"Tax Return Filing Service eFile.com Caught Serving Malware"

eFile[.]com, an online service that helps individuals file tax returns, was recently injected with malicious code that led to malware being delivered to visitors.  The software service, which is authorized by the Internal Revenue Service (IRS), albeit not operated by the agency, was seen serving malware for several weeks until it was cleaned up earlier this week.  The compromise was initially observed in mid-March when a user posted on Reddit the first details of the issue: visitors were redirected to a fake "network error" page and were served a fake browser update.  When clicking on the "browser update" link, users were served one of two executables, named "update.exe" and "installer.exe." On Monday, Johannes Ullrich of the SANS Internet Storm Center revealed that the malicious files had very low detection rates on VirusTotal.  He also discovered that "update.exe" was signed with a valid certificate from Sichuan Niurui Science and Technology Co., Ltd.  Ullrich stated that the analysis of update.exe shows that it is a downloader written in Python, designed to fetch a PHP script that establishes communication with the command-and-control (C&C) server.  Its primary function is to download and execute additional code.  During the installation, basic system information is sent to the attacker, and the backdoor is made persistent via scheduled/on-boot registry entries.  Ullrich noted that the backdoor, implemented in PHP, was designed to connect to a URL every 10 seconds and execute any commands it may receive from the attacker.  It would also send back the output of the received commands.  The backdoor, Ullrich says, supports three tasks, namely code execution, file download, and execution scheduling.  However, the last task does not appear to be completely implemented.  Ullrich stated that some of the attack infrastructure is hosted with Alibaba in China, and some Chinese comments are in the code.  So the attacker is probably someone that is Chinese.  Ullrich noted that "the code is very cobbled together, and the clumsy inclusion of PHP points to a not-so-advanced, but maybe still persistent, threat actor." eFile removed the malicious JavaScript code from the website on April 3, but not before the attackers themselves attempted to remove the infection, likely to cover their tracks.  The malicious code was apparently injected on every page on eFile[.]com.

SecurityWeek reports: "Tax Return Filing Service eFile.com Caught Serving Malware"