eFile.com, an online service that helps individuals file tax returns, was recently injected with malicious code that led to malware being distributed to visitors. The attack was first reported on Reddit, where a user described being redirected to a fake ‘network error’ page and served a fake browser update. After clicking on the ‘browser update’ link, users were served two executables, named ‘update.exe’ and ‘installer.exe’.
Johannes Ullrich of the SANS Internet Storm Center revealed that the malicious files had very low detection rates on VirusTotal, and were digitally signed with a valid certificate from Sichuan Niurui Science and Technology Co., Ltd. Further analysis of ‘update.exe’ showed it to be a downloader written in Python, designed to fetch a PHP script that establishes communication with the command-and-control server. Its main function is to download and execute additional code as instructed; it also sends basic system information to the attacker and makes the backdoor persistent.
The backdoor, written in PHP, connects to a URL every 10 seconds and executes any commands it receives from the attacker. It also sends back the output of the received commands, and supports three tasks: code execution, file download, and execution scheduling.
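A backdoor that polls its command-and-control URL every 10 seconds leaves a very regular request cadence in proxy or firewall logs, which a defender can hunt for even before the attacker's domain is known. The following is an added example, not code from the article or from the analysis it describes: it parses a constructed proxy-log format (timestamp, client, method, URL), groups requests by client and URL, and flags streams whose inter-request gaps are short and nearly constant. The log lines, hosts and URLs are constructed for illustration, and the thresholds (`min_requests`, `max_cv`, `max_period`) are assumptions a team would tune to its own traffic.

```python
"""Beacon-interval detection over web-proxy log lines (added example).

The log format, hosts and URLs below are constructed for illustration and are
not indicators from the eFile.com incident.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: "<ISO timestamp> <client> <method> <url>".
# Host 10.0.0.5 shows a near-exact 10 s cadence to a single URL (beacon-like);
# host 10.0.0.7 shows ordinary, irregular browsing.
SAMPLE_LOG = """\
2023-04-01T12:00:00 10.0.0.5 POST http://c2.example.invalid/gate.php
2023-04-01T12:00:10 10.0.0.5 POST http://c2.example.invalid/gate.php
2023-04-01T12:00:20 10.0.0.5 POST http://c2.example.invalid/gate.php
2023-04-01T12:00:30 10.0.0.5 POST http://c2.example.invalid/gate.php
2023-04-01T12:00:40 10.0.0.5 POST http://c2.example.invalid/gate.php
2023-04-01T12:00:50 10.0.0.5 POST http://c2.example.invalid/gate.php
2023-04-01T12:00:03 10.0.0.7 GET http://news.example.invalid/
2023-04-01T12:00:41 10.0.0.7 GET http://news.example.invalid/story/1
2023-04-01T12:02:15 10.0.0.7 GET http://news.example.invalid/story/2
2023-04-01T12:09:02 10.0.0.7 GET http://news.example.invalid/story/3
2023-04-01T12:09:05 10.0.0.7 GET http://news.example.invalid/style.css
"""


def parse_log(text):
    """Yield (timestamp, client, url) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split(maxsplit=3)
        yield datetime.fromisoformat(ts), client, url


def find_beacons(text, min_requests=5, max_cv=0.1, max_period=60.0):
    """Return {(client, url): period_seconds} for streams that look like beacons.

    A stream is flagged when it has at least `min_requests` requests, the mean
    gap between requests is at most `max_period` seconds, and the coefficient of
    variation (stdev / mean) of the gaps is at most `max_cv`, i.e. the timing is
    too regular to be a person clicking around.  Thresholds are assumptions.
    """
    streams = defaultdict(list)
    for ts, client, url in parse_log(text):
        streams[(client, url)].append(ts)

    flagged = {}
    for key, stamps in streams.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period <= 0 or period > max_period:
            continue
        if pstdev(gaps) / period <= max_cv:
            flagged[key] = period
    return flagged


if __name__ == "__main__":
    for (client, url), period in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {client} -> {url} every {period:.1f}s")
```

On the constructed sample this reports only the 10.0.0.5 stream, with a 10.0 s period; the browsing host is never grouped into a stream of five identical requests, and even if it were, its gaps are far too irregular. In practice the grouping key and the coefficient-of-variation threshold are the levers to tune: implants that add random jitter to their sleep need a looser `max_cv`, and grouping by destination host rather than full URL catches beacons that vary the path.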
In conclusion, eFile.com was recently injected with malicious code, leading to malware being distributed to visitors. Analysis of the malicious files revealed them to be a downloader written in Python and a backdoor written in PHP. The code was digitally signed and had very low detection rates on VirusTotal. eFile has since removed the malicious code from the website, and the attackers attempted to cover their tracks.
- eFile.com was injected with malicious code, leading to malware being distributed to visitors
- The malicious files were a downloader written in Python and a backdoor written in PHP
- The code was digitally signed and had very low detection rates on VirusTotal
- eFile removed the malicious code from the website and the attackers attempted to cover their tracks