Tax Return Customer Campaign Attempts to Infect Victims with Sorillus RAT

Threat actors are posing as businesses and individuals seeking tax preparation services and then providing copies of the Sorillus client remote access tool (RAT).
April 6, 2022

With the US tax deadline looming, inboxes everywhere are awash in a sea of messages advising their users to exercise caution and due diligence to prevent fraud and identity theft.

If receiving and downloading files is necessary for business functions, it becomes difficult to avoid downloading a malicious file. Some measure of risk is unavoidable, especially if data must be received early in the process of establishing a new client relationship—as is the case for CPAs and tax preparation service providers.

The threat intelligence team at Abnormal Security recently observed a timely campaign targeting accounting and tax professionals.

Tax Customer Lure

Between February 24, 2022, and March 4, 2022, we identified more than 130 emails from threat actors posing as potential clients. The emails claimed the sender was attempting to locate a CPA ahead of April’s deadline and obtain individual or business tax filing services for this year. However, each email delivered not the promised tax documents but instead an obfuscated version of the remote access tool (RAT) Sorillus.

Initial Contact from impersonation attacker to deliver remote access tool Sorillus

Initial contact by bad actors with potential victim

After initial contact with the service provider was made, the actors sent follow-up messages containing a mega[.]nz file share link to Sorillus RAT. The link was hiding underneath the text, pretending to be a simple PDF file attachment.

Fake PDF link that is a mega[.]nz file share link to Sorillus RAT

Email with “DAVE_AN1040.PDF” text hiding suspicious mega[.]nz file-sharing link

Emails were sent from 10 different addresses but were easily identifiable because the subject lines of the emails followed a similar pattern. Each referenced business and individual tax documents appropriate for the service supposedly being offered.

Threat Analysis

Mega[.]nz was used to send the malicious file as an anti-detection technique, and upon visiting the supplied link, a file masquerading as a PDF named “DAVE_AN1040.PDF” was downloaded. In reality, though, the file was a .ZIP archive containing a .JAR file.

Sorillus RAT Malicious JAR File inside ZIP archive

Malicious .JAR file inside ZIP archive posing as a PDF

The .JAR file had two packages, obfuscated with what appears to be the Zelix obfuscator.

Decompiled JAR File

Decompiled .JAR file

Even with the obfuscation, the name of the first package is in clear text, com.sorillus.client. Sorillus is a RAT that runs in Windows, Linux, and Mac OS, as we can see after some deobfuscation.

Java class identifying Remote Access tool's compatible OS

Java class identifying different compatible operating systems

The tool is able to collect the victim’s system information including hardware ID, username, language, webcam, and OS.

Sorillus RAT Java collection parameters

Java class with the parameters to collect

When deployed against a victim, Sorillus establishes the connection with its command and control (C2). In this case, the IP address was 78[.]142[.]18[.]37. The purpose of this C2 connection is to give the threat actor full control of the victim’s operating system.

According to VirusTotal, the C2 IP address is associated with HostSlick, a web hosting company based in Germany, and has previously been linked to five other malicious samples similar to the Sorillus RAT we analyzed. Currently, the domain justinblairinc[.]com, which may be impersonating a US-based manufacturer and distributor of shoe store supplies, is also hosted on this IP address.

Sorillus RAT connection to C2 IP address

Sorillus RAT connection to C2 IP address

Sorillus RAT Network Traffic

Example of network traffic

Once the malware has successfully connected to the C2, remote access is established and the threat actor is able to start stealing information. Stolen information is encrypted and stored in the victim’s Temp directory until it is extracted by the attacker.

Sorillus RATs stolen information

Stolen information stored in the Temp directory

Encrypted information stolen by Sorillus RAT

Example of encrypted stolen information

What Is the Sorillus RAT?

Sorillus RAT homepage

Sorillus homepage

Sorillus is a paid remote access tool (RAT) that offers obfuscation and encryption capabilities. While it was first created in 2019, interest in the tool has increased considerably in the last six months since the previous update.

Beginning on January 18, 2022, different obfuscated client versions of the tool started to be uploaded to VirusTotal. Sorillus’ features are described in detail on its website. The tool’s creator and distributor, a YouTube user known as “Tapt”, asserts that the tool is able to collect the following information from its target:

  • HardwareID

  • Username

  • Country

  • Language

  • Webcam

  • Headless

  • Operating system

  • Client Version

Active on YouTube since April 2015, all of Tapt’s recent posts are exclusively videos describing Sorillus RAT and its functions. Overall, their channel has received almost 75K views, and the timing of their videos is consistent with updates made to the tool.

TAPT Youtube channel

Tapt’s YouTube Channel

The recently-identified malicious activities associated with this RAT are related mainly to information stealing. However, due to Sorillus’ ability to bundle its client code with any other java code, the range of malicious actions the tool can take is broad.

Sorillus RAT website featuring product interface

Screenshot showing three different Sorillus tool interfaces

The tool supposedly costs 49.99€ for lifetime access but is currently available at a discounted 19.99€. Conveniently, the Sorillus can be purchased via a variety of cryptocurrencies.

Sorillus RAT Payment method options

Payment methods for Sorillus

Protecting Yourself From the Sorillus RAT

For accounting and tax professionals, digital file sharing is a necessity. If you primarily receive documents via email (as opposed to having clients upload them to a secure portal), you must take precautions to reduce your risk of downloading malicious files.

One simple step is to avoid opening any attachments or links in emails sent from new or prospective clients until you (or a member of your staff) have spoken with the client directly.

Indicators of Compromise (IOCs)



















Tax Return Customer Campaign Attempts to Infect Victims with Sorillus RAT

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.


See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

Integrates Insights Reporting 09 08 22

Related Posts

B Complex Case of Account Compromise Blog
Discover how Abnormal helped one organization detect the sophisticated tactics an attacker used to compromise an employee's email account.
Read More
B Cross Platform Account Takeover
Discover the dangers of cross-platform account takeover, the challenges of detecting this attack, and how to implement proactive protection against ATO.
Read More
B 5 17 24 Legal
Learn how cybercriminals use superficial disclaimers to deceive others while facilitating illegal activity on cybercrime forums.
Read More
B Cybersecurity Influencers Blog 2024
Stay up to date on the latest cybersecurity trends, industry news, and best practices by following these 15 innovative and influential thought leaders on social media.
Read More
B 5 13 24 Docusign
Cybercriminals are abusing Docusign by selling customizable phishing templates on cybercrime forums, allowing attackers to steal credentials for phishing and business email compromise (BEC) scams.
Read More
Abnormal employees honored as CRN 2024 Women of the Channel for their influential leadership in the tech industry.
Read More