A FortiGuard Labs Breaking Threat Report
Tax-themed phishing and malware attacks rise during the tax filing season. FortiGuard Labs recently came upon an interesting Excel file claiming to provide an income tax calculator that purports to be from India’s Income Tax Department. It’s not. Instead, it’s a malicious file containing a variant of the xRAT trojan.
Based on the timestamps of when this malicious file was crafted, it seems to be targeting people catching the deadline for filing their income tax returns (ITRs) in India.
This attack is very timely as the deadline for filing the ITR in India, usually set on July 31, was extended this year to August 31, 2019.
When executed, the malicious Excel file drops and executes xRAT, an open-source RAT (remote administration tool) which is a fork off the more well-known QuasarRAT.
Fake Income Tax Calculator
The fake income tax calculator pretends to be from India’s Income Tax Department, as signified by the use of its logo in this decoy file.
When the file is opened, it immediately executes its embedded malicious macro code. The “CLICK & CALCULATE” button shown above is designed to simply trick the user into thinking that it is a legitimate file. Clicking on this button only pops-up a message box containing the following message:
What It Does
The malicious macro code first decodes Base64 encoded data embedded in the Excel file. The decoded data is then saved as %AppData%doubleenc.
The doubleenc file is encrypted with XOR using the following key:
When decrypted, the data is saved as %AppData%doubledec.
The doubledec file is still Base64 encoded. After decoding, it is saved as %AppData%msword.exe.
The msword.exe file, when executed, drops files in the %AppData%MicrosoftOfficeExcel folder. including the xRAT files.
Files 3 and 4 are both xRAT binaries compiled using different .NET Framework versions. The file Console Window Host.exe determines which .NET Framework version is installed on the system, then chooses which file to run. The chosen file is then renamed to conhost.exe. This file is then executed and added to an auto-start registry entry.
xRAT is an open-source RAT (remote administration tool) which is a fork off the more well-known open-source QuasarRAT (known to be used by hackers of all types, from script kiddies to APT groups like Patchwork and Gorgon).
The latest version of xRAT is 2.0, and the code is publicly available on Github. According to its readme file, it has the following features:
Since this RAT is open-source, we can easily identify any changes made to the original source code. The first thing that comes to mind is to look at the configuration file, which contains information about its command and control server (C2).
Based on the configuration file, this variant connects to xorc-49723.portmap.host on TCP port 63989. Apparently, this RAT uses the Portmap service to forward traffic to its C2 server. This is also a known technique used by QuasarRAT to hide the true C2 server. As expected, communication between the RAT and its C2 server is encrypted.
The encryption used by this variant is the same as that used in the original source code, which is Advanced Encryption Standard (Rijndael). The data sent to/from the C2 server is first compressed with QuickLZ compression then encrypted with AES.
The AES encryption uses a generated initial vector (IV) and the MD5 hash of the password indicated in the configuration file, which is “#$%12aBcL”, as its key.
All other functionality appears to be the same as the original source code. With a good malware signature, any new compilation of the source code can be easily caught.
As deadlines for the filing of Income Tax Returns approach, many people try to look for tax calculators to make it easy for them to estimate their refund or bill. Many tax filers just use programs downloaded from anywhere on the internet, or even from spam email attachments for unknown users, without being very mindful as to whether they are harmful or not. Every year a number of attackers take advantage of tax season by creating lures to attract and exploit unsuspecting victims, as seen in this exploit and the general rise of tax-themed attacks overall.
-= FortiGuard Lion Team =-
Fortinet customers are protected by the following:
- xRat samples are detected by MSIL/XRat.A!tr signature
- The decoy document is detected by W97M/Agent.YRJ!tr signature
- FortiSandbox rates the xRAT’s behaviour as high risk
Read about the FortiGuard Security Rating Service, which provides security audits and best practices.