Threat actors are running a tax-season phishing campaign that impersonates the IRS to trick targets into downloading malware. The attack chain uses an IRS-themed lure, a captcha step, an XLL file, and a ZIP payload that installs NetSupport Manager as a remote access Trojan connecting to a threat actor-controlled C2 server. #NetsupportManager #IRSPhishing
Key points
- The campaign spoofs the U.S. Internal Revenue Service (IRS) to download malware onto user systems.
- The phishing email prompts recipients to click a button to fill out “Form 4721” and update assets for tax purposes.
- Users are redirected to a captcha page, where they must enter a three-digit code to proceed.
- An XLL file is downloaded, which then reaches out to a remote directory and triggers a ZIP download named “DROP.zip.”
- The ZIP contains the NetSupport Manager payload; client32.exe is the component run to establish remote access.
- The infected host connects to a threat actor–owned C2 server via NetSupport Manager rather than to a legitimate IT support service.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Link – The campaign impersonates the IRS to lure victims into clicking a link. “The email prompts users to click on the button to fill out ‘Form 4721’ and update their company’s assets for tax purposes.”
- [T1204] User Execution – The user interacts with the phishing content and proceeds after clicking the link. “The email prompts users to click on the button to fill out …”
- [T1105] Ingress Tool Transfer – An XLL file is downloaded and in turn triggers a ZIP download that delivers the payload. “When ‘continue’ is clicked, an XLL file is downloaded. … downloads a ZIP file named ‘DROP.zip.’”
- [T1071.001] Application Layer Protocol: Web Protocols – The payload connects to a threat actor–owned C2 server over web channels for command and control. “a connection is established with a threat actor-owned command-and-control (C2) server.”
- [T1219] Remote Access Tools – NetSupport Manager is used as a remote access Trojan to control compromised systems. “Netsupport Manager is an application typically used to give remote access to another machine.” and “remote access trojan (RAT) the threat actor employs.”
Indicators of Compromise
- [URL] phishing infrastructure – hXXps://irsbusinessaudit[.]net/captcha.php, hXXps://irsbusinessaudit[.]net/DROP.ZIP, and 1 more item
- [IP] related addresses – 185.225.19.116, 45.76.172.113
- [Domain] phishing and payload-hosting domain – irsbusinessaudit[.]net
- [File] downloaded payloads – DROP.ZIP, client32.exe
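The following Python is an added detection example, not code from the Cofense report: it maps host telemetry onto the stages of the chain described above (lure domain contact, XLL dropped in a user directory, ZIP fetched from the same domain, client32.exe run from a user-writable path, beacon to a listed IP) and flags hosts showing more than one stage. The event schema and the sample events are constructed; because NetSupport Manager is also a legitimate product, the rule keys on install path and the report's indicators rather than on the file name alone.

```python
from urllib.parse import urlparse
from collections import defaultdict
import ntpath

# Indicators taken from the report (defanged there; normalised here for matching)
IOC_DOMAINS = {"irsbusinessaudit.net"}
IOC_IPS = {"185.225.19.116", "45.76.172.113"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\")

# Constructed sample telemetry (not real logs): WS01 follows the reported chain,
# WS02 runs a legitimately installed NetSupport client talking to an internal host.
SAMPLE_EVENTS = [
    {"type": "http", "host": "WS01", "url": "https://irsbusinessaudit.net/captcha.php"},
    {"type": "file", "host": "WS01", "path": r"C:\Users\alice\Downloads\form.xll"},
    {"type": "http", "host": "WS01", "url": "https://irsbusinessaudit.net/DROP.ZIP"},
    {"type": "process", "host": "WS01", "image": r"C:\Users\alice\AppData\Local\Temp\DROP\client32.exe"},
    {"type": "network", "host": "WS01", "process": "client32.exe", "dst_ip": "185.225.19.116"},
    {"type": "process", "host": "WS02", "image": r"C:\Program Files\NetSupport\NetSupport Manager\client32.exe"},
    {"type": "network", "host": "WS02", "process": "client32.exe", "dst_ip": "10.0.0.5"},
]

def _in_user_dir(path):
    return any(seg in path.lower() for seg in USER_WRITABLE)

def classify(ev):
    """Map one telemetry event to a stage of the reported chain, or None."""
    t = ev["type"]
    if t == "http" and (urlparse(ev["url"]).hostname or "").lower() in IOC_DOMAINS:
        return "zip_download" if ev["url"].lower().endswith(".zip") else "lure"
    if t == "file" and ev["path"].lower().endswith(".xll") and _in_user_dir(ev["path"]):
        return "xll_dropped"
    if (t == "process" and ntpath.basename(ev["image"]).lower() == "client32.exe"
            and _in_user_dir(ev["image"])):  # NetSupport client run from a user-writable path
        return "rat_executed"
    if t == "network" and ev["process"].lower() == "client32.exe" and ev["dst_ip"] in IOC_IPS:
        return "c2_beacon"
    return None

def stages_by_host(events):
    """Collect the distinct chain stages observed on each host."""
    found = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            found[ev["host"]].add(stage)
    return dict(found)

def flagged_hosts(events, min_stages=2):
    """Hosts showing at least min_stages distinct stages of the chain."""
    return sorted(h for h, s in stages_by_host(events).items() if len(s) >= min_stages)
```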
Read more: https://cofense.com/blog/rat-campaign-looks-to-take-advantage-of-the-tax-season