Tax Return Customer Campaign Attempts to Infect Victims with Sorillus RAT

Threat actors are posing as businesses and individuals seeking tax preparation services and then providing copies of the Sorillus client remote access tool (RAT).

With the US tax deadline looming, inboxes everywhere are awash in a sea of messages advising their users to exercise caution and due diligence to prevent fraud and identity theft.

If receiving and downloading files is necessary for business functions, it becomes difficult to avoid downloading a malicious file. Some measure of risk is unavoidable, especially if data must be received early in the process of establishing a new client relationship—as is the case for CPAs and tax preparation service providers.

The threat intelligence team at Abnormal Security recently observed a timely campaign targeting accounting and tax professionals.

Tax Customer Lure

Between February 24, 2022, and March 4, 2022, we identified more than 130 emails from threat actors posing as potential clients. The emails claimed the sender was attempting to locate a CPA ahead of April’s deadline and obtain individual or business tax filing services for this year. However, each email delivered not the promised tax documents but instead an obfuscated version of the remote access tool (RAT) Sorillus.

Initial contact by bad actors with potential victim

After initial contact with the service provider was made, the actors sent follow-up messages containing a mega[.]nz file share link to Sorillus RAT. The link was hidden beneath display text made to look like a simple PDF file attachment.

Email with “DAVE_AN1040.PDF” text hiding suspicious mega[.]nz file-sharing link
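
A mail filter can catch this disguise by comparing each link's visible text with its real target. The following is an added example, not code from Abnormal Security; the host set, the file-name pattern, and the sample message body are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# File-sharing hosts to flag. mega.nz is the host named in this campaign;
# the contents of this set are an assumption to adapt per environment.
FILE_SHARE_HOSTS = {"mega.nz"}
# Display text that reads like a document file name, e.g. "DAVE_AN1040.PDF".
DOC_NAME = re.compile(r"^\s*[\w .()-]+\.(pdf|docx?|xlsx?)\s*$", re.IGNORECASE)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def disguised_links(html_body):
    """Return links whose text looks like a document but whose target is a file-share host."""
    parser = AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        on_share = any(host == h or host.endswith("." + h) for h in FILE_SHARE_HOSTS)
        if DOC_NAME.match(text) and on_share:
            findings.append({"text": text, "host": host})
    return findings

# Constructed sample body; the URL path and fragment are placeholders.
SAMPLE = ('<p>Please find my documents attached.</p>'
          '<a href="https://mega.nz/file/EXAMPLE#KEY">DAVE_AN1040.PDF</a>'
          '<a href="https://example.com/about">Our website</a>')

if __name__ == "__main__":
    print(disguised_links(SAMPLE))
```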

Emails were sent from 10 different addresses but were easily identifiable because the subject lines of the emails followed a similar pattern. Each referenced business and individual tax documents appropriate for the service supposedly being offered.

Threat Analysis

Mega[.]nz was used to send the malicious file as an anti-detection technique, and upon visiting the supplied link, a file masquerading as a PDF named “DAVE_AN1040.PDF” was downloaded. In reality, though, the file was a .ZIP archive containing a .JAR file.

Malicious .JAR file inside ZIP archive posing as a PDF

The .JAR file had two packages, obfuscated with what appears to be the Zelix obfuscator.

Decompiled .JAR file

Even with the obfuscation, the name of the first package appears in clear text: com.sorillus.client. Sorillus is a RAT that runs on Windows, Linux, and macOS, as we can see after some deobfuscation.

Java class identifying different compatible operating systems
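
Both observations above, a ZIP archive delivered under a .PDF name and a package path left in clear text, can be checked statically before anyone opens the download. The following is an added example, not code from Abnormal Security; the size cap and the sample archive (built in memory with empty class files and a made-up inner JAR name) are assumptions constructed for illustration.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
PDF_MAGIC = b"%PDF-"
# Package path reported in clear text in the analysed sample (com.sorillus.client).
KNOWN_PACKAGE = "com/sorillus/client/"
MAX_JAR_BYTES = 50 * 1024 * 1024  # assumed cap so a crafted archive cannot exhaust memory

def inspect_claimed_pdf(name, data):
    """Compare a file's extension with its content and list JARs inside disguised archives."""
    report = {"name": name, "real_type": "unknown", "mismatch": False,
              "jars": [], "known_package": False}
    if data.startswith(PDF_MAGIC):
        report["real_type"] = "pdf"
    elif data.startswith(ZIP_MAGIC):
        report["real_type"] = "zip"
    report["mismatch"] = name.lower().endswith(".pdf") and report["real_type"] != "pdf"
    if report["real_type"] != "zip":
        return report
    with zipfile.ZipFile(io.BytesIO(data)) as outer:
        for info in outer.infolist():
            if not info.filename.lower().endswith(".jar"):
                continue
            report["jars"].append(info.filename)
            if info.file_size > MAX_JAR_BYTES:
                continue  # too large to inspect in memory; still reported above
            try:
                # A JAR is itself a ZIP: read entry names only, never execute it.
                with zipfile.ZipFile(io.BytesIO(outer.read(info))) as jar:
                    if any(n.startswith(KNOWN_PACKAGE) for n in jar.namelist()):
                        report["known_package"] = True
            except zipfile.BadZipFile:
                pass  # a .jar entry that is not a valid archive
    return report

def build_sample():
    """Constructed stand-in: a ZIP holding a JAR whose class files are empty."""
    jar_buf = io.BytesIO()
    with zipfile.ZipFile(jar_buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("com/sorillus/client/a.class", b"")
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as outer:
        outer.writestr("document.jar", jar_buf.getvalue())  # hypothetical inner name
    return zip_buf.getvalue()

if __name__ == "__main__":
    print(inspect_claimed_pdf("DAVE_AN1040.PDF", build_sample()))
```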

The tool is able to collect the victim’s system information including hardware ID, username, language, webcam, and OS.

Java class with the parameters to collect

When deployed against a victim, Sorillus establishes the connection with its command and control (C2). In this case, the IP address was 78[.]142[.]18[.]37. The purpose of this C2 connection is to give the threat actor full control of the victim’s operating system.

According to VirusTotal, the C2 IP address is associated with HostSlick, a web hosting company based in Germany, and has previously been linked to five other malicious samples similar to the Sorillus RAT we analyzed. Currently, the domain justinblairinc[.]com, which may be impersonating a US-based manufacturer and distributor of shoe store supplies, is also hosted on this IP address.

Sorillus RAT connection to C2 IP address

Example of network traffic

Once the malware has successfully connected to the C2, remote access is established and the threat actor is able to start stealing information. Stolen information is encrypted and stored in the victim’s Temp directory until it is extracted by the attacker.

Stolen information stored in the Temp directory

Example of encrypted stolen information

What Is the Sorillus RAT?

Sorillus homepage

Sorillus is a paid remote access tool (RAT) that offers obfuscation and encryption capabilities. While it was first created in 2019, interest in the tool has increased considerably in the last six months since the previous update.

Beginning on January 18, 2022, different obfuscated client versions of the tool started to be uploaded to VirusTotal. Sorillus’ features are described in detail on its website. The tool’s creator and distributor, a YouTube user known as “Tapt”, asserts that the tool is able to collect the following information from its target:

  • HardwareID
  • Username
  • Country
  • Language
  • Webcam
  • Headless
  • Operating system
  • Client Version

Tapt has been active on YouTube since April 2015, and all of their recent posts are exclusively videos describing Sorillus RAT and its functions. Overall, their channel has received almost 75K views, and the timing of their videos is consistent with updates made to the tool.

Tapt’s YouTube Channel

The recently identified malicious activities associated with this RAT are related mainly to information stealing. However, due to Sorillus’ ability to bundle its client code with any other Java code, the range of malicious actions the tool can take is broad.

Screenshot showing three different Sorillus tool interfaces

The tool supposedly costs 49.99€ for lifetime access but is currently available at a discounted 19.99€. Conveniently, Sorillus can be purchased via a variety of cryptocurrencies.

Payment methods for Sorillus

Protecting Yourself From the Sorillus RAT

For accounting and tax professionals, digital file sharing is a necessity. If you primarily receive documents via email (as opposed to having clients upload them to a secure portal), you must take precautions to reduce your risk of downloading malicious files.

One simple step is to avoid opening any attachments or links in emails sent from new or prospective clients until you (or a member of your staff) have spoken with the client directly. Another effective option is to upgrade your email security. To learn more about how Abnormal can stop these attacks before they reach you, request a demo of the platform.

Indicators of Compromise (IOCs)



















