
Cyber Incident Victim: eFile.com

Date: Mar 2023

Location: United States of America

Summary

An IRS-authorized tax filing service provider was compromised to serve malicious JavaScript across its website: a script loaded on its pages contacted an external domain to fetch additional payloads. The attackers displayed fake SSL error messages that prompted users to download trojanized executables; these connected to a Tokyo-based server and installed a PHP-based backdoor enabling remote command execution, data exfiltration, and potential lateral movement within victim networks. Security researchers confirmed the malicious activity persisted for weeks, using the compromised website to distribute initial-access malware capable of enabling credential theft or further network compromise, though infection outcomes remain unconfirmed.

CIA Posture: available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 0 actors (type and location available to members)

Description

In March 2023, eFile.com, an IRS-authorized tax filing service, was observed distributing malicious JavaScript via its website for several weeks, with evidence confirming its presence through at least April 1st. Security researchers first noted an additional file named 'popper.js' being loaded on nearly every page of the eFile.com site. It contained base64-encoded code that attempted to load secondary JavaScript from the domain infoamanewonliag[.]online, which resolved to an Alibaba-hosted Tokyo IP address (47.245.6.91). The script appended a randomly generated parameter to the request to bypass caching, likely so that a fresh copy of the malware could be fetched on each load. Initial user reports surfaced on March 17th in a Reddit thread where visitors described a fake SSL error, later confirmed to be an artifact of the compromise. Further analysis revealed a second malicious file, 'update.js', which carried the fake SSL error page as base64-encoded HTML and attempted to deliver browser-specific payloads: Chrome users received 'update.exe' and Firefox users received 'installer.exe'. Antivirus vendors flagged both executables as trojans. Security analysts identified these payloads as Windows botnet clients written in PHP, which connected to the same Tokyo-based C2 infrastructure.


The attack chain used these downloads to deploy a PHP backdoor script on victim devices. The malware beaconed to its C2 server every ten seconds, allowing attackers to remotely execute commands, retrieve command output, and download additional files. This gave the threat actors initial access to compromised devices, with potential for lateral movement, credential theft, data exfiltration, or further malware deployment. Researchers placed the start of the website compromise in mid-March, noting that the domain infoamanewonliag[.]online had been mentioned in public reports 15 days before it drew broader attention. eFile.com removed the malicious JavaScript by early April, but the number of successful infections was never verified. As historical context, the LockBit ransomware group had claimed an attack on eFile.com in January 2022, though that claim was never officially confirmed. Operationally, the incident exposed users to malware for a prolonged period during peak tax-filing season, and the vendor disclosed no containment or remediation details beyond removal of the script.

Sources

1 source (available to members)