# Tax Return Customer Campaign Attempts to Infect Victims with Sorillus RAT

**abnormalsecurity.com/blog/tax-customers-sorillus-rat**

[Abnormal Blog](https://abnormalsecurity.com/blog)
Threat actors are posing as businesses and individuals seeking tax preparation services and
then providing copies of the Sorillus client remote access tool (RAT).

[Threat Intel](https://abnormalsecurity.com/blog/category/threat-intel)

With the US tax deadline looming, inboxes everywhere are awash in a sea of
messages advising their users to exercise caution and due diligence to prevent
fraud and identity theft.

If receiving and downloading files is necessary for business functions, it
becomes difficult to avoid downloading a malicious file. Some measure of risk is
unavoidable, especially if data must be received early in the process of
establishing a new client relationship—as is the case for CPAs and tax
preparation service providers.

The threat intelligence team at Abnormal Security recently observed a timely
campaign targeting accounting and tax professionals.

## Tax Customer Lure


-----

Between February 24, 2022, and March 4, 2022, we identified more than 130
emails from threat actors posing as potential clients. The emails claimed the
sender was attempting to locate a CPA ahead of April’s deadline and obtain
individual or business tax filing services for this year. However, each email
delivered not the promised tax documents but instead an obfuscated version of
the remote access tool (RAT) Sorillus.

_Initial contact by bad actors with potential victim_

After initial contact with the service provider was made, the actors sent followup messages containing a mega[.]nz file share link to Sorillus RAT. The link was
hiding underneath the text, pretending to be a simple PDF file attachment.

_Email with “DAVE_AN1040.PDF” text hiding suspicious mega[.]nz file-sharing_
_link_

Emails were sent from 10 different addresses but were easily identifiable
because the subject lines of the emails followed a similar pattern. Each
referenced business and individual tax documents appropriate for the service
supposedly being offered.

## Threat Analysis

Mega[.]nz was used to send the malicious file as an anti-detection technique,
and upon visiting the supplied link, a file masquerading as a PDF named
“DAVE_AN1040.PDF” was downloaded. In reality, though, the file was a .ZIP
archive containing a .JAR file.

_Malicious .JAR file inside ZIP archive posing as a PDF_

The .JAR file had two packages, obfuscated with what appears to be the Zelix
obfuscator.

_Decompiled .JAR file_

Even with the obfuscation, the name of the first package is in clear text,
_com.sorillus.client. Sorillus is a RAT that runs in Windows, Linux, and Mac OS,_
as we can see after some deobfuscation.

_Java class identifying different compatible operating systems_

The tool is able to collect the victim’s system information including hardware ID,
username, language, webcam, and OS.

_Java class with the parameters to collect_


-----

When deployed against a victim, Sorillus establishes the connection with its
command and control (C2). In this case, the IP address was 78[.]142[.]18[.]37.
The purpose of this C2 connection is to give the threat actor full control of the
victim’s operating system.

According to [VirusTotal, the C2 IP address is associated with HostSlick, a web](https://www.virustotal.com/gui/ip-address/78.142.18.37/relations)
hosting company based in Germany, and has previously been linked to five
other malicious samples similar to the Sorillus RAT we analyzed. Currently, the
domain justinblairinc[.]com, which may be impersonating a US-based
manufacturer and distributor of shoe store supplies, is also hosted on this IP
address.

_Sorillus RAT connection to C2 IP address_

_Example of network traffic_

Once the malware has successfully connected to the C2, remote access is
established and the threat actor is able to start stealing information. Stolen
information is encrypted and stored in the victim’s Temp directory until it is
extracted by the attacker.

_Stolen information stored in the Temp directory_

_Example of encrypted stolen information_

## What Is the Sorillus RAT?

_Sorillus homepage_

Sorillus is a paid remote access tool (RAT) that offers obfuscation and
encryption capabilities. While it was first created in 2019, interest in the tool has
increased considerably in the last six months since the previous update.

