TechRadar
Sead Fadilpašić

This tax-themed malvertising attack can blind security software before it arrives — and then unleashes ransomware

A person doing taxes.

  • Hackers exploit US Tax Day rush with phishing and malware
  • Fake tax form sites via Google Ads drop ScreenConnect and disable defenses
  • Campaign sets stage for ransomware, also seen with fake Chrome updates

Cybercriminals are once again taking advantage of the short deadline for the upcoming tax filing window to deploy malware and ransomware to people’s computers, experts have warned.

The April 15 tax deadline, also simply called Tax Day, is the last day most Americans have to file their federal income tax return and pay any taxes they owe.

Since many wait until the very last moment to deal with it, they rush to get it done and, as security researchers at Huntress put it, “trust the first Google result they see.”

No bragging rights

Huntress says it is seeing an increase in people searching for specific US tax forms, such as W-2 or W-9. Hackers are leveraging this fact, creating fake landing pages and promoting them through Google Ads.

As a result, when people search for these terms, they often land on malicious pages that serve them ScreenConnect (now commonly branded as ConnectWise Control), a legitimate remote access tool that is frequently abused for malicious purposes.

The researchers say the attack targets all sorts of people, from employees, freelancers, and contractors to small businesses. Before running the remote access tool, the attackers first drop a kernel driver that disables security tools such as Windows Defender.
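As an added illustration, not code from the article or from Huntress: a small detection routine that looks for the sequence described above on one host, that is, an unsigned driver load, Defender real-time protection being switched off, and then a ScreenConnect service install shortly afterwards. The event records, hostnames, file paths and the ten-minute window are constructed assumptions; the event IDs follow Sysmon Event 6 (driver loaded), Windows Defender Event 5001 (real-time protection disabled) and System Event 7045 (service installed).

```python
# Added example (not from the TechRadar/Huntress article): correlate constructed
# Windows event records to flag the chain the article describes: a kernel
# driver load, Defender real-time protection turned off, then a ScreenConnect
# service install, all on the same host inside a short window.
from datetime import datetime, timedelta

# Constructed sample events, modelled on Sysmon Event 6 (driver loaded),
# Windows Defender Event 5001 (real-time protection disabled) and
# System log Event 7045 (new service installed). Hosts and paths are illustrative.
EVENTS = [
    {"host": "wks-01", "ts": "2025-04-10T09:01:05", "id": 6, "src": "Sysmon",
     "detail": r"C:\Users\j.doe\AppData\Local\Temp\helper.sys", "signed": "false"},
    {"host": "wks-01", "ts": "2025-04-10T09:01:09", "id": 5001, "src": "Windows Defender",
     "detail": "Real-time protection is disabled", "signed": ""},
    {"host": "wks-01", "ts": "2025-04-10T09:02:30", "id": 7045, "src": "Service Control Manager",
     "detail": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
     "signed": ""},
    # A legitimate, IT-approved install on another host: no driver/AV-off events precede it.
    {"host": "wks-02", "ts": "2025-04-10T11:30:00", "id": 7045, "src": "Service Control Manager",
     "detail": r"C:\Program Files (x86)\ScreenConnect Client (it-approved)\ScreenConnect.ClientService.exe",
     "signed": ""},
]

WINDOW = timedelta(minutes=10)  # assumed correlation window


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def find_rogue_screenconnect(events, window=WINDOW):
    """Return hosts where a ScreenConnect service install was preceded, within
    `window`, by an unsigned driver load AND a Defender real-time-protection-
    disabled event on the same host."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)
    flagged = []
    for host, evs in by_host.items():
        evs.sort(key=_ts)
        for ev in evs:
            if ev["id"] != 7045 or "screenconnect" not in ev["detail"].lower():
                continue
            t_install = _ts(ev)
            earlier = [e for e in evs if t_install - window <= _ts(e) < t_install]
            driver_loaded = any(e["id"] == 6 and e["signed"] == "false" for e in earlier)
            av_disabled = any(e["id"] == 5001 for e in earlier)
            if driver_loaded and av_disabled:
                flagged.append(host)
                break  # one hit per host is enough
    return flagged


if __name__ == "__main__":
    print(find_rogue_screenconnect(EVENTS))  # ['wks-01']
```

A legitimate ScreenConnect deployment is not flagged on its own; only the combination with a preceding unsigned driver load and Defender being disabled trips the rule.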

“Across our customer base, we reported over 60 instances of rogue ScreenConnect sessions tied to this campaign being used as the initial access vector,” Huntress stressed.

While the tax-themed lure is currently trendy, it’s not the only method being used. Huntress says it also saw a fake Chrome update page with JavaScript comments in Russian, “suggesting a broader social engineering toolkit and a Russian-speaking developer.”

The campaign seems to be just the first step in a multi-stage attack. At this stage, the crooks are establishing a foothold and harvesting credentials, likely in preparation for ransomware deployment.
