Cybercriminals are taking advantage of US taxpayers leaving it to the last minute to file their taxes: they're using the April 18 deadline as a cover to spread remote-access Trojan malware that can compromise victims' computers and the data stored on it.
If successfully installed on the target system, these Trojans give criminals a backdoor into the network, allowing them to extract data ranging from financial and personal information to images and documents -- as well as giving them the ability to hijack a laptop's camera to take photos.
"The jRAT payload is capable of receiving commands from a C&C server, downloading and executing arbitrary payloads on the victim's machine. It also has the ability to spy on the victim by silently activating the camera and taking pictures," said Sammer Patil, security researcher at Zscaler.
The malware is delivered in emails claiming to contain important tax deadline information from the IRS and inviting the user to download attachments with names such as 'IRS Updates.jar' and 'Important_PDF.jar'.
The JAR file is a dropper which, if opened, runs the jRAT code, ultimately compromising the machine and the network it is on, using Trojan malware that creates an autostart registry to launch itself upon system reboot -- making it more persistent.
The malware itself connects to a hardcoded URL to download further instructions and malicious executable files. The linked website is known to security researchers as it has previously played host to the Loki information-stealing bot.
Ultimately, this surge in jRAT Trojans is just another instance of criminals attempting to jump on the bandwagon of current events to make a profit in the simplest way possible.
"Malware continues to draw in unsuspecting victims by using current issues and relevant events of the day to capture people's attention and interest. With one click, users can become victims, making themselves and their corporate networks vulnerable to attack by malicious payloads," said Patil.
The most important information to remember when it comes to messages which claim to be from the IRS, HMRC, or any other tax body is that the tax collector will never ask for your bank account details or other personal data to be sent over email. If an email asks for that, it's a scam.