Corner purple 2 FINAL

Tax Return Customer Campaign Attempts to Infect Victims with Sorillus RAT

Threat actors are posing as businesses and individuals seeking tax preparation services and then providing copies of the Sorillus client remote access tool (RAT).

With the US tax deadline looming, inboxes everywhere are awash in a sea of messages advising their users to exercise caution and due diligence to prevent fraud and identity theft.

If receiving and downloading files is necessary for business functions, it becomes difficult to avoid downloading a malicious file. Some measure of risk is unavoidable, especially if data must be received early in the process of establishing a new client relationship—as is the case for CPAs and tax preparation service providers.

The threat intelligence team at Abnormal Security recently observed a timely campaign targeting accounting and tax professionals.

Tax Customer Lure

Between February 24, 2022, and March 4, 2022, we identified more than 130 emails from threat actors posing as potential clients. The emails claimed the sender was attempting to locate a CPA ahead of April’s deadline and obtain individual or business tax filing services for this year. However, each email delivered not the promised tax documents but instead an obfuscated version of the remote access tool (RAT) Sorillus.

Initial Contact from impersonation attacker to deliver remote access tool Sorillus

Initial contact by bad actors with potential victim

After initial contact with the service provider was made, the actors sent follow-up messages containing a mega[.]nz file share link to Sorillus RAT. The link was hiding underneath the text, pretending to be a simple PDF file attachment.

Fake PDF link that is a mega[.]nz file share link to Sorillus RAT

Email with “DAVE_AN1040.PDF” text hiding suspicious mega[.]nz file-sharing link

Emails were sent from 10 different addresses but were easily identifiable because the subject lines of the emails followed a similar pattern. Each referenced business and individual tax documents appropriate for the service supposedly being offered.

Threat Analysis

Mega[.]nz was used to send the malicious file as an anti-detection technique, and upon visiting the supplied link, a file masquerading as a PDF named “DAVE_AN1040.PDF” was downloaded. In reality, though, the file was a .ZIP archive containing a .JAR file.

Sorillus RAT Malicious JAR File inside ZIP archive

Malicious .JAR file inside ZIP archive posing as a PDF

The .JAR file had two packages, obfuscated with what appears to be the Zelix obfuscator.

Decompiled JAR File

Decompiled .JAR file

Even with the obfuscation, the name of the first package is in clear text, com.sorillus.client. Sorillus is a RAT that runs in Windows, Linux, and Mac OS, as we can see after some deobfuscation.

Java class identifying Remote Access tool's compatible OS

Java class identifying different compatible operating systems

The tool is able to collect the victim’s system information including hardware ID, username, language, webcam, and OS.

Sorillus RAT Java collection parameters

Java class with the parameters to collect

When deployed against a victim, Sorillus establishes the connection with its command and control (C2). In this case, the IP address was 78[.]142[.]18[.]37. The purpose of this C2 connection is to give the threat actor full control of the victim’s operating system.

According to VirusTotal, the C2 IP address is associated with HostSlick, a web hosting company based in Germany, and has previously been linked to five other malicious samples similar to the Sorillus RAT we analyzed. Currently, the domain justinblairinc[.]com, which may be impersonating a US-based manufacturer and distributor of shoe store supplies, is also hosted on this IP address.

Sorillus RAT connection to C2 IP address

Sorillus RAT connection to C2 IP address

Sorillus RAT Network Traffic

Example of network traffic

Once the malware has successfully connected to the C2, remote access is established and the threat actor is able to start stealing information. Stolen information is encrypted and stored in the victim’s Temp directory until it is extracted by the attacker.

Sorillus RATs stolen information

Stolen information stored in the Temp directory

Encrypted information stolen by Sorillus RAT

Example of encrypted stolen information

What Is the Sorillus RAT?

Sorillus RAT homepage

Sorillus homepage

Sorillus is a paid remote access tool (RAT) that offers obfuscation and encryption capabilities. While it was first created in 2019, interest in the tool has increased considerably in the last six months since the previous update.

