Published on: April 7, 2023
While filing your taxes online can help make the whole process a lot easier, a threat actor has been using eFile, an IRS-authorized tax service, to trick users into downloading malware onto their devices.
The false error message warned users that the page couldn't be reached and provided them with a link to update their browser. This "update" contains hidden malicious code that prompts users to download another file called "update.exe"; this second download is what contains the bulk of the malware.
What's notable about popper.js is that it uses obfuscated code to hide a connection to infoamanewonliag[.]online, a domain that was registered on VirusTotal on March 12 and last updated on March 17, the same day that users on Reddit began posting about the sudden SSL error messages popping up on eFile's site. The IP address behind this connection is also hosted on Alibaba.
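A defender reading the paragraph above mostly wants to know whether any machine on their network followed the same chain: load of the tampered popper.js, a connection to the defanged domain, then an "update.exe" download. The following added example (written for this page, not code from eFile or from the article's source) refangs the indicators named on the page and runs them over a few constructed web-proxy log lines. The log format, the client addresses, the placeholder host `www.efile.example` and the URL paths are all assumptions for illustration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Indicators taken from the article; the domain is written defanged there.
IOC_DOMAINS = {"infoamanewonliag[.]online"}
IOC_FILENAMES = {"update.exe"}
SUSPECT_SCRIPTS = {"popper.js"}   # the script the article says carried the obfuscated code


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


REFANGED_DOMAINS = {refang(d) for d in IOC_DOMAINS}

# Constructed proxy log lines (NOT real traffic). Assumed format:
#   <timestamp> <client-ip> <method> <url> <referer>
SAMPLE_LOGS = """\
2023-03-17T10:01:02Z 10.0.0.5 GET https://www.efile.example/popper.js https://www.efile.example/
2023-03-17T10:01:03Z 10.0.0.5 GET https://infoamanewonliag.online/update.php https://www.efile.example/
2023-03-17T10:01:09Z 10.0.0.5 GET https://infoamanewonliag.online/update.exe https://infoamanewonliag.online/update.php
2023-03-17T10:02:00Z 10.0.0.7 GET https://www.efile.example/index.html -
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<referer>\S+)$")


@dataclass
class Hit:
    ts: str
    client: str
    url: str
    reasons: list[str] = field(default_factory=list)


def basename(url: str) -> str:
    """Last path component of a URL, lower-cased, e.g. '/a/Update.EXE' -> 'update.exe'."""
    return urlsplit(url).path.rsplit("/", 1)[-1].lower()


def scan(log_text: str) -> tuple[list[Hit], set[str]]:
    """Return (IoC hits, clients that loaded a suspect script before hitting an IoC).

    A bare popper.js load is not a hit on its own (it is a common legitimate
    library); it only becomes interesting when the same client later reaches
    the IoC domain or pulls the IoC filename, which is the chain the article
    describes.
    """
    hits: list[Hit] = []
    loaded_suspect_script: set[str] = set()
    chained_clients: set[str] = set()

    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, url = m["ts"], m["client"], m["url"]
        host = (urlsplit(url).hostname or "").lower()
        name = basename(url)

        if name in SUSPECT_SCRIPTS:
            loaded_suspect_script.add(client)

        reasons = []
        if host in REFANGED_DOMAINS:
            reasons.append(f"IoC domain {host}")
        if name in IOC_FILENAMES:
            reasons.append(f"IoC filename {name}")
        if reasons:
            hits.append(Hit(ts, client, url, reasons))
            if client in loaded_suspect_script:
                chained_clients.add(client)

    return hits, chained_clients


if __name__ == "__main__":
    found, chained = scan(SAMPLE_LOGS)
    for h in found:
        print(h.ts, h.client, h.url, "; ".join(h.reasons))
    print("clients showing the full script -> domain chain:", sorted(chained))
```

Matching on the hostname rather than substring-searching the raw URL avoids false positives from look-alike strings in query parameters, and tracking the popper.js load per client lets the output distinguish "someone merely fetched a common library" from "this host followed the whole chain the article describes."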
Since the code wasn't detected until April 1, the malware had several weeks to infect people's devices. Back in January, the LockBit ransomware gang claimed to have hacked eFile. Although no attack was apparent at the time, that claim may explain how a group was able to carefully organize an extensive but subtle attack on the website.
Threat actors took advantage of the implicit trust users place in an IRS-backed service, and unfortunately there's no way to determine the full scope of the situation: how many users were affected, or exactly what the threat actors obtained. The public should know more once eFile releases a statement about the incident.