Hackers Infect eFile Tax Filing Service with Malware

eFile tax return service

The eFile service, used by many Americans to file their tax returns and authorized by the US Internal Revenue Service (IRS), has been distributing malware for several weeks.

Let me remind you that we also reported that Russian-Speaking Hack Group Winter Vivern Attacks Governments in Europe and Asia, and also that Google Report Companies Creating Mobile Spyware for Governments.

The media also wrote that Chinese hackers use a new backdoor to spy on the country’s government from Southeast Asia.

eFile.com was first compromised in mid-March 2023 when a user reported on Reddit that site visitors were being redirected to a fake error page where victims were told they needed a browser update.

eFile tax return service
Fake connection error message that offers to update the browser

When clicking on the “update browser” link, users were presented with one of two executable files (update.exe and installer.exe).

According to Bleeping Computer, the JavaScript file popper.js was injected into eFile.com for this attack. The base64 code highlighted in the screenshot below tries to load JavaScript from infoamanewonliag[.]online. Moreover, popper.js was loaded on almost any eFile.com page, at least until April 1, 2023.

eFile tax return service

The researchers also found a update.js file associated with this attack. It was he who was responsible for the fake error message that users saw.

eFile tax return service

The above update.exe and installer.exe files are connected to the Tokyo IP address hosted by Alibaba. The same IP address hosts the infoamanewonliag[.]online domain also mentioned above.

Experts from the MalwareHunterTeam examined the files and stated that they contain Windows malware written in PHP. SANS Internet Storm Center specialists also presented their own analysis, who emphasize that malware is poorly detected by antivirus products, and the update.exe file is completely signed by a valid certificate from Sichuan Niurui Science and Technology Co., Ltd.

Johannes Ullrich
Johannes Ullrich

SANS expert Johannes Ullrich explains that update.exe is written in Python and serves as a loader for a PHP script that communicates with the attackers’ command and control server.

Its main function is to download and execute additional code as instructed. During installation, basic system information is passed to the attacker, and the backdoor is fixed in the system using scheduled tasks and on-boot registry entries.

In fact, this PHP backdoor connects to the given URL every 10 seconds and executes any commands it receives from its operators. The backdoor, according to Ulrich, supports three tasks: code execution, file uploads, and execution schedule. Although this is only a basic backdoor, its functions are enough to give the hacker full access to the infected device and initial access to the corporate network for further attacks.

eFile tax return service
Backdoor code snippet

The full extent of this incident remains to be seen, as it is unclear how successful the attack was and how many eFile.com visitors and customers were affected.

Currently, eFile specialists noticed the problem and removed the malicious JavaScript from their site, but before that, the attackers themselves realized that they had discovered them and tried to “clean up” the site, probably trying to cover their tracks.

Hackers Infect eFile Tax Filing Service with Malware

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

View all of Vladimir Krasnogolovy's posts.

Leave a comment

Your email address will not be published. Required fields are marked *