image
Cybercriminals are ready for tax season with new malware designed to exfiltrate Quickbooks data and post it on the internet, according to a new report from ThreatLocker. Attackers use email to deliver the malware, which the ThreatLocker’s CEO Danny Jenkins told Threatpost is a simple, 15-line piece of code. There are two specific methods attackers used to get the malware to targets: The first is to send a PowerShell command to exfiltrate the data; and the second is to use a Word document to deliver a link or macro to retrieve a file. After that, the stolen files are sent to the internet, where they’re up for grabs. “Once the executable or PowerShell command is running, it retrieves your most recently saved Quickbooks’ file location, points to your file share or local file, and proceeds to upload your file to the internet,” the report said. Jump in PowerShell Access to Quickbooks Jenkins added that ThreatLocker has seen a six- to seven-times increase in instances of PowerShell accessing QuickBooks in recent weeks. A QuickBooks default permissions setting makes things extra-easy for attackers, according to the firm. “When Quickbooks is on a file server, you are required to use a Quickbooks Database Server Manager, the report said. “When carrying out a repair, file permissions are reset and the ‘everyone’ group is added to the permission. As a result, access to the database is left wide open and this is a major security concern. ” Jenkins said he was able to reverse engineer…

Source