Cybersecurity firm warns of new threat to tax pros

As tax season comes to a close, researchers at a cybersecurity company are seeing a new type of phishing attack embedded within documents sent via email to tax professionals.

Researchers at Abnormal Security reported Wednesday they have detected cybercriminals posing as potential tax clients and targeting tax professionals ahead of April’s deadline. Once they make contact, the hackers deliver a version of the remote-access tool Sorillus disguised as tax documents via email.

Sorillus is a commercial remote access tool, or RAT, that offers obfuscation and encryption features. The tool is able to collect confidential information including a hardware ID, username, country, language, webcam, headless, operating system and client version from targets.

“Between Feb. 24, 2022, and March 4, 2022, we identified more than 130 emails from threat actors posing as potential clients,” wrote Abnormal Security threat researcher Belem Regalado and threat intelligence analyst Rachelle Chouinard in a blog post Wednesday. “The emails claimed the sender was attempting to locate a CPA ahead of April’s deadline and obtain individual or business tax filing services for this year. However, each email delivered not the promised tax documents but instead an obfuscated version of the remote access tool (RAT) Sorillus.”

The emails came from 10 different addresses but had similar subject lines such as “dawn.simpson Return Service 2021.”


After the initial contact, the hackers sent follow-up messages containing a file share link to the Sorillus remote access tool hidden beneath the text, pretending to be a simple PDF file attachment. In reality, the file was a ZIP-compressed archive containing a JAR (Java archive) executable file.
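For mail-filtering or triage staff, the disguise described above can be checked mechanically. The following Python sketch is an added example, not code from Abnormal Security or from the campaign; the function names, the size limit and the sample archive are assumptions constructed here. It tests whether a file presented as a PDF is really a ZIP archive carrying a runnable JAR.

```python
import io
import zipfile

PDF_MAGIC = b"%PDF-"  # a well-formed PDF begins with this header
MAX_ENTRY_BYTES = 20 * 1024 * 1024  # assumed limit: skip oversized entries


def is_executable_jar(data: bytes) -> bool:
    """A runnable JAR is a ZIP whose manifest names a Main-Class."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        if "META-INF/MANIFEST.MF" not in jar.namelist():
            return False
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    return any(l.lower().startswith("main-class:") for l in manifest.splitlines())


def inspect_claimed_pdf(data: bytes) -> list:
    """Return findings for a file that was presented to the user as a PDF."""
    findings = []
    if data.startswith(PDF_MAGIC):
        return findings  # header matches; nothing to report here
    findings.append("not a PDF")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    findings.append("ZIP archive")
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if not info.filename.lower().endswith(".jar"):
                continue
            findings.append(f"contains JAR: {info.filename}")
            if info.file_size <= MAX_ENTRY_BYTES and is_executable_jar(archive.read(info)):
                findings.append(f"executable JAR: {info.filename}")
    return findings


def build_sample() -> bytes:  # constructed, harmless sample: ZIP holding an empty JAR
    jar_buf = io.BytesIO()
    with zipfile.ZipFile(jar_buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Placeholder\n")
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as outer:
        outer.writestr("documents.jar", jar_buf.getvalue())
    return zip_buf.getvalue()


if __name__ == "__main__":
    print(inspect_claimed_pdf(build_sample()))
```

An empty result means only that the header matches a PDF; it says nothing about whether the PDF itself is safe to open.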


The company is urging tax professionals either to upgrade their email security or to avoid opening any attachments or links in emails sent from new or prospective clients until they, or a member of their staff, have spoken with the client directly.

The Internal Revenue Service has also been urging tax professionals to beware of tax season phishing and related spearphishing scams. In February, the IRS warned about a phishing scheme that aimed to steal their tax prep software credentials.
