Note, this security incident specifically concerns eFile.com and not identical sounding domains or .
Just in time for tax season
The development comes at a crucial time when U.S. taxpayers are wrapping up their IRS tax returns before the April 18th due date.
The use of Math.random() at the end is likely to prevent caching and load a fresh copy of the malware—should the threat actor make any changes to it, every time eFile.com is visited. At the time of writing, the endpoint was no longer up.
As of today, the file is no longer seen serving the malicious code.
Website ‘hijacked’ over 2 weeks ago
On March 17th, a Reddit surfaced where multiple eFile.com users suspected the website was “hijacked.”
At the time, the website showed an SSL error message that, some suspected, appeared to be fake:
Turns out that’s indeed the case. Researchers spotted an additional file ‘update.js’ associated with this attack which was being served by an Amazon AWS endpoint.
BleepingComputer has obtained the so-called ‘update.js’ and we noticed the fake SSL error message present as base64-encoded HTML code (highlighted below) inside of it:
An HTML excerpt from the decoded string generating the fake SSL error is shown below:
BleepingComputer has independently confirmed these binaries establish a connection to a Tokyo-based IP address, 18.104.22.168, that appears to be hosted with Alibaba. The same IP also hosts the illicit domain, infoamanewonliag[.]online associated with this issue.
Security research group named MalwareHunterTeam, who further analyzed these binaries, these contain Windows botnets written in PHP—a fact the research group mocked. Additionally, they called out eFile.com for leaving the malicious code on its website for weeks:
“So, the website of [efile.com]… got compromised at least around middle of March & still not cleaned,” MalwareHunterTeam.
Referring to a Reddit thread, they further said, “…even the payloads serving domain was mentioned 15 days ago already. How this not got more attention yet?”
Dr. Johannes Ulrich of SANS Institute has also released of the issue.
The full scope of this incident, including if the attack successfully infected any eFile.com visitors and customers, remains yet to be learned.
BleepingComputer has approached eFile.com with questions well before publishing.
In January 2022, the LockBit ransomware gang eFile.com. At the time, BleepingComputer did not receive a response from the company confirming or denying an attack.