Hackers target US taxpayers with NetWire and Remcos malware

Security researchers have uncovered a new campaign targeting US taxpayers with malware-laced Microsoft Word documents that purport to contain tax-related content.

The scam ultimately aims to install NetWire and Remcos, two powerful remote access trojans (RATs) that enable attackers to take control of the victims' machines in order to steal sensitive information.

The scam could result in steep financial losses for taxpayers. Last year alone, the IRS identified more than $2.3 billion in tax fraud schemes.

According to a blog post by researchers at Cybereason, the new infection process is designed to evade antivirus tools and tricks targets into installing the malware via a tax-themed Word document containing a malicious macro that downloads an OpenVPN client on the targeted machine.

The malware dropper establishes a connection to the legitimate cloud service “Imgur” and downloads the NetWire or Remcos payloads by way of a technique called steganography, where the malicious code is hidden within an innocuous-looking jpeg image file.

Researchers said that the malware includes a variety of functions including the remote execution of shell commands on the infected machine, browser credential and history theft, the downloading and execution of additional malware payloads, screen captures and keylogging, as well as file and system management capabilities.

Assaf Dahan, senior director and head of threat research at Cybereason, said that social engineering via phishing emails continues to be the preferred infection method among both cyber criminals and nation-state threat actors.

“The potential for damage is serious and the malware allows threat actors to gain full control over a victim’s machine and steal sensitive information from users or their employers. In this research, we demonstrate how the attackers are leveraging the US tax season to infect targets at will,” he said

“The use of various techniques such as steganography, storing payloads on legitimate cloud-based services, and exploiting DLL sideloading against a legitimate software makes these campaigns very difficult to detect. The sensitive information collected from the victims can be sold in the underground communities and used to carry out all manner of identity theft and financial fraud,” said Dahan.

Paul Bischoff, privacy advocate at Comparitech, told IT Pro that this attack is particularly clever because it gets its payload from an image stored on a popular and trusted site, Imgur, instead of trying to download from the hacker's server.

“The attack is easy to prevent with good digital hygiene. Never click on links or attachments in unsolicited emails. Always verify the sender before clicking a link or attachment. Be especially skeptical of MS Office documents and be sure that macros are disabled by default on your MS Office apps,” he said.