Security researchers have uncovered a new campaign targeting US taxpayers with malware-laced Microsoft Word documents that purport to contain tax-related content.
The scam ultimately aims to install NetWire and Remcos, two powerful remote access trojans (RATs) that enable attackers to take control of the victims' machines in order to steal sensitive information.
The scam could result in steep financial losses for taxpayers. Last year alone, the IRS identified more than $2.3 billion in tax fraud schemes.
According to a blog post by researchers at Cybereason, the new infection process is designed to evade antivirus tools and tricks targets into installing the malware via a tax-themed Word document containing a malicious macro that downloads an OpenVPN client on the targeted machine.
The malware dropper establishes a connection to the legitimate cloud service “Imgur” and downloads the NetWire or Remcos payloads by way of a technique called steganography, where the malicious code is hidden within an innocuous-looking jpeg image file.
Researchers said that the malware includes a variety of functions including the remote execution of shell commands on the infected machine, browser credential and history theft, the downloading and execution of additional malware payloads, screen captures and keylogging, as well as file and system management capabilities.
Assaf Dahan, senior director and head of threat research at Cybereason, said that social engineering via phishing emails continues to be the preferred infection method among both cyber criminals and nation-state threat actors.
“The potential for damage is serious and the malware allows threat actors to gain full control over a victim’s machine and steal sensitive information from users or their employers. In this research, we demonstrate how the attackers are leveraging the US tax season to infect targets at will,” he said
“The use of various techniques such as steganography, storing payloads on legitimate cloud-based services, and exploiting DLL sideloading against a legitimate software makes these campaigns very difficult to detect. The sensitive information collected from the victims can be sold in the underground communities and used to carry out all manner of identity theft and financial fraud,” said Dahan.
Paul Bischoff, privacy advocate at Comparitech, told IT Pro that this attack is particularly clever because it gets its payload from an image stored on a popular and trusted site, Imgur, instead of trying to download from the hacker's server.
“The attack is easy to prevent with good digital hygiene. Never click on links or attachments in unsolicited emails. Always verify the sender before clicking a link or attachment. Be especially skeptical of MS Office documents and be sure that macros are disabled by default on your MS Office apps,” he said.
-
RSAC Conference 2025: The front line of cyber innovationITPro Podcast Ransomware, quantum computing, and an unsurprising focus on AI were highlights of this year's event
-
Anthropic CEO Dario Amodei thinks we're burying our heads in the sand on AI job lossesNews With AI set to hit entry-level jobs especially, some industry execs say clear warning signs are being ignored
-
The FBI says hackers are using AI voice clones to impersonate US government officialsNews The campaign uses AI voice generation to send messages pretending to be from high-ranking figures
-
Employee phishing training is working – but don’t get complacentNews Educating staff on how to avoid phishing attacks can cut the rate by 80%
-
Russian hackers tried to lure diplomats with wine tasting – sound familiar? It’s an update to a previous campaign by the notorious Midnight Blizzard groupNews The Midnight Blizzard threat group has been targeting European diplomats with malicious emails offering an invite to wine tasting events, according to Check Point.
-
This hacker group is posing as IT helpdesk workers to target enterprises – and researchers warn its social engineering techniques are exceptionally hard to spotNews The Luna Moth hacker group is ramping up attacks on firms across a range of industries with its 'callback phishing' campaign, according to security researchers.
-
Hackers are using Zoom’s remote control feature to infect devices with malwareNews Security experts have issued an alert over a new social engineering campaign using Zoom’s remote control features to take over victim devices.
-
State-sponsored cyber groups are flocking to the 'ClickFix' social engineering techniqueNews State-sponsored hackers from North Korea, Iran, and Russia are exploiting the ‘ClickFix’ social engineering technique for the first time – and to great success.
-
Have I Been Pwned owner Troy Hunt’s mailing list compromised in phishing attackTroy Hunt, the security blogger behind data-breach site Have I Been Pwned, has fallen victim to a phishing attack targeting his email subscriber list.
-
LinkedIn has become a prime hunting ground for cyber criminals – here’s what you need to knowNews Cyber criminals are flocking to LinkedIn to conduct social engineering campaigns, research shows.
