Cybersecurity Week in Review: 3/29/21
Posted by: GuidePoint Security
With tax season in full swing, we open this Cybersecurity Week in Review with a warning from the Internal Revenue Service (IRS) advising university students and staff to be wary of a tax season email phishing scam. We also recap an incident involving the installation of a CobaltStrike stager heavily obfuscated using Globally Unique Identifiers (GUIDs). Finally, we highlight how publicly available images are spreading cryptocurrency-mining malware and a significant hack on PHP’s Git server.
IRS Warning College Students and University Staff of Phishing Scam
The IRS released a warning on March 30, 2021, advising students and staff at public and private colleges, universities, and educational institutions throughout the United States to be on the lookout for emails impersonating the IRS.
The emails appear to target those with .edu email addresses and arrive with subject lines such as “Tax Refund Payment” or “Recalculation of your tax refund payment.” When opened, the email requests that the recipient click a link and fill out a form to obtain their refund.
The link connects to a phishing site that requests personal information, including name, social security number, driver’s license number, and date of birth, as well as an electronic filing PIN.
Unfortunately, these messages appear to be bypassing Office 365 security. Researchers estimate that as many as 50,000 individuals may have been targeted.
The IRS is advising anyone who receives this phishing email to not click on any links and to forward the email to [email protected].
Anyone who believes they may have already handed information to the cybercriminals behind this or another scam should immediately obtain an IRS Identity Protection PIN from the IRS.
More information on this story can be found here and here.
Cobalt Strike Infiltration Uses Sophisticated Obfuscation Technique
Last week the GuidePoint Security Digital Forensics and Incident Response (DFIR) team announced the discovery of a large, heavily obfuscated Cobalt Strike installation in an ongoing attack against a customer. The obfuscation relied on a GUID-parsing API call that allowed a binary object to be derived from strings found in a dynamic link library (DLL) file.
Cobalt Strike is legitimate software used by security professionals for threat emulation during penetration testing. Unfortunately, cybercriminals have also found the software to be highly useful because of the software’s ability to avoid detection and deploy “listeners” on targeted networks.
In this particular incident, the DFIR team discovered a suspicious DLL file in the Windows ‘Temp’ folder. Further investigation using the FireEye Labs Obfuscated String Solver (FLOSS) led them to a beacon32.dll string, a key indicator of a Cobalt Strike component. Digging deeper, the team found other indicators of how the DLL operated, including an execution mechanism that used regsvr32.
GuidePoint security researchers eventually determined that the DLL was likely designed solely as a Cobalt Strike ‘stager’, intended to iterate through a dataset and call GUIDFromStringW. GUIDs (globally unique identifiers) are 128-bit values, most often used for COM interfaces, COM class objects, or a manager entry-point vector (EPV). GuidePoint researchers believe that the threat actors obfuscated the shellcode as GUID strings, so that a call to GUIDFromStringW reconstituted a binary object from the strings stored in the DLL.
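To triage a sample like this offline, an analyst can reproduce what GUIDFromStringW does in memory and reassemble the blob from the GUID strings that FLOSS or strings recovers. The script below is an added example, not GuidePoint's tooling; the GUID values and the strings dump are constructed, and the "suspicious volume" threshold is an assumed heuristic (a COM DLL references a few CLSIDs/IIDs, not hundreds in sequence).

```python
import re
import uuid

# Matches the {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} form GUIDFromStringW parses;
# the braces are optional so bare GUIDs in a strings dump are caught too.
GUID_RE = re.compile(r"\{?([0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12})\}?")


def guid_to_bytes(guid_str: str) -> bytes:
    """Return the 16-byte GUID struct as GUIDFromStringW lays it out on a
    little-endian host: Data1 (4 bytes LE), Data2 (2 LE), Data3 (2 LE), Data4 (8 raw).
    uuid.UUID.bytes_le implements exactly that layout."""
    return uuid.UUID(guid_str).bytes_le


def reassemble_from_strings(text: str) -> bytes:
    """Decode every GUID-looking string in a strings/FLOSS dump, in file order,
    and concatenate the structs, which is what a GUID-based stager rebuilds."""
    return b"".join(guid_to_bytes(m.group(1)) for m in GUID_RE.finditer(text))


# Constructed stand-in for a FLOSS dump. The two GUIDs encode the plain text
# "GUID-BLOB-TEST!!second-chunk-ok." so the round trip is easy to verify.
SAMPLE_STRINGS = """\
kernel32.dll
GUIDFromStringW
{44495547-422d-4f4c-422d-544553542121}
{6f636573-646e-632d-6875-6e6b2d6f6b2e}
DllRegisterServer
"""


def triage(text: str, min_guids: int = 32) -> dict:
    """Summarise a dump: GUID count, decoded size, and whether the sheer number
    of GUIDs is unusual for a legitimate COM DLL (assumed threshold)."""
    count = len(GUID_RE.findall(text))
    blob = reassemble_from_strings(text)
    return {
        "guid_count": count,
        "decoded_len": len(blob),
        "suspicious_volume": count >= min_guids,
        "blob": blob,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_STRINGS)
    print(result["guid_count"], result["decoded_len"], result["blob"])
```

The decoded blob can then be written out and handed to the usual shellcode and beacon-config parsers rather than analysed as GUID text.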
During their research, the GuidePoint Security DFIR team created a curl command to retrieve the malicious beacon. With this technique, the researchers parsed the beacon configuration and discovered that it intended to spawn into svchost.exe -k netsvcs.
The GuidePoint team continued their research into this threat. Additional details on their research can be found here.
Public Cloud Images Spreading Monero Cryptomining Malware
At least 30 images found on Docker Hub have been discovered to contain and spread cryptomining malware.
Docker Hub is a cloud-based repository for storing, sharing, and locating container images. There are an estimated 6.5 million Docker developers, more than 7 million Docker Hub repositories, 1.5 billion pulls per week, and more than 44 million Docker engines.
According to researchers, the malicious images are spread across 10 different Docker Hub accounts and have earned cybercriminals an estimated $200,000, predominantly in Monero cryptocurrency. The malware spreads through trojanized images available for public download in the Docker Hub container registry. The criminal developers behind the malware appear to have applied tags to the malicious images as a way to reference and match them to different malware variants by cryptominer type, operating system, and CPU architecture. A large number of the Docker Hub accounts appear to belong to the same malware campaign.
Cryptomining malware poses multiple dangers to businesses. In addition to financially supporting cybercriminals, cryptominers also take up large amounts of CPU resources, can throttle operations on computers and networks, use extensive amounts of energy, and often include additional backdoors for use with future malware, such as ransomware.
More on the Docker Hub cryptomining malware story can be found here and here.
Official PHP Git Repository Code Base Hacked
Last week PHP developers announced that hackers had infiltrated PHP’s Git server and added a backdoor. Researchers believe the backdoor is designed to obtain easy remote code execution (RCE) on a website running a hijacked version of PHP. The threat actors also appear to have tried to hide their activity by labelling the commits ‘fix typo’ to suggest that the edits were minor corrections. The malicious code was designed to trigger if a string began with content related to a U.S.-based infosec company’s name. The threat actors also “signed” the commits using the names of two PHP developers, Nikita Popov and Rasmus Lerdorf.
Fortunately, code changes were discovered and reverted before they caused any damage or user impact. PHP developers believe the attack may have happened through a compromised official git.php.net server. As a result, PHP will no longer maintain its git infrastructure and will push changes directly to GitHub. PHP maintainers are also scouring other repositories for corruption.
This security incident is being described as a supply chain attack, similar to the recent SolarWinds attack, with threat actors targeting code in open-source projects and libraries.
More on the PHP attack can be found here, here, and here.
Final Words
It is said there are two things in life that are certain: death and taxes.
And, in the life of a cybersecurity professional, it can also be said with absolute certainty that with tax season comes an increase in cybercrime.
While cybercriminals are known to be innovative and stealthy, in some ways they are also highly predictable. There is no question that an increase in cybercrime can be guaranteed during certain times of the year: the holidays, major national or global events (such as hurricanes or Covid) and tax season.
With more individuals filing their taxes online, it becomes easier for criminals to run phishing and malware scams through email. In addition to the spate of attacks focused on U.S. college and university students and staff discussed in our opening story, there are also reports emerging of phishing messages containing malicious documents that deliver remote access trojans designed to take control of victims’ devices. This tax season threat actors have even involved a recently notorious financial services company in a campaign targeting its customers to steal credentials and spread malware via fax tax documents.
As much as security professionals regularly remind businesses and individuals to be careful, it bears repeating during tax season.
Tax season security tips include:
- Using an IRS Identity Protection PIN
- Watching out for fraudulent emails, texts, or social media posts
- Reminding the elderly about tax season scams
- Filing early
- Only using trusted and reputable tax filing websites
- Using multi-factor authentication
Remember, the IRS will never initiate contact by phone, email, text, or social media and will only contact individuals and businesses by mail. All paper IRS correspondence includes the IRS seal, an official notice number at the top right corner, and correct IRS contact information.
More on current tax scams and alerts can be found on the IRS Tax Scams/Consumer Alerts webpage.