RAT Targets US Taxpayers – Experts Insight

By ISBuzz Team, Writer, Information Security Buzz | Mar 19, 2021 03:10 am PST

Cybereason published "Cybereason Exposes Campaign Targeting US Taxpayers with NetWire and Remcos Malware", a report on an ongoing phishing campaign that attempts to take over victims' computers with malware in order to steal sensitive personal and financial information.

Lewis Jones, Threat Intelligence Analyst
March 19, 2021 11:20 am

Threat actors are clearly seizing the opportunity to target taxpayers who will be rushing to complete tax returns, making them more susceptible to slipping up and falling for the phishing attack. In this case, the attackers are seeking out sensitive data which can be used in an impersonation scam or sold as part of a credential sale. The attackers are delivering the phishing email with the Remcos and NetWire remote access trojans, which could grant them full access and control over the victims' machines.

The attackers have attempted to stay hidden by using various techniques such as steganography and exploiting DLL sideloading against legitimate software to avoid detection. The use of both Remcos and NetWire remote access trojans is common, mainly due to their effectiveness and low cost, with a subscription to the services starting from only $10 per subscription.

Phishing continues to be the go-to choice for threat actors looking to infiltrate a network, with a significant increase in attacks over the past 12 months. Many threat actors are carrying out reconnaissance prior to attacks in an attempt to make the phishing attacks appear legitimate, using a topic to provoke a response. The use of social engineering to lure in victims is an increasing tactic by threat actors, which stresses the importance of not oversharing sensitive information online.

Users should stay vigilant to phishing attacks and follow these simple steps:

- Think before you click
- Keep software & anti-virus up to date
- Never give out personal information
- Verify a site's security
- Do not open or download an attachment you are not expecting without caution.

Hank Schless, Senior Manager, Security Solutions
March 19, 2021 11:18 am

This attack is the perfect example of how attackers leverage deadline-driven events like Tax Day to pressure individuals into taking action. Since the target only has to open the malicious Word document to execute the hidden macro and download the OpenVPN client, an attacker could use basic social engineering such as posing as a member of the Accounting department or the IRS to successfully carry out the attack.

Since tax forms have so much sensitive personal information on them, attackers can create high-pressure situations that get people to be less cautious. While this variant is PC-focused, NetWire also has a strong Android malware component that Lookout researchers have been tracking and protecting mobile users against since 2017.

Researchers posit that NetWire was likely first created by the Chinese hacking group Winnti Group and sold through the front company World Wired Labs. Both the desktop and mobile versions of NetWire have been sold and used by hacking groups around the globe. NetWire's Android RAT bears many similarities to PWNDROID4, Android malware created by Winnti in 2015.

Lookout researchers have observed active NetWire Android campaigns being conducted by Chinese and Middle Eastern APTs, as well as cybercriminals. Lookout researchers discovered that the malware family was present on devices across the United States, Middle East, and Europe. Attacks like this could be adjusted to target mobile users, especially if the malware family has a known Android or iOS component.

We frequently see malicious campaigns that target both mobile and PC users because it expands the likelihood of success on the part of the attacker. A campaign like this one that leverages a malicious attachment to kick off the attack chain could easily be delivered through email, SMS, or third-party messaging platforms.

There are plenty of VPN apps that could be automatically downloaded to the mobile device and open a connection to malicious command and control (C2) servers in the exact same way this campaign is doing for PCs.

This incident highlights the importance of securing both the endpoints accessing your cloud infrastructure as well as their connection to your cloud resources. As malware campaigns become more complex, an endpoint-to-cloud security approach will ensure a strong security posture. Cloud-based security with a Zero Trust Network Architecture (ZTNA) will ensure only healthy mobile devices and laptops safely access corporate infrastructure.

Javvad Malik, Security Awareness Advocate
March 19, 2021 11:16 am

As tax season approaches, criminals know that it is a ripe opportunity to take advantage of organisations of all sizes looking to submit their tax filings.

This is not a new avenue, but it is increasing in popularity. In 2017, the NotPetya attack was spread as a result of Ukrainian accounting software being infected.

It's a good reminder that organisations need to invest in effective security measures to prevent these attacks from being successful. These include the likes of endpoint protection, monitoring controls, good credential management including multi-factor authentication, as well as providing adequate security awareness and training to staff. This is particularly important in relation to staff that are responsible for accounts or any financial responsibilities, who need to be vigilant against malware and social engineering attacks.

Jorge Orchilles
March 19, 2021 11:15 am

We have invested heavily in preventing malware from running in our environments and that is clearly not working as advertised. Organizations need to operate in "assumed breach mode", where they know they will eventually be compromised. How they detect and respond to the inevitable is what is differentiating victims. We need to work together to improve people, process, and technology.

All users must remain cautious and vigilant to all types of scams, from emails to text messages and phone calls. Scammers will use any current event to take advantage of the most vulnerable to make a quick profit. It is unfortunate, but that is the online world we live in today.

Brad Keller, JD, CTPRP, CTPRA, Chief Strategy Officer
March 19, 2021 11:14 am

Phishing continues to be a major threat because it remains a very successful method for obtaining credentials and other information directly from a user's system. Having run the anti-phishing programs at two major US financial institutions, I understand how difficult it is to create meaningful employee awareness and training to identify phishing emails. Taking those awareness programs to customers is an even more daunting task.

While most major companies have initiated robust anti-phishing programs, smaller companies do not have the resources to develop and maintain these initiatives, making them ideal targets for phishing campaigns. Most individuals are unaware of phishing methods and are not able to identify them, unless they work for a company that provides robust anti-phishing training.
