US taxpayers targeted in NetWire, Remcos Trojan attack wave

Researchers have analyzed an active campaign targeting US taxpayers in order to spread both NetWire and Remcos Trojans. 

The tax season is now upon us and as US residents file their returns ahead of a deadline in April, this is also a prime time for cybercriminals to launch campaigns tailored to take advantage of the annual requirement. 

Phishing campaigns, unless they are nothing more than mass spray-and-pray attempts, will usually hook on a particular theme or situation to try and elicit enough of a reaction to fool a victim into clicking a malicious link or downloading a malware-laden attachment. 

Examples include a 'fraud' alert from a bank, demands for student loan repayments, fake criminal investigations by the IRS, or notices from legitimate companies such as PayPal warning of unauthorized transactions. 

When it comes to tax season, personal finance-themed phishing emails often include tax return-related content, and this is the hook that the active campaign's operators have chosen to use. 

According to research published by Cybereason on Thursday, the phishing messages come with documents attached that utilize malicious macros to deploy both NetWire and Remcos Remote Access Trojans (RATs). 

Phishing document samples revealed that once opened, the content will blur and victims are asked to enable macros and editing in order to view the text. If they accept, a "heavily obfuscated" macro drops a malicious .DLL payload -- a dropper for one of the two Trojans -- in the /temp directory. 

The .DLL is then injected into Notepad software and the infection chain continues with the decryption of payload data via an XOR key in order to free up executable code. A connection to a command-and-control (C2) server is established and the OpenVPN client is downloaded, together with a side-loaded trojanized .DLL to maintain remote persistence. 

This side-loaded .DLL is responsible for unpacking another .DLL, loaded into memory, and injecting it into Notepad. Another package is then pulled from the legitimate image hosting service imgur, and this package -- hidden within an image file in a technique known as steganography -- is one of either of the Trojans. 

Remcos and NetWire RAT functionality includes taking screenshots, keylogging, stealing browser logs and clipboard data, file harvesting, the theft of OS information, and the ability to download and execute additional malware. 

The RATs are both commercially available in underground forums and are offered on a cheap Malware-as-a-Service (MaaS) subscription basis, available for as little as $10 per subscription -- which keeps the potential criminal customer base of the Trojan variants large. 

"The use of various techniques such as steganography, storing payloads on legitimate cloud-based services, and exploiting DLL sideloading against a legitimate software makes these campaigns very difficult to detect," commented Assaf Dahan, Cybereason head of threat research. "The sensitive information collected from the victims can be sold in the underground communities and used to carry out all manner of identity theft and financial fraud."

Previous and related coverage

• Malicious apps on Google Play dropped banking Trojans on user devices
  
• Icon files abused in malspam to spread NanoCore Trojan
  
• 2020 was a 'record-breaking' year in US school hacks, security failures
  

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0