Beginning on January 18, 2022, different obfuscated client versions of the tool started to be uploaded to VirusTotal. Sorillus’ features are described in detail on its website. The tool’s creator and distributor, a YouTube user known as “Tapt”, asserts that the tool is able to collect the following information from its target:

  • HardwareID

  • Username

  • Country

  • Language

  • Webcam

  • Headless

  • Operating system

  • Client Version

Active on YouTube since April 2015, all of Tapt’s recent posts are exclusively videos describing Sorillus RAT and its functions. Overall, their channel has received almost 75K views, and the timing of their videos is consistent with updates made to the tool.

TAPT Youtube channel

Tapt’s YouTube Channel

The recently-identified malicious activities associated with this RAT are related mainly to information stealing. However, due to Sorillus’ ability to bundle its client code with any other java code, the range of malicious actions the tool can take is broad.

Sorillus RAT website featuring product interface

Screenshot showing three different Sorillus tool interfaces

The tool supposedly costs 49.99€ for lifetime access but is currently available at a discounted 19.99€. Conveniently, the Sorillus can be purchased via a variety of cryptocurrencies.

Sorillus RAT Payment method options

Payment methods for Sorillus

Protecting Yourself From the Sorillus RAT

For accounting and tax professionals, digital file sharing is a necessity. If you primarily receive documents via email (as opposed to having clients upload them to a secure portal), you must take precautions to reduce your risk of downloading malicious files.

One simple step is to avoid opening any attachments or links in emails sent from new or prospective clients until you (or a member of your staff) have spoken with the client directly.

Indicators of Compromise (IOCs)

1c7e5f54c879637967ec6937dee9f18afe33a7be71449d4ecdca8c8903e2a97b

jar

70a8cdbf0aacd885ec30d3c7632cf7fd4f4fe5814504c0dc7da92feb9ee37861

zip

78[.]142[.]18[.]37

C2

ililililililiilililili

string

davidans1[@]delveroiin[.]com

email

rayjames1101[@]gmail[.]com

email

dexatri[.]com

domain

begrino[.]com

domain

delveroiin[.]com

domain

Image

Prevent the Attacks That Matter Most

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

0
Demo 2x 1

See the Abnormal Solution to the Email Security Problem

Protect your organization from the attacks that matter most with Abnormal Integrated Cloud Email Security.

Related Posts

B 10 3 22 Cobalt Terrapin Blog
Threat group Cobalt Terrapin uses sophisticated impersonation techniques with multiple steps to commit invoice fraud.
Read More
B 09 29 22 CISO Cybersecurity Awareness Month
October is here, which means Cybersecurity Awareness Month is officially in full swing! These five tips can help security leaders take full advantage of the month.
Read More
B Email Security Challenges Blog 09 26 22
Understanding common email security challenges caused by your legacy technology will help you determine the best solution to improve your security posture.
Read More
B 5 Crucial Tips
Retailers are a popular target for threat actors due to their wealth of customer data and availability of funds. Here are 5 cybersecurity tips to help retailers reduce their risk of attack.
Read More
B 3 Essential Elements
Legacy approaches to managing unwanted mail are neither practical nor scalable. Learn the 3 essential elements of modern, effective graymail management.
Read More
B Back to School
Discover how threat group Chiffon Herring leverages impersonation and spoofed email addresses to divert paychecks to mule accounts.
Read More
B 09 06 22 Rearchitecting a System Blog
We recently shared a look at how the Abnormal engineering team overhauled our Unwanted Mail service architecture to accommodate our rapid growth. Today, we’re diving into how the team migrated traffic to the new architecture—with zero downtime.
Read More
B Industry Leading CIS Os
Stay up to date on the latest cybersecurity trends, industry news, and best practices by following these 12 innovative and influential thought leaders on social media.
Read More
B Podcast Engineering 11 08 24 22
In episode 11 of Abnormal Engineering Stories, David Hagar, Director of Engineering and Abnormal Head of UK Engineering, continues his conversation with Zehan Wang, co-founder of Magic Pony.
Read More