Malicious code was injected into eFile.com's server, an online service that assists people with filing tax returns. This resulted in malware being delivered to users' computers.
The service, which is authorized by the Internal Revenue Service (IRS) but not operated by the agency, was found to have been serving malware for several weeks before it was cleaned up earlier this week.
E-file is the IRS's official format for filing tax documents online, or electronically, usually without printing any documents, and the IRS recommends it for all federal tax filings. Citizens can use third-party software or websites to submit their returns, although such external services can pose additional security risks.
The April 18th tax-filing deadline for US citizens is approaching, and cyber-criminals are exploiting it to step up their campaigns against tax-filing services and their users in order to gain access to private information. In recent weeks, the eFile.com online platform has become one of the most popular sites for filing tax returns, and it has again become a victim of tax-related cybercrime.
The incident affects only eFile.com, not the IRS's own e-file infrastructure or similarly named domains.
In addition to the base64-encoded script, further JavaScript is loaded from amanewonliag dot online. If the user acts on the malicious prompt, they are asked to download an executable named "update.exe" or "installer.exe", depending on the browser they are using.
On closer inspection, researchers found a PHP backdoor inside the executables. The backdoor is designed to connect to 47.245.6.91, an IP address in Tokyo hosted by Alibaba. The malicious script popper.js also contacted the infoamanewonliag domain, which resolved to the same IP address.
In mid-March, a Reddit user first reported that the eFile.com website had been compromised: visitors were redirected to a fake 'network error' page and served a fake browser-update prompt.
If the user clicks on the link for a browser update, they will be served either the update.exe file or the installer.exe file, depending on the operating system.
In a report published by the SANS Internet Storm Center, Johannes Ullrich noted that the malicious files had very low detection rates on VirusTotal.
He also found that 'update.exe' was signed with a valid certificate issued to a company named Sichuan Niurui Science and Technology Co., Ltd.
In a follow-up post, Ullrich explains that his analysis of update.exe shows it to be a Python downloader. It fetches a PHP script that establishes communication with the command-and-control server, which is then used to relay messages to the attacker.
Analysis of a sample of the PHP script seen by MalwareHunterTeam determined it to be backdoor malware, which lets threat actors access the infected device and take control of it remotely.
The PHP script is installed in the background as part of the malware delivery.
The malware polls the attacker-controlled command-and-control server every ten seconds. As soon as it receives a task to run on the infected device, it begins executing it.
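A fixed polling interval like the ten-second check-in described above is one of the more reliable network artifacts a defender can look for. The following detector is an added example, not code from the article or from the researchers it cites: it groups proxy-log requests by (client, destination), measures the gaps between consecutive requests, and flags pairs whose gaps are nearly constant (low coefficient of variation). The log excerpt, the client address 10.0.0.5, the destination 203.0.113.10 and the host www.example.org are all constructed for the example.

```python
"""Flag clients that contact a destination at a near-fixed interval (beaconing)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy-log excerpt (not real traffic): "<ISO timestamp> <client> <destination>".
# 10.0.0.5 -> 203.0.113.10 checks in roughly every ten seconds, as the backdoor above does;
# 10.0.0.5 -> www.example.org is ordinary, irregular browsing mixed into the same log.
SAMPLE_LOG = """\
2023-04-04T10:00:00 10.0.0.5 203.0.113.10
2023-04-04T10:00:03 10.0.0.5 www.example.org
2023-04-04T10:00:05 10.0.0.5 www.example.org
2023-04-04T10:00:10 10.0.0.5 203.0.113.10
2023-04-04T10:00:21 10.0.0.5 203.0.113.10
2023-04-04T10:00:30 10.0.0.5 203.0.113.10
2023-04-04T10:00:40 10.0.0.5 203.0.113.10
2023-04-04T10:00:47 10.0.0.5 www.example.org
2023-04-04T10:00:51 10.0.0.5 203.0.113.10
2023-04-04T10:01:00 10.0.0.5 203.0.113.10
2023-04-04T10:01:10 10.0.0.5 203.0.113.10
2023-04-04T10:01:20 10.0.0.5 203.0.113.10
2023-04-04T10:01:31 10.0.0.5 203.0.113.10
2023-04-04T10:01:40 10.0.0.5 203.0.113.10
2023-04-04T10:01:50 10.0.0.5 203.0.113.10
2023-04-04T10:02:10 10.0.0.5 www.example.org
2023-04-04T10:02:12 10.0.0.5 www.example.org
this line is malformed and is skipped
2023-04-04T10:05:00 10.0.0.5 www.example.org
"""


def parse_log(text):
    """Group request timestamps by (client, destination); malformed lines are skipped."""
    series = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        series[(parts[1], parts[2])].append(ts)
    for times in series.values():
        times.sort()
    return series


def find_beacons(text, min_events=6, max_cv=0.2):
    """Return the (client, destination) pairs whose inter-request gaps are nearly constant.

    cv is the coefficient of variation (stdev / mean) of the gaps: close to 0 for a
    timer-driven check-in, large for human-driven browsing. min_events avoids flagging
    pairs with too few requests to judge.
    """
    hits = []
    for (client, dest), times in parse_log(text).items():
        if len(times) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"client": client, "dest": dest, "events": len(times),
                         "mean_interval": avg, "cv": cv})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['dest']}: {hit['events']} requests, "
              f"every {hit['mean_interval']:.1f}s (cv={hit['cv']:.2f})")
```

On the constructed log this reports a single pair, 10.0.0.5 to 203.0.113.10, checking in every 10.0 seconds with a cv of about 0.07; the browsing traffic to www.example.org has six requests but a cv above 1 and is not flagged. In production the thresholds should be tuned against known-good periodic traffic (update checks, monitoring agents), which this simple statistic will also surface.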
The eFile backdoor offered only the basics of what such malware provides, but that was still enough to give cybercriminals full access to an infected Windows PC and a foothold from which to attack other systems on a corporate network.
eFile.com has yet to explain what happened. The site has been targeted before: a group named OLOC, linked to LockBit ransomware, claims to have attacked it in January 2022.
According to the researcher, eFile removed the malicious JavaScript from the website on the 3rd of April. The attackers appear to have tried to remove the infection themselves before the cleanup, probably to cover their tracks. The malicious code appears to have been injected into every page on eFile.com as part of the attack.
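Because the injection sat in every page and consisted of an external script plus a base64-encoded inline script, a site owner can catch this class of compromise by auditing rendered pages against a known list of script hosts. The following audit is an added example, not eFile.com's code or the researchers' tooling: it collects every `<script>` on a page, flags external scripts whose host is not on an allowlist, and flags inline scripts that combine a long base64 blob with decode-and-execute calls. The two pages, the allowlist hosts cdn.example.com and www.example.com, and the host attacker-cdn.invalid are all constructed for the example; the filename popper.js is taken from the article.

```python
"""Audit a page's <script> tags for unexpected external hosts and obfuscated inline code."""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of src= on <script> tags
        self.inline = []        # bodies of <script> tags without src=
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


# A run of 80+ base64 characters is unusual in hand-written page scripts.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")
# Calls that turn an encoded string into executed code or injected markup.
DECODE_EXEC_CALLS = ("atob(", "eval(", "document.write(", "unescape(")


def audit_page(html, allowed_hosts):
    """Return a list of findings; an empty list means nothing unexpected was found."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.external:
        host = urlparse(src).hostname
        if host is None:            # relative src: same-origin, not an external load
            continue
        if host.lower() not in allowed_hosts:
            findings.append({"kind": "external_script", "host": host, "detail": src})
    for body in collector.inline:
        if BASE64_BLOB.search(body) and any(call in body for call in DECODE_EXEC_CALLS):
            findings.append({"kind": "obfuscated_inline", "host": None, "detail": body.strip()[:60]})
    return findings


# Constructed pages for the example. The clean page loads only same-origin and allowlisted scripts.
ALLOWED_HOSTS = {"www.example.com", "cdn.example.com"}
CLEAN_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example.com/lib/jquery.min.js"></script>
</head><body>
<script>document.getElementById("y").textContent = new Date().getFullYear();</script>
</body></html>"""

# Constructed injected payload: an external script from an unknown host plus an inline
# base64 blob that is decoded and executed (the blob here is just 90 'x' bytes, encoded).
_BLOB = base64.b64encode(b"x" * 90).decode()
INJECTED = ('<script src="https://attacker-cdn.invalid/popper.js"></script>\n'
            f'<script>var s=atob("{_BLOB}");eval(s);</script>\n')
COMPROMISED_PAGE = CLEAN_PAGE.replace("</body>", INJECTED + "</body>")

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("compromised", COMPROMISED_PAGE)):
        print(name, audit_page(page, ALLOWED_HOSTS))
```

The clean page produces no findings; the compromised page yields one `external_script` finding for attacker-cdn.invalid and one `obfuscated_inline` finding. Run against every page of a site after each deploy, a diff of these findings against the previous run is a cheap tripwire for the kind of site-wide injection described in the article.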