Microsoft has reported that attackers are targeting accountants and tax preparers, who hold the financial information of millions of U.S. citizens in the run-up to Tax Day.
The most common threat vector being used is phishing.
- This phishing campaign's infection chain begins with emails in which the sender poses as a client sending the accountant required tax documents.
- These emails contain links that evade detection and lead the victim to a file-hosting site that downloads a ZIP archive.
- This ZIP archive contains files named and iconed to look like PDFs of various tax forms but which are actually Windows shortcut (.LNK) files. Explorer never displays the .lnk extension, even when the option to hide known file extensions is turned off, so a file named W-2.pdf.lnk with a PDF icon appears to the user simply as W-2.pdf.
- When double-clicked, a shortcut runs a PowerShell command that downloads a decoy PDF and opens it in Microsoft Edge, so the target sees the tax form they were expecting and has no reason to be suspicious. The same PowerShell stage also retrieves a VBS script.
- Microsoft says that this VBS script downloads and executes the GuLoader malware, which then installs the Remcos remote access trojan.
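The first point at which a defender can cheaply break this chain is the ZIP attachment itself: a shortcut file cannot hide its format from a header check, whatever its name or icon say. The script below is an added triage example, not code from Microsoft's report or the campaign. It builds a constructed sample archive in memory (a stand-in shortcut carrying a PowerShell command line in UTF-16LE, where real shortcuts store their arguments, plus a genuine-looking PDF and a text note) and flags any member that carries the MS-SHLLINK header, claims a .pdf name without being a PDF, or embeds a script-host name. The file names, command line and token list are assumptions chosen for illustration.

```python
"""Triage a ZIP attachment for shortcut (.LNK) files disguised as PDF tax forms.

Added example; the sample archive below is constructed, not a real sample.
"""
import io
import zipfile

# Fixed ShellLinkHeader prefix (MS-SHLLINK): HeaderSize 0x4C, followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")
PDF_MAGIC = b"%PDF-"

# Script hosts worth flagging inside a shortcut. LNK string data is normally
# UTF-16LE, so each token is searched in both ASCII and UTF-16LE form.
SUSPICIOUS_TOKENS = ("powershell", "cmd.exe", "mshta", "wscript", "cscript")


def classify_entry(name: str, data: bytes) -> dict:
    """Return a verdict for one archive member from its name and raw bytes."""
    lower_name = name.lower()
    lower_data = data.lower()          # bytes.lower() only touches ASCII letters,
    is_lnk = data.startswith(LNK_MAGIC)  # so UTF-16LE text still matches below
    claims_pdf = ".pdf" in lower_name
    tokens = [t for t in SUSPICIOUS_TOKENS
              if t.encode("ascii") in lower_data
              or t.encode("utf-16-le") in lower_data]

    reasons = []
    if is_lnk and claims_pdf:
        reasons.append("shortcut file named as a PDF")
    elif is_lnk:
        reasons.append("shortcut file inside attachment")
    if is_lnk and tokens:
        reasons.append("shortcut references " + ", ".join(tokens))
    if lower_name.endswith(".pdf") and not data.startswith(PDF_MAGIC) and not is_lnk:
        reasons.append("PDF extension without a PDF header")
    return {"name": name, "is_lnk": is_lnk, "tokens": tokens,
            "reasons": reasons, "suspicious": bool(reasons)}


def scan_zip(blob: bytes) -> list:
    """Classify every file member of an in-memory ZIP archive."""
    results = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            results.append(classify_entry(info.filename, zf.read(info.filename)))
    return results


def build_fake_lnk(command: str) -> bytes:
    """Constructed stand-in for a malicious shortcut: a valid ShellLinkHeader
    prefix padded to its 0x4C-byte size, then the command line as UTF-16LE.
    Not a complete shortcut, but enough to exercise the header and token checks."""
    header = LNK_MAGIC + b"\x00" * (0x4C - len(LNK_MAGIC))
    return header + command.encode("utf-16-le")


def build_sample_zip() -> bytes:
    """Constructed sample attachment: one disguised shortcut, one real PDF, one note."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Form W-2 2022.pdf.lnk",
                    build_fake_lnk('powershell -w hidden -NoP -c "Start-Process decoy.pdf"'))
        zf.writestr("1099-MISC.pdf",
                    b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< >>\nendobj\n")
        zf.writestr("notes.txt", b"Please review the attached forms.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in scan_zip(build_sample_zip()):
        flag = "SUSPICIOUS" if entry["suspicious"] else "ok"
        print(f"{flag:10} {entry['name']}: {'; '.join(entry['reasons']) or 'no findings'}")
```

The header check is the reliable part: every shortcut starts with those 20 bytes, and a mail gateway or sandbox can apply it to each archive member before the user ever sees a PDF icon. The token search is a heuristic and will miss obfuscated command lines, so treat it as a reason to escalate rather than as the only detection.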