Cybercriminals Spoof Major Accounting and Payroll Firms in Tax Season Malware Campaigns

It’s tax season in the U.S., which means one thing for cybercriminals: opportunity. While the deadline for filing is April 15, tax season stretches on for months beforehand, starting from the time businesses prepare employee payroll information such as W-2 forms. This gives cybercriminals plenty of time to launch campaigns in the hopes of ensnaring individuals and businesses in their various tax fraud, financial fraud and identity theft schemes.

IBM X-Force researchers recently scoured our spam traps for tax-themed malware spam campaigns to see what criminal gangs are up to this year, and we were not surprised to find several ongoing tax-themed campaigns. Three spam campaigns caught our attention because they were likely directed at businesses, with the potential to impact consumers as well. These campaigns attempted to deceive recipients into believing they were emailed by large accounting, tax and payroll services firms and carried malicious Microsoft Excel attachments with a payload familiar to us as one of the most common and effective banking Trojans: TrickBot.

TrickBot is financial malware that silently infects devices for the primary purpose of stealing valuable data such as banking credentials, and then follows up with wire fraud from the device owner’s account. If your computer is infected with TrickBot, the cybercriminals operating it have complete control and can do just about anything they wish on your device, including spreading to other computers on your network and emptying your company’s bank accounts, potentially costing millions of dollars.

We will dive deeper into TrickBot’s tactics, techniques and procedures (TTPs) below. But first, let’s look more closely at three spam campaigns that delivered TrickBot, which were the top tax-themed malware campaigns we’ve seen this year by spam volume.

Examination of Tax-Themed Spam Campaigns

The first thing to note about the tax-themed spam we have been seeing in the wild is that the campaigns spoofed (i.e., deceptively imitated) three of the biggest accounting firms, human resources services and payroll companies operating in the U.S. The spoofed companies included Paychex, a well-known payroll payments provider, and the HR management and services firm ADP, which published its own security alert on March 5, 2019, warning customers of the same malicious spam campaign.

The size of the spoofed firms suggests the criminals are likely to have some success in snagging individual users and businesses that are customers of these well-known companies. Recipients are more likely to expect an email about taxes from their service provider, so attackers can be much more successful if they spoof the names and email addresses of trusted HR services and accounting companies to deliver malware right around tax season.

It can often be difficult to assess the intended targets of banking Trojan campaigns and whether they target business or personal email accounts. Having looked at recipient domain names in our spam traps, we can assess that the campaigns target both business and personal email addresses. In TrickBot’s case, it would be safe to assume that businesses are being targeted for their bank accounts, and personal accounts are more likely to be used as money mules to siphon and redirect stolen funds through compromised users.

The second thing to note is that the spam emails appear to be related to one another and were clearly created by professionals, most likely associated with the TrickBot gang. The spam samples, which we dissect below, were more sophisticated than we typically see in other high-volume campaigns. Usually, tax campaigns consist of plain, poorly crafted emails asking recipients to open a malicious attachment. The sending address is commonly a free webmail address, and the message gives away the game with obvious clues that it is likely malspam.

In the TrickBot-delivering campaigns, however, attackers took extra steps to improve their deception techniques, from the way they crafted the messages to the brands they chose to impersonate. If you receive an email saying it is from a person or company you know and trust, you’re naturally less suspicious and may not look for other clues that it could be a malicious message. This is the moment every attacker is looking for: when the recipient’s guard lowers enough to make them open the attachment and even click to enable macros.

Once TrickBot is installed on a potentially vulnerable device and can reach other devices on the network, it can further spread and pivot. Finding only one unaware person in an organization is usually enough for attackers to get their foot in the door.

Campaign Timeline

Looking at the campaign timeline, our team was able to see that it has been active for a while, allowing attackers to cover a longer period when tax season is a relevant theme.

The first sample was received on Jan. 27, 2019, spoofing a large accounting firm.

Chart showing timeline of tax spam sample on Jan. 27, 2019

Subsequent campaigns were spotted on March 3, 2019, spoofing ADP.

Chart showing timeline of ADP spam sent March 3, 2019

On March 7, 2019, a campaign emerged spoofing Paychex.

Chart showing timeline of Paychex spam sent March 7, 2019

The bulk of the emails were received between 11:45 a.m. and 3:45 p.m. Eastern Standard Time (EST). In other words, these spam messages were sent during working hours for U.S. companies. All three email samples are written in English, adding evidence that the intended targets were located in the U.S. and other English-speaking countries, where there is a high likelihood of reaching customers of the three spoofed companies.

The “from” field of each email was spoofed using typosquatting to bolster the appearance that the emails are from the firms they purport to come from. None of the fake domains exist, nor were they registered by the companies themselves.

The messages were quite simple, only claiming to contain an attachment of tax or billing records. Subject lines were similarly simple, all including the word “tax” and beginning with FW: or RE: to trick recipients into thinking the email was forwarded or in response to a previous message.

Examples from each campaign appear below.

Sample 1: Large Accounting Firm

Subject: FW: 2018 EF Tax Incentive Billing

Body: Please see the attached Tax incentive billing

Example tax-themed phishing message from large accounting firm

Sample 2: ADP

Subject: FW: CASE #90ADP28TEFT – tax billing records

Body: Hi there, I have attached tax billing records for current period.

Example tax-themed phishing message from ADP

Sample 3: Paychex

Subject: RE: Tax verification documents

Body: Hi there, As requested, I have attached the details for your consideration. Thanks!

Example tax-themed phishing message from Paychex

To reinforce the illusion of legitimacy, the signatures of each of the emails mimic typical business signatures, including a name, job title and contact details, as well as mock email footers that the cybercriminals may have copied from legitimate business emails. A simple email to the spoofed companies could result in a response containing the actual footers, which can be copied. For example:

  • “This message (including any attachments) contains confidential information…”

  • “Please consider the environment before printing.”

  • “How are we doing? Let my manager know!”

The goal, of course, is to make the emails look as genuine as possible to gain the victims’ trust. The odds of someone opening attachments or clicking links are higher if the message looks as official and trustworthy as possible.
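The three traits the samples above share (a typosquatted sender domain, a "FW:"/"RE:" subject built around the word "tax", and an Office attachment) can be turned into a mail-gateway triage check. The code below is an added example written for this article, not code from IBM X-Force; the trusted vendor list, the `.example` sender domain and the sample message are constructed placeholders, not addresses from the real campaign.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed list of vendor domains this organisation expects payroll/tax mail from.
# Placeholders for the example, not domains taken from the campaign.
TRUSTED_VENDOR_DOMAINS = ["adp.com", "paychex.com", "accountingfirm.example"]

OFFICE_EXTENSIONS = (".xls", ".xlsm", ".xlsx", ".doc", ".docm", ".docx")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; a small distance flags a one- or two-character lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_VENDOR_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None.

    An exact match is legitimate. A sender is flagged when its first label is within
    one edit (two for longer names) of a trusted label, e.g. paychexx.com, or when the
    trusted label appears as a separate token inside the sender label, e.g. adp-secure.example.
    """
    domain = domain.lower().strip().rstrip(".")
    if domain in trusted:
        return None
    label = domain.split(".")[0]
    for t in trusted:
        t_label = t.split(".")[0]
        max_edits = 1 if len(t_label) < 6 else 2  # short labels need a tighter threshold
        as_token = re.search(r"(^|[^a-z])" + re.escape(t_label) + r"($|[^a-z])", label)
        if levenshtein(label, t_label) <= max_edits or as_token:
            return t
    return None


def triage_message(raw: str) -> dict:
    """Score one RFC 822 message on the traits the campaigns share:
    lookalike sender domain, fake RE:/FW: tax subject, Office attachment."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    subject = msg.get("Subject", "")
    reasons = []

    imitated = lookalike_of(sender_domain)
    if imitated:
        reasons.append(f"sender domain {sender_domain} imitates {imitated}")
    if re.match(r"\s*(fw|re)\s*:", subject, re.I) and re.search(r"\btax", subject, re.I):
        reasons.append("fake reply/forward subject with tax theme")
    office = [p.get_filename() for p in msg.walk()
              if p.get_filename() and p.get_filename().lower().endswith(OFFICE_EXTENSIONS)]
    if office:
        reasons.append("office attachment(s): " + ", ".join(office))

    # Two or more traits together is the pattern; any single one is common in legitimate mail.
    return {"sender_domain": sender_domain, "reasons": reasons,
            "suspicious": len(reasons) >= 2}


# Constructed message modelled on Sample 3; sender domain and attachment name are invented.
SAMPLE_MALSPAM = """\
From: "Payroll Team" <payroll@paychex-tax.example>
To: finance@victim.example
Subject: RE: Tax verification documents
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi there, As requested, I have attached the details for your consideration. Thanks!
--b1
Content-Type: application/vnd.ms-excel; name="Tax_Verification.xls"
Content-Disposition: attachment; filename="Tax_Verification.xls"

(binary omitted)
--b1--
"""

if __name__ == "__main__":
    print(triage_message(SAMPLE_MALSPAM))
```

The check deliberately requires two of the three traits before it marks a message, since a forwarded "tax" subject or a spreadsheet on its own is routine in a finance mailbox; the value is in the combination with a sender domain that only resembles the vendor's.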

TrickBot in Sheep’s Clothing

What would malspam be without the malicious attachment? Probably an ordinary spam or phishing email. To investigate these tax malspam messages, we first examined the attachment in the ADP sample. The file was an Excel document with an embedded macro. The macro itself was highly obfuscated, which makes analysis a bit more difficult, but as far as we could deobfuscate it, running the macro dropped and launched five batch files.

In the Paychex sample, we observed the same behavior, only swapping different filenames and URLs. The accounting firm sample, on the other hand, dropped only one file. In each case, the dropped files called to a similar range of IP addresses for the payload, which eventually fetched and executed the TrickBot Trojan.

Here it becomes clear that the overall process — the mail style, the behavior of the attachments, the construct of the malware URL, the way it hides the .exe file behind an unknown domain path — is the same for all samples. This is also a strong indicator that the same actors might be involved in all three campaigns.
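The behaviour described above (Excel running a macro, the macro launching batch files, the batch files fetching the payload from a raw IP address) is a process chain that endpoint telemetry exposes regardless of how the macro is obfuscated. The following detection logic is an added example, not IBM X-Force's tooling; it runs over constructed Sysmon-style JSON events, and the file paths, PIDs and the 203.0.113.45 address are invented for illustration.

```python
import json
import re
from collections import defaultdict

# Parent/child pairs the analysis points to: an Office application launching a script
# host, which runs dropped batch files and pulls the payload from a raw-IP URL.
OFFICE_IMAGES = ("excel.exe", "winword.exe", "powerpnt.exe")
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")
IP_LITERAL_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)", re.I)

# Constructed endpoint telemetry, one JSON event per line (Sysmon-like shape, invented values).
SAMPLE_EVENTS = r"""
{"event":"ProcessCreate","pid":4100,"ppid":800,"image":"C:\\Windows\\explorer.exe","cmd":"explorer.exe"}
{"event":"ProcessCreate","pid":5120,"ppid":4100,"image":"C:\\Program Files\\Microsoft Office\\EXCEL.EXE","cmd":"EXCEL.EXE Tax_billing_records.xls"}
{"event":"ProcessCreate","pid":5301,"ppid":5120,"image":"C:\\Windows\\System32\\cmd.exe","cmd":"cmd.exe /c C:\\Users\\u\\AppData\\Local\\Temp\\a1.bat"}
{"event":"ProcessCreate","pid":5302,"ppid":5120,"image":"C:\\Windows\\System32\\cmd.exe","cmd":"cmd.exe /c C:\\Users\\u\\AppData\\Local\\Temp\\a2.bat"}
{"event":"NetworkConnect","pid":5301,"dest":"203.0.113.45","port":80,"url":"http://203.0.113.45/upd/img.png"}
{"event":"ProcessCreate","pid":6000,"ppid":4100,"image":"C:\\Windows\\System32\\cmd.exe","cmd":"cmd.exe /c dir"}
"""


def _basename(image: str) -> str:
    """Lower-cased file name from a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def detect_office_macro_chain(log_text: str) -> list:
    """Return one finding per script host spawned by an Office application.

    Each finding lists the indicators observed for that process: the parent/child
    relationship itself, a batch file on the command line, and any outbound
    connection to a URL that uses a raw IP address instead of a host name.
    """
    procs = {}                       # pid -> ProcessCreate event
    net_by_pid = defaultdict(list)   # pid -> NetworkConnect events
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["event"] == "ProcessCreate":
            procs[ev["pid"]] = ev
        elif ev["event"] == "NetworkConnect":
            net_by_pid[ev["pid"]].append(ev)

    findings = []
    for pid, ev in procs.items():
        parent = procs.get(ev["ppid"])
        if _basename(ev["image"]) not in SCRIPT_HOSTS or parent is None:
            continue
        parent_image = _basename(parent["image"])
        if parent_image not in OFFICE_IMAGES:
            continue  # cmd.exe under explorer.exe is normal user activity
        indicators = [f"{parent_image} spawned {_basename(ev['image'])}"]
        if re.search(r"\.bat\b", ev["cmd"], re.I):
            indicators.append("batch file executed from Office")
        for conn in net_by_pid.get(pid, []):
            if IP_LITERAL_URL.match(conn.get("url", "")):
                indicators.append("payload fetch from raw-IP URL: " + conn["url"])
        findings.append({"pid": pid, "parent": parent_image,
                         "cmd": ev["cmd"], "indicators": indicators})
    return findings


if __name__ == "__main__":
    for f in detect_office_macro_chain(SAMPLE_EVENTS):
        print(f["pid"], f["indicators"])
```

The first indicator alone (Office spawning a script host) is already a strong signal in most environments and is what a macro-blocking policy would prevent; the batch-file and raw-IP indicators raise the confidence to the point where the host should be isolated rather than just ticketed.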

The average user will probably not notice a TrickBot infection directly. Network admins, however, may eventually see changes in traffic or attempts to connect to blacklisted IPs and domains when the malware tries to reach its command-and-control (C&C) servers.

Meanwhile, TrickBot tries to steal as much data as possible, typically focusing on stealing banking credentials from known banking websites, with the list of targeted banks changing regularly. The Trojan uses two techniques for stealing banking credentials: dynamic injection and redirection attacks. Dynamic injections are fetched in real time from the attack server instead of being written directly into a configuration file. Redirection attacks hijack the user to a page controlled by the attacker, a replica of the bank’s home page, tricking them into divulging their credentials and other authentication elements.

TrickBot is a highly sophisticated malware that can do plenty of damage beyond financial fraud. As X-Force researcher Limor Kessem noted in a recent investigation of organized cybercrime gangs, TrickBot, which ranked as the top financial malware of 2018, added new functions to the malware last year. On top of its existing capabilities, TrickBot can now steal remote desktop protocol (RDP) credentials, virtual network computing (VNC) credentials and PuTTY open-source terminal emulator credentials. TrickBot also steals Windows system reliability and performance data and features a new mechanism for storing its configuration and elliptic curve cryptography (ECC) public keys.

TrickBot’s operators have ample resources to develop the malware and are sure to have more tricks up their sleeve.

IoCs and Security Tips for Tax Season Malware

For more information on the TrickBot campaign’s indicators of compromise (IoCs), please visit X-Force Exchange.

Tips for IT Security Teams

  • Disable macros by default in Office documents.
  • Block all URL and IP-based IoCs at firewalls, intrusion detection systems (IDSs), web gateways, routers or other perimeter-based devices.
  • Use updated antivirus tools and make sure your current vendor has coverage for banking Trojans such as TrickBot.
  • Search for existing signs of the indicated IoCs in your environment and email systems.
  • Keep all critical and noncritical systems up to date and patched.
  • Report suspected tax scams to the IRS at [email protected]. You can also file a complaint with the U.S. Federal Trade Commission (FTC).
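Blocking the URL and IP indicators at the perimeter and then sweeping existing logs for them, as the second and fourth tips advise, both depend on matching the indicators correctly: IP indicators may be ranges, domain indicators should match subdomains, and URLs need normalising before comparison. The sweep below is an added example, not IBM tooling; the indicator values are constructed placeholders in documentation address ranges standing in for a real feed such as the X-Force Exchange collection mentioned above, and the proxy log format is invented.

```python
import ipaddress
from urllib.parse import urlsplit

# Placeholder indicators (constructed, RFC 5737 documentation addresses and .example
# names); a real sweep loads these from the IoC collection the article points to.
IOC_IPS = ["203.0.113.45", "198.51.100.0/24"]
IOC_DOMAINS = ["paychex-tax.example", "adp-secure.example"]
IOC_URLS = ["http://203.0.113.45/upd/img.png"]

# Constructed proxy log: timestamp, client IP, destination IP, URL (space separated).
SAMPLE_PROXY_LOG = """\
2019-03-07T12:03:11 10.0.0.15 203.0.113.45 http://203.0.113.45/upd/img.png
2019-03-07T12:03:40 10.0.0.22 198.51.100.77 http://cdn.adp-secure.example/docs/tax.xls
2019-03-07T12:04:02 10.0.0.15 192.0.2.10 https://www.example.com/
2019-03-07T12:05:15 10.0.0.31 192.0.2.20 HTTP://ADP-SECURE.EXAMPLE/login
"""


def normalize_url(u: str) -> str:
    """Lower-case scheme and host, drop query/fragment, so equivalent URLs compare equal."""
    p = urlsplit(u.strip())
    return f"{p.scheme.lower()}://{(p.hostname or '').lower()}{p.path or '/'}"


def domain_matches(host: str, ioc_domains):
    """Return the indicator domain that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in ioc_domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def ip_matches(ip: str, nets):
    """Return the indicator network containing `ip` (single IPs are /32), else None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for n in nets:
        if addr in n:
            return str(n)
    return None


def sweep_proxy_log(log_text, ioc_ips=IOC_IPS, ioc_domains=IOC_DOMAINS, ioc_urls=IOC_URLS):
    """Return every log entry that matches an IP, domain or URL indicator, with reasons."""
    nets = [ipaddress.ip_network(x, strict=False) for x in ioc_ips]
    doms = [d.lower().rstrip(".") for d in ioc_domains]
    urls = {normalize_url(u) for u in ioc_urls}
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, dest_ip, url = line.split()
        reasons = []
        net = ip_matches(dest_ip, nets)
        if net:
            reasons.append(f"dest ip in {net}")
        dom = domain_matches(urlsplit(url).hostname or "", doms)
        if dom:
            reasons.append(f"host matches {dom}")
        if normalize_url(url) in urls:
            reasons.append("url matches indicator")
        if reasons:
            hits.append({"ts": ts, "client": client, "url": url, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in sweep_proxy_log(SAMPLE_PROXY_LOG):
        print(h["ts"], h["client"], h["reasons"])
```

Matching on the destination IP as well as the host name matters here because, as noted above, the dropped batch files called IP addresses directly for the payload, so a sweep keyed only on domain names would miss those requests.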

Tips for Users

  • The U.S. Internal Revenue Service (IRS) communicates via snail mail only; it does not initiate contact with taxpayers by email, phone, text messages or social media channels to request personal or financial information. Do not respond to such requests.
  • Don’t open unsolicited emails, click on links within such emails or open attachments coming from unknown senders. Most malware-laden emails will ask users to enable macros. Avoid doing that.
  • Even in the case of known senders, be careful about opening email attachments, especially ZIP or RAR archives and Office documents. Ideally, verify with the sender before opening any attachments.
  • If you receive an email claiming to be from your payroll vendor and you’re not sure if you can trust it, try logging into the provider’s website directly or calling your representative to confirm its validity.

Tips for IBM Security Customers

  • The emails and malware described above are blocked by IBM Security filters. URLs and IPs in the emails are recognized by IBM Security as malicious.
  • IBM Security’s database of malicious activities is updated every five minutes.
  • Check X-Force Exchange regularly for information on new campaigns and learn more about the X-Force Exchange Commercial API.
