Hackers target US taxpayers with NetWire and Remcos malware

Attackers are attempting to lure victims with malware-laced Word documents that purport to contain tax-related content

Security researchers have uncovered a new campaign targeting US taxpayers with malware-laced Microsoft Word documents that purport to contain tax-related content. 

The scam ultimately aims to install NetWire and Remcos, two powerful remote access trojans (RATs) that enable attackers to take control of the victims' machines in order to steal sensitive information. 

The scam could result in steep financial losses for taxpayers. Last year alone, the IRS identified more than $2.3 billion in tax fraud schemes.

According to a blog post by researchers at Cybereason, the new infection process is designed to evade antivirus tools and tricks targets into installing the malware via a tax-themed Word document containing a malicious macro that downloads an OpenVPN client on the targeted machine. 

The malware dropper establishes a connection to the legitimate cloud service “Imgur” and downloads the NetWire or Remcos payloads by way of a technique called steganography, where the malicious code is hidden within an innocuous-looking jpeg image file.

Researchers said that the malware includes a variety of functions including the remote execution of shell commands on the infected machine, browser credential and history theft, the downloading and execution of additional malware payloads, screen captures and keylogging, as well as file and system management capabilities.

Assaf Dahan, senior director and head of threat research at Cybereason, said that social engineering via phishing emails continues to be the preferred infection method among both cyber criminals and nation-state threat actors. 

“The potential for damage is serious and the malware allows threat actors to gain full control over a victim’s machine and steal sensitive information from users or their employers. In this research, we demonstrate how the attackers are leveraging the US tax season to infect targets at will,” he said 

“The use of various techniques such as steganography, storing payloads on legitimate cloud-based services, and exploiting DLL sideloading against a legitimate software makes these campaigns very difficult to detect. The sensitive information collected from the victims can be sold in the underground communities and used to carry out all manner of identity theft and financial fraud,” said Dahan.

Paul Bischoff, privacy advocate at Comparitech, told IT Pro that this attack is particularly clever because it gets its payload from an image stored on a popular and trusted site, Imgur, instead of trying to download from the hacker's server.

“The attack is easy to prevent with good digital hygiene. Never click on links or attachments in unsolicited emails. Always verify the sender before clicking a link or attachment. Be especially skeptical of MS Office documents and be sure that macros are disabled by default on your MS Office apps,” he said.

Featured Resources

Shining light on new 'cool' cloud technologies and their drawbacks

IONOS Cloud Up! Summit, Cloud Technology Session with Russell Barley

Watch now

Build mobile and web apps faster

Three proven tips to accelerate modern app development

Free download

Reduce the carbon footprint of IT operations up to 88%

A carbon reduction opportunity

Free Download

Comparing serverless and server-based technologies

Determining the total cost of ownership

Free download

Recommended

Education and government most at risk from email threats
phishing

Education and government most at risk from email threats

26 Nov 2021
Attackers use CSS to fool anti-phishing systems
phishing

Attackers use CSS to fool anti-phishing systems

11 Nov 2021
Hackers could use new Wslink malware in highly targeted cyber attacks
malware

Hackers could use new Wslink malware in highly targeted cyber attacks

1 Nov 2021
FBI raids Chinese POS business following cyber attack claims
malware

FBI raids Chinese POS business following cyber attack claims

27 Oct 2021

Most Popular

Business customers can get 30% off the Surface Laptop Go for Black Friday 2021
Laptops

Business customers can get 30% off the Surface Laptop Go for Black Friday 2021

26 Nov 2021
Nike to take customers into the metaverse with 'NIKELAND'
virtualisation

Nike to take customers into the metaverse with 'NIKELAND'

19 Nov 2021
Flaw in Android phones could let attackers eavesdrop on calls
Google Android

Flaw in Android phones could let attackers eavesdrop on calls

26 Nov 2021