Beginning on January 18, 2022, different obfuscated client versions of the tool
started to be uploaded to VirusTotal. Sorillus’ features are described in detail on
[its website. The tool’s creator and distributor, a YouTube user known as “Tapt”,](https://www.youtube.com/channel/UC3G34krDPm79lbq17ARSPyA)
asserts that the tool is able to collect the following information from its target:

HardwareID

Username

Country

Language


-----

Webcam

Headless

Operating system

Client Version

Active on YouTube since April 2015, all of Tapt’s recent posts are exclusively
videos describing Sorillus RAT and its functions. Overall, their channel has
received almost 75K views, and the timing of their videos is consistent with
updates made to the tool.

_Tapt’s YouTube Channel_

The recently-identified malicious activities associated with this RAT are related
mainly to information stealing. However, due to Sorillus’ ability to bundle its
client code with any other java code, the range of malicious actions the tool can
take is broad.

_Screenshot showing three different Sorillus tool interfaces_

The tool supposedly costs 49.99€ for lifetime access but is currently available at
a discounted 19.99€. Conveniently, the Sorillus can be purchased via a variety
of cryptocurrencies.

_Payment methods for Sorillus_

## Protecting Yourself From the Sorillus RAT

For accounting and tax professionals, digital file sharing is a necessity. If you
primarily receive documents via email (as opposed to having clients upload
them to a secure portal), you must take precautions to reduce your risk of
downloading malicious files.

One simple step is to avoid opening any attachments or links in emails sent
from new or prospective clients until you (or a member of your staff) have
spoken with the client directly.

## Indicators of Compromise (IOCs)

1c7e5f54c879637967ec6937dee9f18afe33a7be71449d4ecdca8c8903e2a97b jar


-----

70a8cdbf0aacd885ec30d3c7632cf7fd4f4fe5814504c0dc7da92feb9ee37861 zip

78[.]142[.]18[.]37 C2

ililililililiilililili string

davidans1[@]delveroiin[.]com email

rayjames1101[@]gmail[.]com email

dexatri[.]com domain

begrino[.]com domain

delveroiin[.]com domain

## See the Abnormal Solution to the Email Security Problem

Protect your organization from the attacks that matter most with Abnormal
Integrated Cloud Email Security.

[See a Demo](https://abnormalsecurity.com/demo)
Excessive promotional mail, also known as graymail, is impacting productivity
and employee morale. Here are 11 startling graymail statistics.

[Read More](https://abnormalsecurity.com/blog/graymail-statistics)

We’re committed to creating an environment in which young professionals can
gain valuable experience to help them in their careers. Hear about the
Abnormal internship program firsthand.

[Read More](https://abnormalsecurity.com/blog/abnormal-internship-experience)
The number of ransomware attacks continued its downward trend in Q2 2022.
Learn why and discover more about ransomware threat actors and targets.

[Read More](https://abnormalsecurity.com/blog/ransomware-landscape-continues-decline-q2-2022)
This week, we released our H2 2022 Email Threat Report, which explores the
latest email attack trends, including the rise of brand impersonation in phishing
attacks.


-----

[Read More](https://abnormalsecurity.com/blog/265-brands-impersonated-phishing-attacks)
[Read More](https://abnormalsecurity.com/blog/launching-abnormal-intelligence)
[Read More](https://abnormalsecurity.com/blog/announcing-email-productivity)
The Abnormal Security team is committed to providing the best possible
solution and support experience to every customer. Here’s what a few of our
customers have to say about us.

[Read More](https://abnormalsecurity.com/blog/gartner-peer-insights-reviews-august-2022)
In episode 10 of Abnormal Engineering Stories, David Hagar, Director of
Engineering and Abnormal Head of UK Engineering, sits down with Zehan
Wang, co-founder of Magic Pony.

[Read More](https://abnormalsecurity.com/blog/engineering-stories-examining-uk-startup-ecosystem)
[Read More](https://abnormalsecurity.com/blog/email-attack-insights-top-names-in-cybersecurity)

Credential phishing attacks can lead to loss of revenue, loss of data, and longterm reputational damage. Learn why these attacks are successful and how to
block them.

[Read More](https://abnormalsecurity.com/blog/webinar-recap-blocking-phishing-attacks)
[Read More](https://abnormalsecurity.com/blog/email-security-survey-attacks-tools-trends)
[Read More](https://abnormalsecurity.com/blog/most-damaging-financial-supply-chain-compromise-types)


-----