Please note that this security incident specifically concerns eFile.com and not identical-sounding domains or the IRS electronic filing infrastructure.
Just in time for tax season
The development comes at a crucial time when US taxpayers are completing their IRS tax returns ahead of the April 18 due date.
The use of Math.random() at the end is likely meant to prevent caching, so that a fresh copy of the malware is loaded each time eFile.com is visited should the threat actor make changes to it. At the time of writing, the endpoint was no longer operational.
As of today, the file no longer serves malicious code.
Site “hacked” more than 2 weeks ago
On March 17, a Reddit thread surfaced where several eFile.com users suspected that the website had been “hacked”.
At the time, the website displayed an SSL error message that some claimed appeared to be fake:
It turns out that is indeed the case. Researchers spotted an additional “update.js” file associated with this attack that was served by an Amazon AWS endpoint.
BleepingComputer obtained the so-called ‘update.js’ and noticed the fake SSL error message present inside it as base64-encoded HTML (highlighted below):
An HTML snippet of the decoded string generating the fake SSL error is shown below:
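Separately from the snippet referenced above, and as an added example that is not code from the incident or from BleepingComputer: a small Node.js triage script that checks a JavaScript file for the two traits described in this article, a script URL with Math.random() appended and a long base64 string literal that decodes to HTML. The sample input, the placeholder host, the function names and the length threshold are all constructed for illustration.

```javascript
// Added example: static triage of a JavaScript file for the two traits the
// article describes. Heuristics and thresholds are assumptions, not IoCs.

// Constructed sample input (not the real payload); the host is a placeholder.
const lure = Buffer.from(
  '<html><body><h1>Your connection is not private</h1></body></html>'
).toString('base64');
const SAMPLE = [
  'var s = document.createElement("script");',
  's.src = "https://cdn.example.invalid/loader.js?" + Math.random();',
  'document.head.appendChild(s);',
  `var page = atob("${lure}");`,
  'var logo = "aGVsbG8gd29ybGQ=";  // short literal, ignored',
].join('\n');

// Flag src/href assignments that append Math.random() as a cache-buster.
function findCacheBusters(source) {
  const re = /\.(?:src|href)\s*=\s*[^;\n]*Math\.random\s*\(\s*\)/;
  return source.split('\n')
    .map((text, i) => ({ line: i + 1, text: text.trim() }))
    .filter(({ text }) => re.test(text));
}

// Find long base64 string literals that decode to HTML markup.
function findEmbeddedHtml(source, minLen = 40) {
  const literal = /["'`]([A-Za-z0-9+/]{4,}={0,2})["'`]/g;
  const hits = [];
  for (const m of source.matchAll(literal)) {
    const b64 = m[1];
    if (b64.length < minLen || b64.length % 4 !== 0) continue;
    const decoded = Buffer.from(b64, 'base64').toString('utf8');
    if (/<\s*(?:html|body|div|form|iframe|script)\b/i.test(decoded)) {
      hits.push({ offset: m.index, preview: decoded.slice(0, 60) });
    }
  }
  return hits;
}

// Combine both checks into one report for a file's contents.
function triage(source) {
  return {
    cacheBusters: findCacheBusters(source),
    embeddedHtml: findEmbeddedHtml(source),
  };
}

console.log(JSON.stringify(triage(SAMPLE), null, 2));
```

A hit from either check is a reason to review the file by hand, since legitimate scripts also use cache-busting query strings and embedded markup.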
BleepingComputer has independently confirmed that these binaries establish a connection to a Tokyo-based IP address, 18.104.22.168, which appears to be hosted at Alibaba. The same IP address also hosts the illicit domain infoamanewonliag[.]online, which is associated with this incident.
The security research group MalwareHunterTeam, which then analyzed these binaries, states that they contain Windows botnets written in PHP, a fact the research group mocked. Additionally, they called out eFile.com for leaving the malicious code on its website for weeks:
“So the website of [efile.com]…was compromised at least around mid-March and still hasn’t been cleaned up,” writes MalwareHunterTeam.
Referring to a Reddit thread, they further stated, “…even the area serving the payloads was already mentioned 15 days ago. How has this not gotten more attention yet?”
Dr. Johannes Ullrich of the SANS Institute has also published an analysis of the issue.
The extent of this incident, including whether the attack succeeded in infecting eFile.com visitors and customers, remains to be determined.
BleepingComputer approached eFile.com with questions long before publication.
In January 2022, the LockBit ransomware gang claimed it had attacked eFile.com. At the time, BleepingComputer did not receive a response from the company confirming or denying an attack.