IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Hackers target US taxpayers with NetWire and Remcos malware

Attackers are attempting to lure victims with malware-laced Word documents that purport to contain tax-related content

Security researchers have uncovered a new campaign targeting US taxpayers with malware-laced Microsoft Word documents that purport to contain tax-related content. 

The scam ultimately aims to install NetWire and Remcos, two powerful remote access trojans (RATs) that enable attackers to take control of the victims' machines in order to steal sensitive information. 

The scam could result in steep financial losses for taxpayers. Last year alone, the IRS identified more than $2.3 billion in tax fraud schemes.

According to a blog post by researchers at Cybereason, the new infection process is designed to evade antivirus tools and tricks targets into installing the malware via a tax-themed Word document containing a malicious macro that downloads an OpenVPN client on the targeted machine. 

The malware dropper establishes a connection to the legitimate cloud service “Imgur” and downloads the NetWire or Remcos payloads by way of a technique called steganography, where the malicious code is hidden within an innocuous-looking jpeg image file.

Researchers said that the malware includes a variety of functions including the remote execution of shell commands on the infected machine, browser credential and history theft, the downloading and execution of additional malware payloads, screen captures and keylogging, as well as file and system management capabilities.

Assaf Dahan, senior director and head of threat research at Cybereason, said that social engineering via phishing emails continues to be the preferred infection method among both cyber criminals and nation-state threat actors. 

“The potential for damage is serious and the malware allows threat actors to gain full control over a victim’s machine and steal sensitive information from users or their employers. In this research, we demonstrate how the attackers are leveraging the US tax season to infect targets at will,” he said 

“The use of various techniques such as steganography, storing payloads on legitimate cloud-based services, and exploiting DLL sideloading against a legitimate software makes these campaigns very difficult to detect. The sensitive information collected from the victims can be sold in the underground communities and used to carry out all manner of identity theft and financial fraud,” said Dahan.

Paul Bischoff, privacy advocate at Comparitech, told IT Pro that this attack is particularly clever because it gets its payload from an image stored on a popular and trusted site, Imgur, instead of trying to download from the hacker's server.

“The attack is easy to prevent with good digital hygiene. Never click on links or attachments in unsolicited emails. Always verify the sender before clicking a link or attachment. Be especially skeptical of MS Office documents and be sure that macros are disabled by default on your MS Office apps,” he said.

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Recommended

Education and government most at risk from email threats
phishing

Education and government most at risk from email threats

26 Nov 2021
Attackers use CSS to fool anti-phishing systems
phishing

Attackers use CSS to fool anti-phishing systems

11 Nov 2021
Hackers could use new Wslink malware in highly targeted cyber attacks
malware

Hackers could use new Wslink malware in highly targeted cyber attacks

1 Nov 2021
FBI raids Chinese POS business following cyber attack claims
malware

FBI raids Chinese POS business following cyber attack claims

27 Oct 2021

Most Popular

Open source packages with millions of installs hacked to harvest AWS credentials
hacking

Open source packages with millions of installs hacked to harvest AWS credentials

24 May 2022
Europe's first autonomous petrol station opens in Lisbon
automation

Europe's first autonomous petrol station opens in Lisbon

23 May 2022
Nvidia pauses hiring to help cope with inflation
Careers & training

Nvidia pauses hiring to help cope with inflation

23 May 2022