be extra vigilant when opening tax-related emails, especially as the tax deadline in the US approaches."

Tax season and scammers

Tax season in the US typically is a busy time for scammers, given the huge amounts of personal, financial, and corporate data being collected and sent around, the mounting pressure of approaching filing deadlines (this year's deadline is April 18), and the possibility of stealing tax refunds. In addition, more than 90 percent of tax returns are filed online, according to the IRS.

Most common are phishing campaigns or miscreants pretending to be IRS or other government personnel.

The IRS over the past several weeks has released a string of alerts warning taxpayers about scams – which the agency tags as "The Dirty Dozen" – and how to spot them. One from March 21 warned about text and email campaigns, including phishing and smishing (SMS texting) cons.

"Email and text scams are relentless, and scammers frequently use tax season as a way of tricking people," IRS Commissioner Danny Werfel said in a statement.

"With people anxious to receive the latest information about a refund or other tax issue, scammers will regularly pose as the IRS, a state tax agency or others in the tax industry in emails and texts. People should be incredibly wary about unexpected messages like this that can be a trap, especially during filing season." ®