index.php

efile.com compromised by threat actor to embed malicious files

Bangaly Koita 2 years ago

The efile[.]com a team of tax professionals and tax software vendors that provide an online platform to efile federal income taxes and state taxes online website has been compromised. The website is redirecting to a malicious domain  that is used to download a malicious payload on a victim machine.

Details:

Some malicious files were embedded in the efile.com website redirecting to a maldomain with a malicious payload attach to it used to compromised the victim system.

The threat actors used different types of files and attachments to achieve their goal. 

  1. propper.js

https://urlscan.io/responses/63899f4dc894bdf8323e7ec65d608a640d7915b7eea7dd985dd876da0298a4b6/

The popper.js file contains a base64 encoding

popper.js after being decoded

The output is showing the redirecting domain which is infoamanewonliag[.]online

The URL www.infoamanewonliag[.]online/update/index.php is redirecting the final URL

VirusTotal - URL - 85f0f90c55dae3f6e4f50791470491eccebf7529a98f230f33dac32e805291de

Final URL

https://winwin[.]co[.]th/intro/

The final URL contains some malicious exe files that will be used to compromise the victim host machine:

https://urlscan.io/search/#winwin.co.th

https://winwin[.]co[.]th/intro/update.exe

https://www.virustotal.com/gui/url/85f0f90c55dae3f6e4f50791470491eccebf7529a98f230f33dac32e805291de/details

Hash from URLSCAN 882d95bdbca75ab9d13486e477ab76b3978e14d6fca30c11ec368f7e5fa1d0cb

https://www.virustotal.com/gui/file/882d95bdbca75ab9d13486e477ab76b3978e14d6fca30c11ec368f7e5fa1d0cb

  1. index.php and update.js
  • The index.php file is redirecting to the URL with the attachment update.js 

https://urlscan.io/responses/4ffeae430c05f641cb88d2d18131e3f4a3ecdcbc55c159af8998623e5769532a/

  • The js file contains two URLs with an exe file attached to each and base64 encoding:

https://urlscan.io/responses/ca051090a1105e8ea53a04206c8ddcee4b0d33d4566d2f28549fbf0bbdd34bc8/

  • As we mentioned in the “popper.js”,

The others URLs with the exe files are redirecting to final URL

https://winwin[.]co[.]th/intro/

The domain winwin[.]co contains some malicious exe files that will be used to compromise the victim host machine:

At the end, we may conclude that the intention of the threat actor is to compromise the infected system by redirecting the victim to different domains in order to download a malfile.

Once the user is redirected to the winwin[.]co website, the malicious exe will be downloaded and compromised the system.

The malicious files are already detectable by many anti-viruses.

If you were in touch with the efile.com during the last few days and was redirecting to any of the files mentioned above, better scan your laptop by using tool like Malwarebytes or others.

Click on the link (VirusTotal - File - 882d95bdbca75ab9d13486e477ab76b3978e14d6fca30c11ec368f7e5fa1d0cb) for further details about the exe files.

You may have missed

Windows files system you should never whitelist in your environment

Bangaly Koita 3 weeks ago

New update in URLSCAN to detect malicious domains

Bangaly Koita 3 months ago

How to securely open a file

Bangaly Koita 8 months ago

Payoutproject[.]com the biggest scam ever on social media Facebook, twitter, TikTok, Instagram

Bangaly Koita 10 months ago

How to use a proxy server for free over the internet

Bangaly Koita 10 months ago