
efile.com compromised by threat actor to embed malicious files

The efile[.]com website, run by a team of tax professionals and tax software vendors that provide an online platform for e-filing federal and state income taxes, has been compromised. The website redirects to a malicious domain that is used to download a malicious payload onto the victim's machine.

Details:

Malicious files were embedded in the efile.com website. They redirect to a malicious domain that serves a malicious payload used to compromise the victim's system.

The threat actors used different types of files and attachments to achieve their goal. 

  1. popper.js

https://urlscan.io/responses/63899f4dc894bdf8323e7ec65d608a640d7915b7eea7dd985dd876da0298a4b6/

The popper.js file contains a base64-encoded string.

popper.js after being decoded

The decoded output shows the redirect domain, infoamanewonliag[.]online.

The URL www.infoamanewonliag[.]online/update/index.php redirects to the final URL.

VirusTotal – URL – 85f0f90c55dae3f6e4f50791470491eccebf7529a98f230f33dac32e805291de

Final URL

https://winwin[.]co[.]th/intro/

The final URL hosts malicious .exe files that are used to compromise the victim's host machine:

https://urlscan.io/search/#winwin.co.th

https://winwin[.]co[.]th/intro/update.exe

https://www.virustotal.com/gui/url/85f0f90c55dae3f6e4f50791470491eccebf7529a98f230f33dac32e805291de/details

Hash from urlscan: 882d95bdbca75ab9d13486e477ab76b3978e14d6fca30c11ec368f7e5fa1d0cb

https://www.virustotal.com/gui/file/882d95bdbca75ab9d13486e477ab76b3978e14d6fca30c11ec368f7e5fa1d0cb

  2. index.php and update.js
  • The index.php file redirects to a URL that serves the file update.js.

https://urlscan.io/responses/4ffeae430c05f641cb88d2d18131e3f4a3ecdcbc55c159af8998623e5769532a/

  • The JS file contains two base64-encoded URLs, each pointing to an .exe file:

https://urlscan.io/responses/ca051090a1105e8ea53a04206c8ddcee4b0d33d4566d2f28549fbf0bbdd34bc8/

  • As mentioned for popper.js, the other URLs carrying the .exe files redirect to the final URL:

https://winwin[.]co[.]th/intro/

The domain winwin[.]co[.]th hosts malicious .exe files that are used to compromise the victim's host machine.
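To triage a suspected injected script such as the popper.js and update.js files described above, the following added example (not code from the original post) finds base64 runs in a JavaScript file, decodes them, and flags any URL whose host matches the post's defanged indicators. The sample script it scans is constructed for the demo; the base64 string inside it is built at runtime from the post's indicator rather than copied from the live file.

```python
"""Triage helper: decode base64 strings in a JS file and flag embedded URLs."""
import base64
import re

# Defanged indicators taken from the post.
KNOWN_BAD_DOMAINS = ["infoamanewonliag[.]online", "winwin[.]co[.]th"]

# Runs of base64 alphabet long enough to be worth decoding; host is group(1).
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s\"']*")


def refang(indicator):
    return indicator.replace("[.]", ".")


def defang(host):
    return host.replace(".", "[.]")


def decode_candidates(js_text):
    """Return (token, decoded_text) for each base64 run that decodes to printable ASCII."""
    found = []
    for m in B64_RE.finditer(js_text):
        token = m.group(0)
        try:
            raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
            text = raw.decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # random identifier runs in minified JS land here
        if text.isprintable():
            found.append((token, text))
    return found


def triage_js(js_text):
    """Extract URLs from decoded strings; report defanged, with a known-bad flag."""
    bad = {refang(d) for d in KNOWN_BAD_DOMAINS}
    hits = []
    for _, text in decode_candidates(js_text):
        for m in URL_RE.finditer(text):
            host = m.group(1).lower()
            is_bad = any(host == d or host.endswith("." + d) for d in bad)
            hits.append({"url": m.group(0).replace(m.group(1), defang(m.group(1)), 1),
                         "domain": defang(host), "known_bad": is_bad})
    return hits


# Constructed sample: a library-looking file with an injected base64 URL (atob call).
_INJECTED = ("https://www." + refang(KNOWN_BAD_DOMAINS[0]) + "/update/index.php").encode()
SAMPLE_JS = ("/* popper.js (constructed sample) */\nvar Popper=function(){return 1};\n"
             "var _0x1 = atob('" + base64.b64encode(_INJECTED).decode() + "');\n")

if __name__ == "__main__":
    for hit in triage_js(SAMPLE_JS):
        print(hit)
```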

In conclusion, the threat actor's intention is to compromise the victim's system by redirecting the victim through several domains in order to download a malicious file.

Once the user is redirected to the winwin[.]co[.]th website, the malicious .exe is downloaded and compromises the system.

The malicious files are already detected by many antivirus products.

If you visited efile.com during the last few days and were redirected to any of the files mentioned above, scan your machine with a tool such as Malwarebytes or a comparable product.

Click the link (VirusTotal – File – 882d95bdbca75ab9d13486e477ab76b3978e14d6fca30c11ec368f7e5fa1d0cb) for further details about the .exe files.