Pierluigi Paganini
April 05, 2023
eFile.com, the personal online tax preparation and e-file service authorized by the US Internal Revenue Service (IRS), was spotted serving malware to visitors.
The service helps taxpayers to file tax returns, experts reported that eFile.com was first compromised in mid-March and was sanitized only this week.
A user on Reddit noticed that taxpayers attempting to load the website were redirected to a fake ‘network error’ page that instructed them to download a fake browser update (called “installer.exe” or “update.exe”) to correctly access the service.
“Any attempt to load the website www.efile.com appears to redirect to a fake “Network Error” page claiming that a “browser update” is required to access the site and providing a link to download an application called “installer.exe” or “update.exe,” depending on which browser is used.” explained the user on Reddit.
“I have attached screenshots of the error. Note that the lock icon in the address bar indicates the site is secure, contradicting the error message: “NET::ERR_SSL_VERSION_OR_CIPHER_MISMATCH” in the body of the page, and that clicking “Advanced” reveals further details that contain multiple misspellings, formatting, and grammatical errors. All of this suggests that the site is compromised and is being used to distribute malware.”
The expert Johannes Ullrich, from the SANS Internet Storm Center, explained that the malware served by the service was only detected by Crowdstrike and Cynet anti-malware solutions.
Ullrich noticed that eFile.com removed the malicious JavaScript code from the website on April 3, however, the attackers “reacted a bit faster and removed some of the additional malware” to cover their tracks.
“Depending on the browser, you may have received one of two binaries. “update.exe” or “installer.exe.” These binaries are quite different. I will focus on “update.exe” for two reasons: It was used for Chrome users, which is the vast majority compared to the other option, Firefox. Secondly, “update.exe” is written in Python, making it much easier to analyze.” wrote Ullrich.
The expert discovered that the attack involves two main executables, the “update.exe” which acts as a downloader for a PHP script communicating with the C2 server. The PHP script downloads and executes additional code.
“During the installation, basic system information is sent to the attacker, and the backdoor is made persistent via scheduled/on-boot registry entries.” added the expert.
The ‘update.exe’ is digitally signed with a valid certificate from Sichuan Niurui Science and Technology Co., Ltd.
Who is behind the attack?
There is no evidence that can allow identifying the attackers, but Ullrich noticed that part of the attack infrastructure is hosted with Alibaba.
“Some of the attack infrastructure is hosted with Alibaba in China, and some Chinese comments are in the code. So probably someone Chinese. The code is very cobbled together, and the clumsy inclusion of PHP points to a not-so-advanced, but maybe still persistent, threat actor.” concludes the expert.
Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:
Please nominate Security Affairs as your favorite blog.
Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, eFile.com)
