Trojan malware campaign targets tax-filers with fake IRS documents

jRAT payload even contains the ability to hack infected machines and use them to take photos

istock-taxes.jpgCybercriminals are trying to exploit the tax deadline in order to dupe victims.

Image: iStock




Cybercriminals are taking advantage of US tax payers leaving it to the last minute to file their taxes ahead of today's April 18 deadline to in order to spread remote access Trojan malware with the capable of stealthily compromising their computer and any data stored on it.

Tax season is a prime time for cybercriminals to attempt to steal financial information and personal data, especially when potential victims are concerned about money they either owe or are owed.

It's such a major problem that the IRS itself previously issued a warning that phishing scams were set to target US tax payers and now cybersecurity researchers at Zscaler have noticed a surge in Java-based remote access Trojan variants - jRATs - being distributed in emails which claim to be communications from the IRS.

If successfully installed on the target system, these Trojans give cybercriminals a backdoor into the network, allowing them to extract data ranging from financial and personal information, images and documents - and even ability to hijack a laptop camera to take photos.

"The jRAT payload is capable of receiving commands from a C&C server, downloading and executing arbitrary payloads on the victim's machine. It also has the ability to spy on the victim by silently activating the camera and taking pictures, said Sammer Patil, security researcher at Zscaler.

The malware is delivered in emails claiming to contain important tax deadline information from the IRS and inviting the user to download attachments with names such as "IRS Updates.jar" and "Important_PDF.jar".

The JAR file is a dropper which, if opened, runs the jRAT code, ultimately compromising the machine and the network it is on with Trojan malware which creates an autostart registry to launch itself upon system reboot in order to increase persistence.

The malware itself connects to to a hardcoded URL to download further instructions and malicious executable files. The linked website is known to cybersecurity researchers as it has previously played host to the Loki information-stealing bot.

Ultimately, this surge in jRAT Trojan is just another instance of cybercriminals attempting to jump on the bandwagon of current events in an effort to make a profit in the simplest way possible.

"Malware continues to draw in unsuspecting victims by using current issues and relevant events of the day to capture people's attention and interest. With one click, users can become victims, making themselves and their corporate networks vulnerable to attack by malicious payloads," says Patil.

While phishing emails are becoming increasingly sophisticated via the use of advanced social engineering tactics, you can detect them if you know what to look for.

The most important information to remember when it comes to messages which claim to be from the IRS, HMRC or any other tax body is that the tax collector will never ask for your bank account details or other personal data to be sent over email. If an email asks for that, it's a scam.

No Comments Yet.

Leave a comment

%d bloggers like this: