Threat actors strive to cause Tax Day headaches | Microsoft Security Blog

Threat actors targeted tax preparation and financial services firms with a Tax Day-themed phishing campaign delivering the Remcos remote access trojan (RAT), culminating in network access and lateral movement. The attackers use a chain that hides the lure behind legitimate services (AWStrack, Hightail), delivers LNK shortcuts, and relies on GuLoader to download Remcos while evading detection.

Key points

  • The phishing campaign specifically targets tax-related firms and professionals as Tax Day approaches.
  • Lures impersonate tax documents from clients and use a legitimate click-tracking service to avoid detection.
  • The initial link redirects to a ZIP hosted on a legitimate file-sharing service, containing Windows shortcut (.LNK) files.
  • LNK files cause web requests to actor-controlled domains/IPs to download additional malicious payloads (MSI/DLLs, VBScript, PDFs).

MITRE Techniques

  • [T1566.002] Spearphishing Link – The campaign uses lures masquerading as tax documentation sent by a client, while the link in the email goes through a legitimate click-tracking service to evade detection. “The target is then redirected to a legitimate file hosting site, where the actor has uploaded Windows shortcut (.LNK) files.”
  • [T1105] Ingress Tool Transfer – The LNK files fetch the follow-on payloads (MSI/DLLs, VBScript, PDFs) from actor-controlled infrastructure. “These LNK files generate web requests to actor-controlled domains and/or IP addresses to download malicious files.”
  • [T1059.001] PowerShell – PowerShell commands embedded in VBScript files drive the payload execution chain. “VBScript files containing PowerShell commands.”
  • [T1059.005] Visual Basic – VBScript is the wrapper that invokes those PowerShell commands in the delivery chain. “VBScript files containing PowerShell commands.”
  • [T1027] Obfuscated/Compressed Files – The GuLoader downloader uses encryption and obfuscation to evade analysis while delivering Remcos. “encryption and obfuscation of the GuLoader shellcode and payloads.”
  • [T1219] Remote Access Software – Remcos is the final payload; once installed it gives the actor remote administrative control of the host. “Remcos, which stands for ‘Remote Control and Surveillance’, is a closed-source tool that allows threat actors to gain administrator privileges on Windows systems remotely.”

Indicators of Compromise

  • [Domain] – uymm.org, awstrack.me, and spaces.hightail.com
  • [URL] – https://uymm.org/roman.msi
  • [SHA-256] – 23597910ec60cf8b97144447c5cddd2e657d09e2f2008d53a3834b6058f36a41, 95a2d34db66ce4507d05ac33bea3bdc054860d9d97e91bdc2ce7ce689ae06e9f, and 1 more hash
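The two detection opportunities this summary gives a defender are the delivery artifact (a ZIP from a file-sharing service that contains Windows shortcut files instead of the promised tax documents) and the network chain (click tracker, then file host, then a download from the actor's domain). The script below is an added example, not Microsoft's code or part of the original post: it flags .LNK members inside an archive and classifies proxy log lines against the indicators listed above. The ZIP contents, the host names, the process names and the log lines are constructed; only the domains, the URL and the two hashes come from the page. The log format (timestamp, host, process, URL) and the severity labels are assumptions for illustration.

```python
"""Detection helpers for the LNK-in-ZIP lure and the network IoCs described
in the summary. Added example; the archive and log lines are constructed,
the indicator values are the ones listed on the page."""
import io
import re
import zipfile
from urllib.parse import urlparse

# Indicators from the page. uymm.org served the MSI payload and is treated as
# actor infrastructure. awstrack.me and spaces.hightail.com are legitimate
# services that were abused for redirection and hosting, so on their own they
# only merit a lower-severity alert, not a block.
ACTOR_DOMAINS = {"uymm.org"}
ABUSED_SERVICES = {"awstrack.me", "spaces.hightail.com"}
IOC_URLS = {"https://uymm.org/roman.msi"}
IOC_SHA256 = {
    "23597910ec60cf8b97144447c5cddd2e657d09e2f2008d53a3834b6058f36a41",
    "95a2d34db66ce4507d05ac33bea3bdc054860d9d97e91bdc2ce7ce689ae06e9f",
}


def lnk_members(zip_bytes: bytes) -> list:
    """Return the names of Windows shortcut members in a ZIP archive.
    The test is on the real extension, not the one the sender wants the user
    to see: 'Tax_Return_2022.pdf.lnk' is still a shortcut."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(".lnk")]


# Assumed log layout: "<timestamp> <host> <process> <url>" (constructed).
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<url>https?://\S+)")


def scan_proxy_log(lines) -> list:
    """Classify proxy log lines against the indicators.
    Returns (severity, host, url) tuples for every line that touches one."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        url = m.group("url")
        domain = (urlparse(url).hostname or "").lower()
        if url in IOC_URLS or domain in ACTOR_DOMAINS:
            hits.append(("high", m.group("host"), url))
        elif domain in ABUSED_SERVICES:
            hits.append(("medium", m.group("host"), url))
    return hits


def hash_is_known(sha256_hex: str) -> bool:
    """True if a file hash matches one of the published sample hashes."""
    return sha256_hex.strip().lower() in IOC_SHA256


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the lure: a decoy PDF beside a shortcut
    whose name ends in .pdf.lnk. The shortcut body is a dummy header only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Client_W2_2022.pdf", b"%PDF-1.4 decoy")
        zf.writestr("Tax_Return_2022.pdf.lnk", b"L\x00\x00\x00" + b"\x00" * 60)
    return buf.getvalue()


# Constructed log excerpt following the chain in the summary: click tracker,
# file-sharing host, then the payload download from the actor domain.
SAMPLE_LOG = [
    "2023-04-12T09:01:02Z WS-ACCT-07 outlook.exe https://awstrack.me/L0/redirect-token",
    "2023-04-12T09:01:05Z WS-ACCT-07 msedge.exe https://spaces.hightail.com/receive/abc123",
    "2023-04-12T09:02:11Z WS-ACCT-07 powershell.exe https://uymm.org/roman.msi",
    "2023-04-12T09:02:30Z WS-ACCT-07 msedge.exe https://www.irs.gov/forms",
]

if __name__ == "__main__":
    print("shortcut members:", lnk_members(build_sample_zip()))
    for severity, host, url in scan_proxy_log(SAMPLE_LOG):
        print(f"[{severity}] {host} -> {url}")
```

The medium-severity hits on the click tracker and file host are not actionable alone, but the same workstation reaching the actor domain minutes later is, so a rule that requires the high-severity hit and then pulls in the preceding medium hits from the same host reconstructs the delivery chain without blocking the legitimate services.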

Read more: https://www.microsoft.com/en-us/security/blog/2023/04/13/threat-actors-strive-to-cause-tax-day-headaches/