Visitors of tax return e-file service may have downloaded malware
The IRS-authorized electronic filing service for tax returns, eFile.com, has been caught serving a couple of malicious JavaScript (JS) files these past few weeks, according to several security researchers and corroborated by BleepingComputer. Note this security incident only concerns eFile.com, not the IRS’ e-file infrastructure and other similar-sounding domains.
As of this writing, eFile.com is clean. Users can access it without worry.
The attack began 18 days ago
The incident first arose as a possibility that something might be up with the website. A Reddit user encountered a fake “Network Error” page when accessing www.efile.com. The page, as shown below, informed visitors their browser “uses an unsupported protocol,” and that they need to click the link it provided to them to update their browser—a known tactic often used by scammers.
This fake error message used to come up when visiting the domain. Uncharacteristically, it told visitors to update their browsers. This made Redditors suspect the domain was hijacked. (Source: /u/SaltyPotter, original image cropped to fit)
This, however, is no scam.
Known figures in cybersecurity, such as MalwareHunterTeam (@malwarehunterteam) and Johannes Ullrich (@johullrich) of SANS, caught wind of the potential site compromise and dug in, with each writing their analysis.
According to both MalwareHunterTeam and Ullrich, a malformed JS file named popper.js contains encrypted malicious code—meaning it cannot be read plainly. Its purpose is to load another JS script called update.js hosted on an Amazon Web Services (AWS) site. update.js contains code used to display the fake error page.
popper.js is a legitimate file modified to do malicious tasks. Because almost every page within the eForm website loads it, the malicious activities we mentioned are triggered every time a user visits any site page.
update.js also contains two hard-coded download URLs, both served on the malicious domain infoamanewonliag[.]online. The two payloads are for two specific browsers visitors typically use, Chrome and Firefox.
“So different browsers get different payloads,” says Ullrich. Chrome users get a payload named “update.exe” with a valid signature from Sichuan Niurui Science and Technology. Firefox users get “installer.exe.” There is no indication if browsers based on Chromium (where Chrome is based) or Quantum (where Firefox is based) could also receive the payloads.
BleepingComputer has independently confirmed the payloads connect to an IP address hosted by Alibaba in China. The same IP also hosts the illicit domain the payloads were downloaded from.
These executables were written in Python. Malwarebytes detects them as Trojan.Downloader.Python.
As of Wednesday, popper.js is free of malicious code.
The backdoor
Once users execute the payload, a PHP script runs quietly in the background. BleepingComputer’s analysis shows that every 10 seconds, the backdoor script connects to a remote command and control (C2) server to receive one or more tasks to perform on the affected system. These include “executing a command and sending its output back to the attackers or downloading additional files onto the computer.”
The backdoor is unsophisticated, but it’s enough to give attackers access to the entire system, including company-owned devices.
“The full scope of this incident, including if the attack successfully infected any eFile.com visitors and customers, remains yet to be learned,” says BleepingComputer.
Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.