Bad actors will try to blend their attacks in with other tax time emails in order to evade detection. These are some of the tactics we’ve already seen this year.

This tax season, we’d like to update Benjamin Franklin’s quote to be: In this world, nothing is certain except death and taxes… and seasonal scams. Scammers will optimize for success by sending messages out at prime times of the month and year when they think targets will have their guard down and expectations up. We see it in year-end insurance and bonus scams and we see it at the start of each new year in tax scams. As W-2s start to hit inboxes, so do scam emails from bad actors.

With each season, scammers get better at hiding their intent. They add layers and steps to increase obfuscation, they use LLMs to craft better messages, and they leverage the latest methods for hiding malicious links. Let’s look at some that Sublime’s already caught this year.

Malware delivery via VIP impersonation

Many email attacks begin innocuously. More often than not, the first step in the attack won’t seem like it’s part of an attack to the average target. This is why Sublime uses a wide variety of signals along with machine learning-identified intent to see what’s really going on. Take a look at this example:

This scam begins with the impersonation of a high-ranking executive, in this case the CEO of a legitimate company. The attacker sends a request for tax assistance to a CPA, using the CEO's name to establish credibility. However, a closer look reveals two key red flags: the email address and domain do not match those of the actual company. While the attack type may not be entirely clear from the body alone, the VIP impersonation tactic makes it clear that the intent is malicious.

The Sublime Detection team noticed that this message was very similar to those used in previous attacks by the threat actor TA576. Those attacks started with a simple request for tax help. If the CPA responded, the attacker sent over a link to their "financial documents", which was actually malware appearing as a PDF. We wanted to see if that’s what was going on here, so we emailed the sender address to do some reverse phishing.

After a few messages back and forth, we were able to get the attacker to send a link to their "financial records". Disguised as a PDF, it was really a link to a ZIP file that contained a single LNK file. When run, the LNK launched a PDF with a fake 2023 tax form – while also quietly spinning up the AdWind (Java-based RAT) malware in the background.

PDF launched to hide AdWind malware (redacted)

Because Sublime detected the malicious intent of the opening email, the attacker was given no chance to deliver the malware to their intended target (only to our Detection team). Here are the top signals that Sublime's AI-powered detection engine used to catch this attack:

  • Newly registered reply-to domain: The reply-to domain (aquahcglobal[.]com) is suspicious because it was registered very recently. Registering new domains is a common tactic used to conduct attacks.
  • Suspicious reply-to: The sender (estimating@ali-electric[.]com) and reply-to (eric[.]young@aquahcglobal[.]com) email domains do not match, a common tactic used to redirect conversations to an attacker-owned email address.
  • Suspicious subject: The subject uses all capital letters, a common tactic used by scammers to elicit a sense of urgency. Urgency is a category within our named entity recognition (NER) enrichment function.
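The three header-level signals above can be reproduced on a raw message with nothing but the Python standard library. The code below is an added illustration, not Sublime's detection engine or its MQL rules: it assumes a constructed message that reuses the two addresses quoted above (re-armed from their de-fanged form, with an invented subject, date and body) and a constructed domain-creation table standing in for a WHOIS/RDAP lookup, since the post does not give the real registration dates. The 30-day "newly registered" threshold is likewise an assumption.

```python
import email
from email import policy
from email.utils import parseaddr
from datetime import date

# Constructed sample message: the From/Reply-To addresses are the ones quoted in
# the post (re-armed from the de-fanged form); subject, date and body are invented.
SAMPLE_MESSAGE = """\
From: Eric Young <estimating@ali-electric.com>
Reply-To: Eric Young <eric.young@aquahcglobal.com>
To: cpa@example-accounting.test
Subject: URGENT TAX FILING ASSISTANCE NEEDED
Date: Mon, 22 Jan 2024 09:12:00 +0000

Hi, I need help with my 2023 filings. When are you available?
"""

# Constructed stand-in for a WHOIS/RDAP "created" lookup. The real registration
# dates are not given in the post; these values exist only to drive the example.
DOMAIN_CREATED = {
    "aquahcglobal.com": date(2024, 1, 15),
    "ali-electric.com": date(2010, 3, 2),
}
NEW_DOMAIN_DAYS = 30  # assumed threshold for "newly registered"


def domain_of(header_value):
    """Return the lower-cased domain part of an address header ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def reply_to_mismatch(msg):
    """Suspicious reply-to: a Reply-To domain is present and differs from From."""
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    return bool(reply_to) and reply_to != sender


def newly_registered(domain, today, created=DOMAIN_CREATED):
    """Newly registered domain: created within NEW_DOMAIN_DAYS of 'today'.

    A domain with no lookup result is not flagged: missing data is not evidence.
    """
    created_on = created.get(domain)
    if created_on is None:
        return False
    return (today - created_on).days <= NEW_DOMAIN_DAYS


def all_caps_subject(subject, min_letters=8):
    """Suspicious subject: every letter is upper-case (very short subjects ignored)."""
    letters = [c for c in subject if c.isalpha()]
    return len(letters) >= min_letters and all(c.isupper() for c in letters)


def score_message(raw, today):
    """Parse a raw RFC 5322 message and return the names of the signals that fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    signals = []
    if reply_to_mismatch(msg):
        signals.append("suspicious_reply_to")
    if newly_registered(domain_of(msg["Reply-To"]), today):
        signals.append("newly_registered_reply_to_domain")
    if all_caps_subject(str(msg["Subject"] or "")):
        signals.append("all_caps_subject")
    return signals


if __name__ == "__main__":
    print(score_message(SAMPLE_MESSAGE, today=date(2024, 1, 22)))
```

Each signal is weak on its own (plenty of legitimate mail has a Reply-To set by a ticketing system, or a shouty subject); the point of the post, and of `score_message`, is that the combination on one message is what justifies a verdict.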

Tax-themed credential phishing via DocuSign impersonation

We’ve already covered the use of e-signing services for credential phishing and callback phishing in previous posts, as attackers love to abuse or impersonate services in their scams because of their prevalence. Here’s a recent one impersonating a legitimate DocuSign auto-notification:

This attack is much more direct than the previous scam. If the recipient clicks the Review Documents link, they’re first taken to a Cloudflare challenge page and then to a login page that will steal their credentials. Neither of these pages has a legitimate DocuSign URL.

Rather than using a multi-step process, this attack uses the ubiquity of DocuSign during tax time to steal information from a target that may not think twice about a seemingly innocuous email. But this email wasn’t innocuous to Sublime. Here’s the Attack Score Verdict with the top attack signals identified and Detection Rules triggered by this message:

The full Message Query Language (MQL) of these publicly available Detection Rules – like Credential Phishing: DocuSign embedded image lure with no DocuSign domains in links – are available in our Core Feed.
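The logic behind a rule like "embedded image lure with no DocuSign domains in links" is simple to state: the body invokes the brand (here through an image), yet none of the links actually lead to the brand. The Python below is an added example of that check written by this editor, not the MQL from Sublime's Core Feed; it assumes a constructed HTML lure with a placeholder link domain, represents the brand image by its alt text, and treats `docusign.com` and `docusign.net` as the legitimate root domains. It is written generically so the same function works for any impersonated brand, not only DocuSign.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND = "docusign"
# Root domains treated as legitimately DocuSign's (an assumption for this example).
BRAND_DOMAINS = {"docusign.com", "docusign.net"}

# Constructed lure: the brand appears only in an embedded image (its alt text here),
# while the call-to-action link goes somewhere unrelated. The domain is a placeholder.
LURE_HTML = """\
<html><body>
<img src="cid:logo" alt="DocuSign">
<p>You have received a document to review and sign.</p>
<a href="https://challenge.example-cdn.test/review">Review Documents</a>
</body></html>
"""


class LinkAndTextCollector(HTMLParser):
    """Collect anchor hrefs plus visible text and image alt text from an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        elif tag == "img" and a.get("alt"):
            self.text.append(a["alt"])

    def handle_data(self, data):
        self.text.append(data)


def root_domain(url):
    """Registrable domain, approximated as the last two host labels.

    Adequate for .com/.net; a production check should use the Public Suffix List.
    """
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def brand_lure_without_brand_links(html, brand=BRAND, brand_domains=BRAND_DOMAINS):
    """True when the body invokes the brand but no http(s) link resolves to it."""
    p = LinkAndTextCollector()
    p.feed(html)
    mentions_brand = brand in " ".join(p.text).lower()
    domains = {root_domain(h) for h in p.hrefs
               if h.lower().startswith(("http://", "https://"))}
    return mentions_brand and bool(domains) and not (domains & brand_domains)


if __name__ == "__main__":
    print(brand_lure_without_brand_links(LURE_HTML))
```

A real e-sign notification points its Review button at the vendor's own domain, so the legitimate case falls through cleanly; the `bool(domains)` guard keeps a text-only message with no links from matching.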

Malicious QR codes from compromised accounts

This final example employs a combination of attack techniques, and we’ll get a bit more into the weeds with this one. In this attack, the bad actor sends their target an email with an attached PDF. The PDF has a QR code that directs the target through an intermediary redirect, then a Cloudflare CAPTCHA page, and finally a fake Microsoft login used to harvest credentials.

Based on our initial analysis, the attack appears to have been built with the tycoon/storm1747 phishing kit. Here’s the flow:

If the target clicks on the Download Your Attached W-2 PDF button, they’re taken to this PDF:

Screenshots of the chain: QR code (redacted for security), intermediary redirect, Cloudflare CAPTCHA, and the fake Microsoft login page used to harvest credentials.

Looking at just the body and the attachment, we can already see enough attack signals to make a high-confidence verdict:

  • Engaging language: The message attempts to engage the user with a sense of urgency. The sent date and the required response date are both January 24.
  • Authoritative display name: The sender has a display name resembling Human Resources, which is commonly used in scams.
  • First time sender domain: No one from the sender’s domain (redacted) has ever sent a message to the target’s company.
  • Credential theft: Language in the message appears to engage the user in order to steal credentials.
  • Suspicious attachment: The image attachment contains credential theft language.
  • Suspicious QR code: An attached QR code links to a free subdomain.
Top attack signals and all matched Detection Rules

Combining these signals allows Sublime to quickly treat this message as malicious and identify the attacker’s intent. But, there are other signals within the message that we can dig a little deeper into to uncover the how of the attack beyond the what.

Identifying a compromised account

Looking at sender domain information, we can see a few important things. First, this domain has been active for 18 years, meaning this was not a fake company spun up for the sake of the attack. Additionally, SPF and DMARC both passed authentication, so the message is not spoofing the domain.

But if we look at the sender IP and location information, we see something very suspicious. The domain is registered to a company in Texas (per their website), but the UTC offset of the sender is 0 (Texas is UTC-6) and the originating IP is based in Japan.

This is a strong indication of a compromised account. The email is not spoofed, the company is real, but the email was sent over a VPN to hide the location of the attacker. This means the first step of this scam was to hijack a legitimate email account from a real company in order to attack other targets.
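The reasoning in the three paragraphs above is a checkable heuristic: authentication passes (so the domain is not spoofed), but the Date header's UTC offset and the originating IP's country both disagree with where the registered company sits. The Python below is an added example by this editor, not Sublime's enrichment pipeline. It assumes a constructed message whose domain, IP and date are placeholders (not the redacted values from the real message), and constructed dictionaries standing in for registrant data and an IP geolocation database.

```python
import email
import re
from email import policy
from email.utils import parseaddr, parsedate_to_datetime
from datetime import timedelta

# Constructed sample modelled on the headers discussed above. The domain, IP and
# Date are placeholders, not values from the message Sublime analysed.
SAMPLE = """\
Authentication-Results: mx.target.test; spf=pass smtp.mailfrom=sender-corp.example; dmarc=pass header.from=sender-corp.example
Received: from mail.sender-corp.example (mail.sender-corp.example [203.0.113.7]) by mx.target.test
From: Human Resources <hr@sender-corp.example>
To: employee@target.test
Subject: Your 2023 W-2 is ready
Date: Wed, 24 Jan 2024 03:15:00 +0000

Download your attached W-2 PDF today.
"""

# Constructed stand-ins for registrant/org data and an IP geolocation database.
EXPECTED_OFFSET = {"sender-corp.example": timedelta(hours=-6)}   # Texas, UTC-6
EXPECTED_COUNTRY = {"sender-corp.example": "US"}
IP_COUNTRY = {"203.0.113.7": "JP"}


def auth_results(msg):
    """Pull the spf/dkim/dmarc verdicts out of the Authentication-Results header."""
    ar = str(msg["Authentication-Results"] or "")
    return {m.group(1): m.group(2) for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", ar)}


def sender_domain(msg):
    _, addr = parseaddr(str(msg["From"] or ""))
    return addr.rpartition("@")[2].lower()


def first_hop_ip(msg):
    """IPv4 literal from the earliest Received header, i.e. the originating hop."""
    for hop in reversed(msg.get_all("Received", [])):
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(hop))
        if m:
            return m.group(1)
    return None


def compromised_account_indicators(raw):
    """Return whether the mail authenticated and, if so, which location mismatches fired.

    Only an authenticated message can indicate account takeover; a failing SPF/DMARC
    result points at spoofing instead, so no location checks are run in that case.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    domain = sender_domain(msg)
    ar = auth_results(msg)
    authenticated = ar.get("spf") == "pass" and ar.get("dmarc") == "pass"
    if not authenticated:
        return {"authenticated": False, "indicators": []}
    indicators = []
    if parsedate_to_datetime(str(msg["Date"])).utcoffset() != EXPECTED_OFFSET.get(domain):
        indicators.append("utc_offset_mismatch")
    ip = first_hop_ip(msg)
    if ip and IP_COUNTRY.get(ip) != EXPECTED_COUNTRY.get(domain):
        indicators.append("origin_country_mismatch")
    return {"authenticated": True, "indicators": indicators}


if __name__ == "__main__":
    print(compromised_account_indicators(SAMPLE))
```

Neither mismatch is conclusive alone (remote staff and cloud relays produce odd offsets and IPs all the time), which is why the function only reports them once authentication has ruled out spoofing and leaves the final weighting to the caller.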

Similar to the first example we explored, this is a multi-layered attack that uses an initial fraud to launch a much more dangerous and effective attack.

Stay safe from scams this tax season

You already have enough concerns at tax time, so don’t let Uncle Scam add email-based attacks to your list. Sublime detects and prevents credential phishing, brand impersonation, and other email-based threats. Start your free account today, managed or self-managed, for out-of-the-box coverage for these types of attacks with the ability to customize their handling for your environment.


About the Authors


Brandon Webster

Detection

Brandon is an Email Security Analyst at Sublime. Having a naturally sharp eye for details, patterns, and anomalies, he enjoys honing his skills in the ever-changing landscape of threat detection and prevention.


Brandon Murphy

Detection

Brandon is a Threat Detection Engineer at Sublime. He is a seasoned cybersecurity professional with over a decade of experience protecting internet users. Prior to Sublime, Brandon put his detection engineering expertise to use as a Sr. Staff Threat Analyst at Proofpoint.
