Researchers have spotted an ongoing tax-themed malicious email campaign that is delivering the NanoCore remote access trojan (RAT) as its malware payload.
Anthony Kasza and Tyler Halfpop, malware researchers at Palo Alto Networks, write in a blog post how they recently spotted the campaign after coming across a number of emails with malicious attachments and with subject lines featuring the words “tax”, “pin”, and “report”:
- [Attention] Your 2014 Tax Report
- [Urgent Attention] Your 2015 Secure IP PIN
- [ATO: URGENT] Your 2014 Tax Return Report!
- [URGENT ATTENTION] Your 2014 Tax Return!
- [ATO: ATTENTION] Your 2015 Tax Return PIN!
- [IRS ATTENTION] Your 2015 Secure IP PIN!!!
- [HMRC ATTENTION] Your 2015 Tax Report PIN!
- [ATTENTION] Your 2015 Tax Return PIN!!!
The researchers shared details of the scale of the malware campaign:
“Within the final sample set, we were able to identify 70 unique malware samples distributed through 2,062 email sessions between September 2, 2015 and January 28, 2016.”
In this attack, the email senders use addresses such as “2015-autax-return[at]ato[dot]gov[dot]au,” “2015autaxreturn[at]ato[dot]gov[dot]au,” and “2015tax-return[at]irs[dot]gov” to enhance the legitimacy of their messages.
Of course, these addresses are only meant to lull users into a false sense of security and entice them to open the attachment - either in the form of an .EXE executable file or a Microsoft Word document containing malicious macros.
Audaciously, the boobytrapped Word documents contain a guide for its intended victims on how to ensure that macros are enabled, in order that their computers can be easily compromised.
Regardless of the form of each attachment, the malware’s payload consists either of the NanoCore RAT or a macro downloader that can execute the trojan.
According to Symantec, NanoCore dates back to at least 2013, when a cracked alpha version of the trojan first appeared online.
The malware went through at least four beta versions after that before the full version (18.104.22.168) finally made an appearance. That version was also eventually cracked and leaked online, which resulted in an increase in targeted and non-targeted attacks using the tool in March of last year.
In its current incarnation, NanoCore is a modular RAT that derives its capabilities from a number of plug-ins. These add-ons allow the malware to log keystrokes, download and install other software, edit the registry, modify the firewall, and assume control of the infected PC’s webcam.
Clearly, NanoCore can wreak some serious havoc if it gets its hands on a user’s machine. To prevent that from happening, users should always stay on the lookout for suspicious emails and attachments, especially those that pertain to their tax reports.
For added details of how to protect your computers, please view Palo Alto Networks’ article, which includes a number of indicators to look out for, including email attachment names commonly used by NanoCore in this campaign.