The Timely Tale of Tax-related Threat Troubles
Tax season in the US and Canada has always been popular among cybercriminals. After all, it’s one of the few reliable times in a year that a lot of money gets thrown around online, due to the convenience of filing (and) paying taxes over the Internet. As such, we make it a point to look out for threats specifically targeting taxpayers before, during and after tax season and every year, we invariably find a lot of them. This year was no different, with the threats we spotted ranging from a Silverlight vulnerability exploit to UPATRE malware spam campaigns. We also found the usual spam and phishing threats that came out at the last minute, even after the deadline has passed.
Silverlight Vulnerability Exploit
The Silverlight exploit, as its name suggests, exploits the (MS13-022) Vulnerability in Silverlight Could Allow Remote Code Execution (2814124) vulnerability in Microsoft Silverlight to run malicious code on a system through a specially-crafted app. It should be noted that the said vulnerability is over a year old now. This exploit was found to be the end result of a series of URL redirections, stemming from a website that promised to teach the user how to avoid paying income tax in Canada.
Upon analysis, we found this particular malware (detected as TROJ_SHESDE.E), which uses the exploit, to be quite similar to the one we reported on last November. We also discovered that with this exploit, it sought to redirect users to malicious URLs, whereupon malware may have potentially been planted for automatic download upon the victim’s system. At around this time, we also spotted another malware that also exploited Silverlight in the same fashion, and we detected this as JS_SHESDE.E.
Tax-themed Spam Campaigns
The UPATRE malware spam campaign that we detected this tax season was no different from those we’ve discovered previously, besides the main body of its text urging its readers to open its malicious attachment in order to file their taxes.
Figure 1. Tax-related spam with TROJ_UPATRE attachment
The malicious attachment itself, detected as TROJ_UPATRE.YQU, connects to malicious URLs to download an encrypted version of a ZBOT variant (TSPY_ZBOT.YQU). As TSPY_ZBOT.YQU starts its info-stealing routines, it also drops a RTKT_NECURS variant, depending on whether the affected system is a 32-bit or 64-bit environment. Whichever variant it drops, the outcome is the same—it disables the AV products installed in the system as well as protect the dropped ZBOT variant from detection and removal.
Besides this, we also spotted similar spammed mail, also sporting a UPATRE variant, at around the tail end of the tax season—specifically around April 15, which was of course the deadline for all tax filing. And even after this, we still saw tax-related spam and phishing scams—most likely a ploy of cybercriminals to take advantage of those in a rush to beat the deadline.
Seasonal threats will always be around, but thankfully it’s easy to avoid becoming a victim to them. It’s a good idea to keep all the software in your system updated and patched to their most recent versions. Spammed mails, no matter the subject or content, should always be deleted without being opened if the sender is unfamiliar or suspiciously different than accustomed to.
Trend Micro customers are protected from these threats, as they have all been blocked upon detection.
With additional analysis from Alvin Nieto, Ardin Maglalang, Joseph C Chen, Lala Manly, Maersk Menrige and Mark Tang