As the US tax season draws to a close, accountants are struggling to complete and file their clients’ tax returns on time.
Unfortunately, this has provided an opportunity for attackers to launch phishing campaigns aimed at infiltrating corporate networks and stealing sensitive information from taxpayers and financial companies.
Microsoft Threat Intelligence has issued a warning about a new phishing campaign that uses remote desktop malware to gain access to victims’ networks. The attackers send emails containing infected files, hoping that exhausted tax preparers and their clients will unwittingly download and open them.
The phishing emails often contain a message similar to:
“Our individual tax filings shouldn’t take up much of your time, so I apologize for not getting back to you sooner. I’m going to presume you want a copy of everything we’ve had for the last year. Password-protected cloud storage is used for all PDF documents.”
How does it happen?
Once the infected file is downloaded and activated, the malware starts PowerShell to obtain an encrypted VBS script from a remote host, saves it to C:\Windows\Tasks, and runs it. To avoid raising suspicion, the PDF bait is opened simultaneously through Microsoft Edge. Microsoft experts warn that the GuLoader malware is downloaded and installed on the host when the VBS script is triggered using PowerShell. The Remcos remote access Trojan is then downloaded onto the compromised device.
How to protect yourself?
The hackers’ primary targets are businesses and individuals in the accounting, tax planning, and financial sectors. To protect yourself from this type of attack, pay close attention to the files attached to emails: be cautious about opening attachments from unknown senders, and check the file size and extension before opening them. Enabling the display of hidden Windows files can help reveal malicious shortcuts disguised as PDF files, and enabling the display of file extensions makes it easier to verify that a file really is what its name claims to be.
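As an added example (not from the article or from Microsoft’s report), the following Python script applies the two indicators the text describes, a document-looking attachment whose real extension is executable and a .vbs script run from C:\Windows\Tasks, to constructed sample data. The attachment names, process records and extension lists are invented for illustration; the process records are shaped like Sysmon process-creation fields.

```python
import re
from pathlib import PureWindowsPath

DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx"}
EXEC_EXTS = {"lnk", "exe", "scr", "js", "vbs", "bat", "cmd", "hta"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
# A .vbs under the staging path named in the article (C:\Windows\Tasks).
TASKS_VBS = re.compile(r"c:\\windows\\tasks\\[^\s'\"]+\.vbs\b", re.IGNORECASE)

def disguised_extension(filename: str) -> bool:
    """True for names like Tax.pdf.lnk: a document extension is what the user
    sees when extensions are hidden, but an executable extension is underneath."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, shown, real = parts
    return shown in DOC_EXTS and real in EXEC_EXTS

def flags_staged_script(event: dict) -> bool:
    """True when a script host executes a .vbs out of the Windows Tasks folder."""
    image = PureWindowsPath(event["image"]).name.lower()
    return image in SCRIPT_HOSTS and bool(TASKS_VBS.search(event["cmdline"]))

# Constructed sample input: attachment names from a mailbox and process events.
ATTACHMENTS = ["Tax_Return_2022.pdf", "Tax_Return_2022.pdf.lnk", "W2_Forms.PDF.exe"]
PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" C:\Windows\Tasks\update.vbs'},
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                r"C:\Users\acct\Downloads\Tax_Return_2022.pdf"},
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" C:\Scripts\logon.vbs'},  # benign
]

def triage(attachments, events) -> list:
    """Collect findings from both checks as human-readable lines."""
    findings = [f"disguised attachment: {a}" for a in attachments if disguised_extension(a)]
    findings += [f"staged script: {e['cmdline']}" for e in events if flags_staged_script(e)]
    return findings

if __name__ == "__main__":
    for line in triage(ATTACHMENTS, PROCESS_EVENTS):
        print(line)
```

The Edge event is deliberately left unflagged: opening the bait PDF is normal user behaviour, and the signal is the script host reading from the Tasks folder.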