Microsoft has issued a warning about a new Remcos remote access trojan (RAT) campaign that targets accounting and tax preparation firms in the United States prior to Tax Day. Cybercriminals have been compromising networks since February to deploy Remcos, which allows them to remotely control Windows systems.
Remcos has been used in numerous malicious attacks, including mass campaigns during the Covid-19 pandemic, and was named one of the top malware strains by the US Cybersecurity and Infrastructure Security Agency (CISA) last year.
The attacks exclusively target organizations that deal with tax preparation, financial services, CPA and accounting firms, and professional service firms dealing in bookkeeping and tax. The cybercriminals are using lures that pose as tax documentation sent by a client and rely on links that use a legitimate click-tracking service to evade detection.
The victim is then redirected to shortcut (LNK) files hosted on a legitimate file hosting site, which then send requests to attacker-controlled domains to fetch malicious files that lead to the installation of Remcos.
The infection chain relies on MSI files, VBScript files containing PowerShell commands, and in some cases, the GuLoader malware downloader to drop the Remcos RAT on the victim’s systems. Microsoft warns that successful delivery of a Remcos payload could provide an attacker the opportunity to take control of the target device to steal information and/or move laterally through the target network.
Tax season has traditionally been an opportunity for cybercriminals to target unsuspecting victims in various types of malicious attacks, including malware distribution, and the 2023 tax season is no exception.
