On March 17th, a Reddit thread surfaced where multiple eFile.com users suspected the website was “hijacked.” At the time, the website showed an SSL error message that, some suspected, was fake and indicative of a hack. Turns out that’s indeed the case. […] The malicious JavaScript file ‘update.js’ further attempts to prompt users to download a next-stage payload, depending on whether they are using Chrome [update.exe – VirusTotal] or Firefox [installer.exe – VirusTotal]. Antivirus products have already started flagging these executables as trojans.
BleepingComputer has independently confirmed these binaries establish a connection to a Tokyo-based IP address, 47.245.6.91, that appears to be hosted with Alibaba. The same IP also hosts the illicit domain infoamanewonliag[.]online associated with this incident. Security research group MalwareHunterTeam further analyzed these binaries and stated that they contain Windows botnets written in PHP — a fact that the research group mocked. Additionally, the group called out eFile.com for leaving the malicious code on its website for weeks: “So, the website of [efile.com]… got compromised at least around middle of March & still not cleaned,” writes MalwareHunterTeam.
Read more of this story at Slashdot.