Fake Tax Notices Deliver RAT Malware to Windows Users

Cybercriminals are exploiting tax season anxieties by distributing fake income tax assessment notices that deliver Remote Access Trojan (RAT) malware to Windows users. This sophisticated campaign impersonates the Income Tax Department, tricking recipients into downloading malicious files under the guise of official tax documents.

The attack begins with an email that appears to be from the Income Tax Department, urging the recipient to review an assessment order. The email contains a link to a fraudulent website that closely mimics the official tax portal. Once on the site, users are prompted to download a ZIP file labeled as an assessment order.

Upon extraction, the ZIP file reveals a disk image file named Tax_Assessment.img. When mounted, this image contains two files: Tax_Assessment.exe and libsvcs.dll. The executable acts as a loader, utilizing .NET reflection to execute the DLL without embedding the malicious code directly. Both files are obfuscated using ConfuserEx to evade detection by security software.
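The delivery chain above (a ZIP wrapping a disk image that in turn carries the loader and DLL) is what a mail gateway or triage script should be flagging. The following added example is not from the original article or from any vendor's tooling: it inspects a ZIP attachment in memory, flags nested disk-image containers that Windows Explorer mounts natively, fingerprints them by the ISO 9660 volume descriptor (the assumption here is that the `.img` is ISO 9660; a raw FAT image would not match), and returns a quarantine verdict. The sample ZIP and its `Tax_Assessment.img` member are constructed, not the real artifacts.

```python
import io
import os
import zipfile

# Container formats Windows Explorer mounts on double-click; a ZIP that wraps
# one of these matches the delivery pattern described in the article.
DISK_IMAGE_EXTS = {".img", ".iso", ".vhd", ".vhdx"}
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".js", ".vbs", ".lnk"}


def is_iso9660(data: bytes) -> bool:
    """ISO 9660 primary volume descriptor: sector 16 (offset 0x8000)
    starts with type byte 0x01 followed by the identifier 'CD001'."""
    return len(data) >= 0x8006 and data[0x8000:0x8006] == b"\x01CD001"


def triage_zip(zip_bytes: bytes) -> dict:
    """Inspect a ZIP attachment and report nested disk images and executables."""
    findings = {"members": [], "disk_images": [], "executables": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            findings["members"].append(name)
            ext = os.path.splitext(name)[1].lower()
            if ext in DISK_IMAGE_EXTS:
                # Read only the header region needed to fingerprint the image;
                # nothing is mounted or extracted to disk.
                with zf.open(info) as fh:
                    head = fh.read(0x8006)
                findings["disk_images"].append(
                    {"name": name, "iso9660": is_iso9660(head), "size": info.file_size}
                )
            elif ext in EXECUTABLE_EXTS:
                findings["executables"].append(name)
    if findings["disk_images"] or findings["executables"]:
        findings["verdict"] = "quarantine"
    return findings


def build_sample_zip(member: str = "Tax_Assessment.img") -> bytes:
    """Constructed sample, not a real artifact: by default a ZIP holding a
    minimal ISO 9660-like image; any other member name gets inert text."""
    if member.lower().endswith(".img"):
        payload = bytes(0x8000) + b"\x01CD001\x01" + bytes(2041)  # hypothetical header
    else:
        payload = b"constructed benign content"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_zip()))
```

The same check generalises to any archive-in-archive lure: extend the extension sets, or replace the ISO fingerprint with the magic bytes of whatever container your environment sees.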

Once executed, the malware establishes persistence on the infected system by modifying registry settings and creating scheduled tasks. It disguises itself as a legitimate Windows process, “Runtime Service Host,” to avoid raising suspicion. The RAT capabilities include system information collection, user activity monitoring, and the ability to execute remote commands, granting attackers full control over the compromised machine.

This campaign highlights the increasing sophistication of phishing attacks that combine social engineering with technical obfuscation to bypass security measures. Users are advised to exercise caution with unsolicited emails, especially those that ask them to download files or direct them to unfamiliar websites. Verifying the authenticity of such communications through official channels is crucial to avoid falling victim to these attacks.

As cyber threats continue to evolve, it’s imperative for individuals and organizations to stay informed about emerging tactics used by attackers. Implementing robust security practices, such as regular software updates, employee training on phishing recognition, and the use of advanced threat detection solutions, can significantly reduce the risk of infection.