Connect with us

Hi, what are you looking for?


Malware & Threats

Tax Return Filing Service Caught Serving Malware

Online tax return filing service was injected with malicious JavaScript code serving malware to visitors., an online service that helps individuals file tax returns, was injected with malicious code that led to malware being delivered to visitors.

The software service, which is authorized by the Internal Revenue Service (IRS), albeit not operated by the agency, was seen serving malware for several weeks, until it was cleaned up earlier this week.

The compromise was initially observed in mid-March, when a user posted on Reddit the first details of the issue: visitors were redirected to a fake ‘network error’ page and were served a fake browser update.

When clicking on the ‘browser update’ link, users were served one of two executables, named ‘update.exe’ and ‘installer.exe’.

On Monday, Johannes Ullrich of the SANS Internet Storm Center revealed that the malicious files had very low detection rates on VirusTotal. He also discovered that ‘update.exe’ was signed with a valid certificate from Sichuan Niurui Science and Technology Co., Ltd.

The analysis of update.exe, Ullrich says in a follow-up post, shows that it is a downloader written in Python, designed to fetch a PHP script that establishes communication with the command-and-control (C&C) server.

“Its main function is to download and execute additional code as instructed to do so. During the installation, basic system information is sent to the attacker, and the backdoor is made persistent via scheduled/on-boot registry entries,” Ullrich explains.

Advertisement. Scroll to continue reading.

Implemented in PHP, the backdoor was designed to connect to a URL every 10 seconds and execute any commands it may receive from the attacker. It would also send back the output of the received commands.

The backdoor, Ullrich says, supports three tasks, namely code execution, file download, and execution scheduling. However, the last task does not appear to be completely implemented, the researcher says.

“Some of the attack infrastructure is hosted with Alibaba in China, and some Chinese comments are in the code. So probably someone Chinese. The code is very cobbled together, and the clumsy inclusion of PHP points to a not-so-advanced, but maybe still persistent, threat actor,” Ullrich concludes.

The researcher also notes that eFile removed the malicious JavaScript code from the website on April 3, but not before the attackers themselves attempted to remove the infection, likely to cover their tracks. The malicious code was apparently injected on every page on

Related: Thousands of Websites Hijacked Using Compromised FTP Credentials

Related: Web Skimmer Injected Into Hundreds of Magento-Powered Stores

Related: Skimmer Injected Into 100 Real Estate Websites via Cloud Video Platform

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...