
Tax-Themed Malvertising Campaign Deploys Ransomware Amid Tax Season

By whois-secure, March 26, 2026

Cybercriminals Exploit Tax Season with Malvertising Attacks

As the U.S. tax filing deadline of April 15 approaches, cybercriminals are leveraging the urgency of the season to launch sophisticated malvertising campaigns. Security researchers from Huntress have identified a surge in tax-themed malicious advertisements designed to deceive individuals seeking tax forms online. These deceptive ads lead unsuspecting users to fraudulent websites offering downloads of essential tax documents like W-2 and W-9 forms. However, instead of legitimate forms, these sites deliver malware that can disable security software and deploy ransomware.

Mechanism of the Attack

The attack begins when users click on malicious advertisements promoted through platforms like Google Ads. These ads redirect users to counterfeit websites that prompt the download of tax forms. Upon downloading, the user inadvertently installs a remote access tool known as ScreenConnect (also branded as ConnectWise Control). This tool, while legitimate in its standard use, is frequently exploited by cybercriminals for unauthorized access.

Before the remote access tool is activated, the malware drops a malicious kernel driver designed to disable security software such as Windows Defender. This action leaves the system vulnerable, allowing attackers to establish a foothold, harvest credentials, and potentially deploy ransomware in subsequent stages of the attack.
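One way to hunt for the sequence described above (a kernel driver installed shortly before a ScreenConnect client service on the same host) is to correlate service-installation events. This is an added example, not code from Huntress or the original report. It assumes records shaped like Windows System-log event 7045, and the hosts, driver names, instance IDs, paths, and 15-minute window are constructed placeholders.

```python
from datetime import datetime, timedelta

# Constructed records shaped like Windows System-log event 7045 ("A service was
# installed in the system"): (host, time, service name, service type, image path).
# Hosts, service names, instance IDs and paths are made up for illustration.
SC = r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"
SAMPLE_EVENTS = [
    ("WS-01", "2026-03-20T14:02:11", "exampledrv", "kernel mode driver",
     r"C:\Users\alice\AppData\Local\Temp\exampledrv.sys"),
    ("WS-01", "2026-03-20T14:03:40", "ScreenConnect Client (0000)", "user mode service", SC),
    # WS-02: remote access client with no preceding driver install -> no alert.
    ("WS-02", "2026-03-20T09:00:00", "ScreenConnect Client (1111)", "user mode service", SC),
    # WS-03: driver installed hours earlier from the system driver directory.
    ("WS-03", "2026-03-20T08:00:00", "vendordrv", "kernel mode driver",
     r"C:\Windows\System32\drivers\vendordrv.sys"),
    ("WS-03", "2026-03-20T13:00:00", "ScreenConnect Client (2222)", "user mode service", SC),
]
WINDOW = timedelta(minutes=15)  # assumed correlation window; tune per environment


def is_screenconnect(name, path):
    return "screenconnect" in (name + path).lower()


def in_user_writable_dir(path):
    # Drivers loaded from profile or temp directories deserve extra scrutiny.
    return any(part in path.lower() for part in ("\\users\\", "\\temp\\"))


def correlate(events, window=WINDOW):
    """Flag a kernel driver install followed within `window` by a ScreenConnect
    service install on the same host. Returns (host, driver_path, service, odd_path)."""
    alerts, drivers = [], {}
    for host, ts, name, stype, path in sorted(events, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(ts)
        if "kernel" in stype.lower():
            drivers.setdefault(host, []).append((when, path))
        elif is_screenconnect(name, path):
            for seen, drv in drivers.get(host, []):
                if when - seen <= window:  # sorted input, so seen <= when
                    alerts.append((host, drv, name, in_user_writable_dir(drv)))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only WS-01 is flagged; a managed ScreenConnect deployment with no preceding driver install, or a driver installed hours earlier, does not match.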

Scope and Impact

Huntress has reported over 60 instances of such attacks targeting a diverse range of victims, including freelancers, employees, contractors, and small businesses. The initial intrusions appear to be part of a broader, multi-phase plan aimed at credential harvesting and eventual ransomware deployment. Additionally, the campaign employs other deceptive tactics, such as fake Chrome update pages, with indications of Russian involvement based on embedded JavaScript comments.

Recommendations for Users

To mitigate the risk of falling victim to such attacks, users are advised to:

  • Download tax forms directly from official sources, such as the IRS website.
  • Be cautious of advertisements offering tax-related documents, especially those appearing in search engine results.
  • Ensure that security software is up to date and functioning correctly.
  • Exercise vigilance when prompted to download software or updates from unfamiliar sources.

By adopting these practices, individuals and organizations can better protect themselves against the evolving threats posed by cybercriminals during the tax season.

For more detailed information on this campaign, refer to the original report by Huntress.
