Hackers target US taxpayers with NetWire and Remcos malware

Attackers are attempting to lure victims with malware-laced Word documents that purport to contain tax-related content

Malware in code

Security researchers have uncovered a new campaign targeting US taxpayers with malware-laced Microsoft Word documents that purport to contain tax-related content. 

The scam ultimately aims to install NetWire and Remcos, two powerful remote access trojans (RATs) that enable attackers to take control of the victims' machines in order to steal sensitive information. 

The scam could result in steep financial losses for taxpayers. Last year alone, the IRS identified more than $2.3 billion in tax fraud schemes.

According to a blog post by researchers at Cybereason, the new infection process is designed to evade antivirus tools and tricks targets into installing the malware via a tax-themed Word document containing a malicious macro that downloads an OpenVPN client on the targeted machine. 

The malware dropper establishes a connection to the legitimate cloud service “Imgur” and downloads the NetWire or Remcos payloads by way of a technique called steganography, where the malicious code is hidden within an innocuous-looking jpeg image file.

Researchers said that the malware includes a variety of functions including the remote execution of shell commands on the infected machine, browser credential and history theft, the downloading and execution of additional malware payloads, screen captures and keylogging, as well as file and system management capabilities.

Assaf Dahan, senior director and head of threat research at Cybereason, said that social engineering via phishing emails continues to be the preferred infection method among both cyber criminals and nation-state threat actors. 

“The potential for damage is serious and the malware allows threat actors to gain full control over a victim’s machine and steal sensitive information from users or their employers. In this research, we demonstrate how the attackers are leveraging the US tax season to infect targets at will,” he said 

“The use of various techniques such as steganography, storing payloads on legitimate cloud-based services, and exploiting DLL sideloading against a legitimate software makes these campaigns very difficult to detect. The sensitive information collected from the victims can be sold in the underground communities and used to carry out all manner of identity theft and financial fraud,” said Dahan.

Paul Bischoff, privacy advocate at Comparitech, told IT Pro that this attack is particularly clever because it gets its payload from an image stored on a popular and trusted site, Imgur, instead of trying to download from the hacker's server.

“The attack is easy to prevent with good digital hygiene. Never click on links or attachments in unsolicited emails. Always verify the sender before clicking a link or attachment. Be especially skeptical of MS Office documents and be sure that macros are disabled by default on your MS Office apps,” he said.

Featured Resources

Unlocking collaboration: Making software work better together

How to improve collaboration and agility with the right tech

Download now

Four steps to field service excellence

How to thrive in the experience economy

Download now

Six things a developer should know about Postgres

Why enterprises are choosing PostgreSQL

Download now

The path to CX excellence for B2B services

The four stages to thrive in the experience economy

Download now

Recommended

Russia launched over a million cyber attacks in three months
hacking

Russia launched over a million cyber attacks in three months

13 Apr 2021
Hackers leak data from dark web marketplace
cyber security

Hackers leak data from dark web marketplace

9 Apr 2021
Hackers are using fake messages to break into WhatsApp accounts
instant messaging (IM)

Hackers are using fake messages to break into WhatsApp accounts

8 Apr 2021
Hackers sell $38 million in gift cards on Russian marketplace
hacking

Hackers sell $38 million in gift cards on Russian marketplace

7 Apr 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
Hackers are using fake messages to break into WhatsApp accounts
instant messaging (IM)

Hackers are using fake messages to break into WhatsApp accounts

8 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021