Microsoft: Phishing attack targets accountants as Tax Day approaches

Microsoft is warning of a phishing campaign targeting accounting firms and tax preparers with remote access malware allowing initial access to corporate networks.

With the USA reaching the end of its annual tax season, accountants are scrambling to gather clients’ tax documents to complete and file their tax returns.

Due to this, it makes it an ideal time for threat actors to target tax preparers, hoping that they mistakenly open malicious files that they would generally be more careful with when less busy.

This is exactly what Microsoft sees in a new phishing scam targeting tax professionals to install the Remcos remote access trojan malware.

“With U.S. Tax Day approaching, Microsoft has observed phishing attacks targeting accounting and tax return preparation firms to deliver the Remcos remote access trojan (RAT) and compromise target networks beginning in February of this year,” Microsoft warns in a new report.

Targeting tax professionals

The phishing campaign starts with emails that pretend to be clients sending the necessary documents to complete their return.

“I apologize not responding sooner; our individual tax return should be simple and not require much of your time,” reads a phishing email seen by Microsoft.

“I believe you would require a copy of our most recent year’s documents, such as W-2s, 1099s, mortages, interest, donations, medical investments, HSAs, and so on which I have uploaded below.”

Phishing email sent to tax preparers

These phishing emails contain links that utilize click-tracking services to evade detection by security software, and ultimately lead to a file hosting site that downloads a ZIP archive.

This ZIP archive contains numerous files pretending to be PDF files for various tax forms but are actually Windows shortcuts.

Archive containing Windows shortcuts disguised as 2021 tax forms

When double-clicked, these Windows shortcuts will execute PowerShell to download a heavily obfuscated VBS file from a remote host, which is saved to C:\Windows\Tasks\ and executed.

At the same time, the VBS script will download a decoy PDF file and open it in Microsoft Edge to avoid arousing suspicion by the targeted person.

Microsoft says that these VBS files will download and execute the GuLoader malware, which in turn, installs the Remcos remote access trojan.

Attack flow of phishing campaign

Remcos is a remote access trojan that threat actors commonly use in phishing campaigns to gain initial access to corporate networks.

Using this access, the threat actors can spread further through the network, stealing data and deploying other malware on a device.

Microsoft says that while phishing campaigns commonly use tax-related themes, this campaign is unusual as its only targets tax preparation firms and individuals.

“While social engineering lures like this one are common around Tax Day and other big topic current events, these campaigns are specific and targeted in a way that is uncommon.”

“The targets for this threat are exclusively organizations that deal with tax preparation, financial services, CPA and accounting firms, and professional service firms dealing in bookkeeping and tax.”

As accountants hold highly sensitive data for individuals and corporations, a data breach in this type of organization could significantly harm a large group of people.

As the initial loaders for the malware in this campaign are malicious files impersonating PDF files, we always recommend that users enable the display of file extensions in Windows so they can identify suspicious files.

Unfortunately, Windows shortcuts are a special file type that uses the .lnk file extension but does not show the file extension when displayed in File Explorer.

This behavior makes detecting that a file is a shortcut in disguise more difficult. However, listing files in File Explorer in ‘Details’ mode will show that it is Windows Shortcut, making it a bit easier to spot.

Ultimately, no one should click on links in emails or open attachments unless they confirm if they are sent from a legitimate contact. Otherwise, delete the email.

Leave a Comment

Your email address will not be published. Required fields are marked *