jRAT malware users targeted US taxpayers with fake IRS tax documents, and now the same trick is being used to infect UK users but with bogus VAT return forms, supposedly from Her Majesty's Revenue & Customs (HMRC).
jRAT or Java RAT is also known as Adwind, Jackbot and several others names, which are sold as a service with features such as keystroke logging, stealing data from web forms, taking screen shots, capturing content from a device's cam and mic, and more. One of its key selling points is that it can run on Windows, macOS, Linux, and Android. The malware is typically spread via mass email.
According to security firm Trustwave, the email campaign targeting British users comes with subject "VAT Return Query" and an embedded image of a PDF. The text suggests the recipient read the document to resolve errors in the attachment: there is no actual attachment and image of the PDF is actually used to conceal a link that points to a ZIP-archived file hosted on Microsoft's OneDrive, which if unzipped extracts the jRAT malware.
Trustwave notes the jRAT malware is popular with criminals because at $29 it's dirt cheap and offers a number configurations to block security products from detecting it. This example also disables the Windows Task Manager and System Restore, and creating a Windows registry.
The company notes it has seen an uptick in phishing campaigns that use Microsoft SharePoint and OneDrive.
"We assume that the scammers route their malware leveraging reputable cloud services like Microsoft to evade detection by various security defenses. Users need to be particularly careful since such scams are quite active during tax return season," it said.