eFile.com, an online service that helps individuals file tax returns, was injected with malicious code that led to malware being delivered to visitors.
The software service, which is authorized by the Internal Revenue Service (IRS), albeit not operated by the agency, was seen serving malware for several weeks, until it was cleaned up earlier this week.
The eFile.com compromise was initially observed in mid-March, when a user posted on Reddit the first details of the issue: visitors were redirected to a fake ‘network error’ page and were served a fake browser update.
When clicking on the ‘browser update’ link, users were served one of two executables, named ‘update.exe’ and ‘installer.exe’.
On Monday, Johannes Ullrich of the SANS Internet Storm Center revealed that the malicious files had very low detection rates on VirusTotal. He also discovered that ‘update.exe’ was signed with a valid certificate from Sichuan Niurui Science and Technology Co., Ltd.
The analysis of update.exe, Ullrich says in a follow-up post, shows that it is a downloader written in Python, designed to fetch a PHP script that establishes communication with the command-and-control (C&C) server.
“Its main function is to download and execute additional code as instructed to do so. During the installation, basic system information is sent to the attacker, and the backdoor is made persistent via scheduled/on-boot registry entries,” Ullrich explains.
Implemented in PHP, the backdoor was designed to connect to a URL every 10 seconds and execute any commands it may receive from the attacker. It would also send back the output of the received commands.
The backdoor, Ullrich says, supports three tasks, namely code execution, file download, and execution scheduling. However, the last task does not appear to be completely implemented, the researcher says.
“Some of the attack infrastructure is hosted with Alibaba in China, and some Chinese comments are in the code. So probably someone Chinese. The code is very cobbled together, and the clumsy inclusion of PHP points to a not-so-advanced, but maybe still persistent, threat actor,” Ullrich concludes.
Related: Thousands of Websites Hijacked Using Compromised FTP Credentials
Related: Web Skimmer Injected Into Hundreds of Magento-Powered Stores
Related: Skimmer Injected Into 100 Real Estate Websites via Cloud Video Platform