Trojan malware campaign targets tax-filers with fake IRS documents

The jRAT payload can even hijack an infected machine's camera to take photos
Written by Danny Palmer, Senior Writer

Cybercriminals are trying to exploit the tax deadline to dupe victims.


Cybercriminals are taking advantage of US taxpayers leaving it to the last minute to file their taxes: they're using the April 18 deadline as a cover to spread remote-access Trojan malware that can compromise victims' computers and the data stored on them.

Tax season is a prime time for cybercriminals attempting to steal financial information and personal data, especially when potential victims are concerned about money they either owe or are owed.

It's such a major problem that the IRS itself previously issued a warning that phishing scams were targeting US taxpayers. Now security researchers at Zscaler have noticed a surge in Java-based remote access Trojan variants (jRATs) being distributed in emails claiming to be from the IRS.

If successfully installed on the target system, these Trojans give criminals a backdoor into the network, allowing them to extract data ranging from financial and personal information to images and documents -- as well as giving them the ability to hijack a laptop's camera to take photos.

"The jRAT payload is capable of receiving commands from a C&C server, downloading and executing arbitrary payloads on the victim's machine. It also has the ability to spy on the victim by silently activating the camera and taking pictures," said Sammer Patil, security researcher at Zscaler.

The malware is delivered in emails claiming to contain important tax deadline information from the IRS and inviting the user to download attachments with names such as 'IRS Updates.jar' and 'Important_PDF.jar'.

The JAR file is a dropper which, if opened, runs the jRAT code, ultimately compromising the machine and the network it is on. The Trojan also creates an autostart registry entry so that it launches itself on every reboot, making it more persistent.

The malware itself connects to a hardcoded URL to download further instructions and malicious executable files. The linked website is known to security researchers as it has previously played host to the Loki information-stealing bot.
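As an added illustration (not from the article or from Zscaler's research), the Python below flags the kind of persistence described above: autostart Run entries that launch a JAR file from a user-writable folder. It assumes the loader is started through the Java launcher (javaw) and works over constructed sample registry values, not real captured data.

```python
import re

# Constructed sample of HKCU\...\CurrentVersion\Run values as (name, command line).
# The paths and the "IRS Updates.jar" / "Important_PDF.jar" names mirror the
# attachment names reported in the article; the machine and user are made up.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("IRS Updates", r'"C:\Program Files\Java\jre\bin\javaw.exe" -jar "C:\Users\alice\AppData\Roaming\IRS Updates.jar"'),
    ("Important_PDF", r"javaw -jar C:\Users\alice\AppData\Local\Temp\Important_PDF.jar"),
]

# Assumption: a Java-based RAT is launched via java/javaw with a -jar argument.
JAVA_LAUNCHER = re.compile(r"\bjavaw?(\.exe)?\b", re.IGNORECASE)
JAR_ARG = re.compile(r'-jar\s+"?([^"]+?\.jar)"?', re.IGNORECASE)
# Locations an unprivileged user (or a dropper running as that user) can write to.
USER_WRITABLE = re.compile(
    r"(\\(AppData|Temp)\\|%(APPDATA|LOCALAPPDATA|TEMP|TMP)%)", re.IGNORECASE
)


def suspicious_jar_autostarts(entries):
    """Return (value_name, jar_path) for Run entries that start a JAR from a user-writable path.

    Legitimate Java software is normally installed under Program Files and does not
    register a JAR from AppData or Temp as an autostart, so such entries deserve a look.
    """
    hits = []
    for name, cmd in entries:
        if not JAVA_LAUNCHER.search(cmd):
            continue  # not a Java launcher at all
        match = JAR_ARG.search(cmd)
        if not match:
            continue  # java started without -jar (e.g. a class name); out of scope here
        jar_path = match.group(1)
        if USER_WRITABLE.search(jar_path):
            hits.append((name, jar_path))
    return hits


if __name__ == "__main__":
    for name, jar in suspicious_jar_autostarts(SAMPLE_RUN_ENTRIES):
        print(f"suspicious autostart '{name}' -> {jar}")
```

On a live Windows host the same function can be fed the values enumerated from the Run keys with the standard `winreg` module; the benign entries in the sample show that a plain Java launcher on its own is not flagged.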

Ultimately, this surge in jRAT Trojans is just another instance of criminals attempting to jump on the bandwagon of current events to make a profit in the simplest way possible.

"Malware continues to draw in unsuspecting victims by using current issues and relevant events of the day to capture people's attention and interest. With one click, users can become victims, making themselves and their corporate networks vulnerable to attack by malicious payloads," said Patil.

While phishing emails are becoming increasingly sophisticated thanks to the use of advanced social engineering tactics, you can detect them if you know what to look for.

The most important information to remember when it comes to messages which claim to be from the IRS, HMRC, or any other tax body is that the tax collector will never ask for your bank account details or other personal data to be sent over email. If an email asks for that, it's a scam.
