Cybercriminals Exploit Tax Season with Malicious Google Ads to Deploy EDR-Killing Malware
As the April tax deadline approaches, cybercriminals are capitalizing on the urgency of tax season by launching sophisticated malvertising campaigns. These campaigns utilize deceptive Google Ads to distribute malware capable of disabling Endpoint Detection and Response (EDR) systems, leaving victims’ computers vulnerable to further attacks.
The Malvertising Strategy
The attack begins when individuals search for tax-related forms, such as W-2 or W-9, on Google. Cybercriminals have placed sponsored ads that appear at the top of search results, leading unsuspecting users to malicious websites. For instance, a user might click on an ad that directs them to a site like anukitax[.]com, which then redirects to bringetax[.]com. These sites are designed to mimic legitimate tax form portals, tricking users into downloading what they believe are necessary tax documents.
Once on the fraudulent site, users are prompted to download a file named form_w9.msi. This file is a trojanized installer for ScreenConnect, a legitimate remote management tool. By leveraging a trusted application, attackers increase the likelihood that users will install the software without suspicion. Upon installation, the attacker gains full remote access to the victim’s machine through a trial cloud instance of ScreenConnect, bypassing enterprise approval and IT oversight.
Uncovering the Campaign
Huntress researchers identified this campaign during routine threat hunting, tracing over 60 rogue ScreenConnect sessions across their customer base. What initially appeared to be isolated incidents of unauthorized remote tool usage turned out to be a coordinated, multi-stage operation with a deeply layered payload designed to disable endpoint security tools entirely. Post-access behavior suggests the ultimate objective is ransomware deployment or the sale of initial access to other cybercriminals.
The Multi-Stage Attack Process
After establishing remote access via ScreenConnect, the attacker deploys a multi-stage crypter known as FatMalloc. This tool employs advanced evasion techniques to bypass security measures:
1. Memory Allocation Evasion: FatMalloc allocates 2GB of memory filled with zeros before releasing it. This tactic forces antivirus emulators to time out, as they cannot afford to simulate such a massive memory operation. Sandboxes with limited memory fail the allocation entirely, causing the malware to exit silently without revealing itself.
2. Indirect Shellcode Execution: If the memory allocation check passes, FatMalloc executes its shellcode indirectly using the Windows multimedia timer API. Instead of spawning a new thread, the crypter passes the shellcode’s address as user data to timeSetEvent, which invokes it through a callback after 100 milliseconds. Security tools monitoring direct thread creation miss this activity, as execution appears to originate from winmm.dll.
The shellcode then decrypts itself using a custom routine and proceeds to download and execute the final payload, HwAudKiller.
HwAudKiller: The EDR Killer
HwAudKiller is a previously undocumented malware that utilizes a Bring Your Own Vulnerable Driver (BYOVD) attack to disable EDR systems. It exploits a vulnerable Huawei audio driver to gain kernel-level access, allowing it to terminate processes associated with Windows Defender, Kaspersky, and SentinelOne. By disabling these security tools, the attacker ensures that subsequent malicious activities go undetected.
Post-Exploitation Activities
With EDR systems disabled, the attacker proceeds with post-exploitation activities:
– Credential Dumping: The attacker dumps credentials from the Local Security Authority Subsystem Service (LSASS) to obtain usernames and passwords stored in memory.
– Lateral Movement: Using tools like NetExec, the attacker moves laterally across the network, harvesting additional accounts and escalating privileges.
These actions are consistent with pre-ransomware behavior, indicating that the attackers may intend to deploy ransomware or sell access to other malicious actors.
Additional Lures and Infrastructure
Beyond tax-themed lures, the threat actor’s exposed open directory revealed a fake Google Chrome update page containing Russian-language JavaScript comments, suggesting a Russian-speaking developer. Both lure types pulled payloads from the same 4sync file-sharing infrastructure, confirming that this is not a standalone campaign but part of an organized operation running multiple social engineering fronts simultaneously.
Mitigation and Recommendations
To protect against such sophisticated attacks, individuals and organizations should adopt the following measures:
1. Verify Sources: Always download tax forms and software updates directly from official websites. Be cautious of sponsored ads, especially during high-target seasons like tax time.
2. Educate Users: Train employees and users to recognize phishing attempts and the risks associated with downloading files from unverified sources.
3. Implement Multi-Factor Authentication (MFA): Use MFA to add an extra layer of security, making it more difficult for attackers to gain access even if credentials are compromised.
4. Monitor for Unauthorized Remote Tools: Regularly audit systems for unauthorized installations of remote management tools like ScreenConnect.
5. Keep Systems Updated: Ensure that all software, especially security tools, is up to date to protect against known vulnerabilities.
6. Deploy Advanced Threat Detection: Utilize advanced threat detection solutions capable of identifying and mitigating sophisticated attacks that employ evasion techniques.
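As an added example of recommendation 4 (not code from the article or from Huntress), the following Python audit flags ScreenConnect client services whose instance fingerprint is not on an organisation's allowlist. The service-name pattern, the sample inventory and the approved fingerprint are constructed assumptions for this example.

```python
import re

# Constructed service inventory as an audit agent might collect it:
# (hostname, service display name, service binary path). Sample values only.
SERVICE_INVENTORY = [
    ("WS-FIN-01", "ScreenConnect Client (a1b2c3d4e5f60718)",
     r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4e5f60718)\ScreenConnect.ClientService.exe"),
    ("WS-FIN-02", "Windows Update", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ("WS-HR-07", "ScreenConnect Client (ffeeddccbbaa9988)",
     r"C:\Program Files (x86)\ScreenConnect Client (ffeeddccbbaa9988)\ScreenConnect.ClientService.exe"),
    ("WS-HR-09", "ScreenConnect Client (ffeeddccbbaa9988)",
     r"C:\Users\jdoe\AppData\Local\Temp\ScreenConnect Client (ffeeddccbbaa9988)\ScreenConnect.ClientService.exe"),
]

# Fingerprints of the organisation's own ScreenConnect deployment(s).
# Hypothetical value; populate from your own ScreenConnect server.
APPROVED_INSTANCES = {"a1b2c3d4e5f60718"}

# ScreenConnect client services carry an instance fingerprint in parentheses
# after the display name (assumption based on the product's naming scheme).
SC_SERVICE_RE = re.compile(r"^ScreenConnect Client \(([0-9a-f]+)\)$", re.IGNORECASE)


def audit_remote_tools(inventory, approved):
    """Return one finding per ScreenConnect service not tied to an approved instance."""
    findings = []
    for host, name, path in inventory:
        match = SC_SERVICE_RE.match(name)
        if not match:
            continue  # not a ScreenConnect client service
        instance = match.group(1).lower()
        if instance in approved:
            continue  # sanctioned deployment
        reasons = ["instance not in approved list"]
        # A client installed outside Program Files (e.g. a user's Temp folder)
        # is a second signal of an unsanctioned, user-run installer.
        if "program files" not in path.lower():
            reasons.append("binary outside Program Files")
        findings.append({"host": host, "instance": instance, "reasons": reasons})
    return findings


def rogue_instances(findings):
    """Group findings by instance so responders can see the scope of each rogue deployment."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["instance"], []).append(f["host"])
    return {inst: sorted(hosts) for inst, hosts in grouped.items()}
```

Running the audit against a real inventory (for example, service lists exported from each endpoint) gives a per-instance host list that can be compared against the ScreenConnect deployments IT actually provisioned.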
By remaining vigilant and implementing robust security practices, individuals and organizations can reduce the risk of falling victim to such malicious campaigns.