Indian Users Targeted in Tax-Themed Phishing Campaign Delivering Blackmoon Malware
Cybersecurity researchers have identified an ongoing cyber espionage campaign targeting Indian users through sophisticated phishing emails. These emails, masquerading as communications from India’s Income Tax Department, aim to deceive recipients into downloading malicious files, thereby granting attackers persistent access to their systems for continuous monitoring and data exfiltration.
The primary objective of this attack is to deploy a variant of the Blackmoon banking trojan, also known as KRBanker, alongside a legitimate enterprise tool called SyncFuture TSM (Terminal Security Management). Developed by Nanjing Zhongke Huasai Technology Co., Ltd, a Chinese company, SyncFuture TSM is repurposed in this campaign as a comprehensive espionage framework. By leveraging this tool, attackers establish resilient persistence and gain a rich feature set to monitor victim activity and centrally manage the theft of sensitive information.
Attack Methodology:
1. Phishing Emails: Victims receive emails that appear to be from the Income Tax Department of India, prompting them to download a ZIP file under the pretense of reviewing tax-related documents.
2. Malicious Archive: The downloaded ZIP file contains five hidden files, with the exception of an executable named Inspection Document Review.exe. When executed, this file sideloads a malicious DLL included in the archive.
3. Anti-Analysis Measures: The malicious DLL performs checks to detect debugging tools and delays, ensuring it operates undetected. It then contacts an external server to fetch the next-stage payload.
4. Privilege Escalation: The downloaded shellcode employs a COM-based technique to bypass the User Account Control (UAC) prompt, gaining administrative privileges. It also modifies its own Process Environment Block (PEB) to masquerade as the legitimate Windows explorer.exe process, evading detection.
5. Payload Deployment: The malware retrieves a file named 180.exe from a remote domain. This 32-bit Inno Setup installer adjusts its behavior based on the presence of Avast Free Antivirus on the compromised system.
6. Antivirus Evasion: If Avast is detected, the malware uses automated mouse simulation to navigate the antivirus interface and add malicious files to its exclusion list without disabling the antivirus engine. This is achieved through a DLL identified as a variant of the Blackmoon malware family, known for targeting businesses in South Korea, the U.S., and Canada since its emergence in September 2015.
7. Legitimate Tool Abuse: The malware adds an executable named Setup.exe to the exclusion list. This utility, from SyncFutureTec Company Limited, writes mysetup.exe to disk, which is assessed to be SyncFuture TSM. By abusing this legitimate tool, attackers gain the ability to remotely control infected endpoints, record user activities, and exfiltrate data of interest.
8. Additional Components: Following the execution of the executable, other files are deployed, including batch scripts that create custom directories, modify Access Control Lists (ACLs) to grant permissions to all users, manipulate user permissions on Desktop folders, perform cleanup and restoration operations, and an executable called MANC.exe that orchestrates different services and enables extensive logging.
Implications and Recommendations:
This campaign underscores the evolving tactics of cybercriminals who blend legitimate tools with malicious code to achieve their objectives. By repurposing SyncFuture TSM, attackers not only gain extensive control over compromised systems but also complicate detection efforts due to the tool’s legitimate origins.
To mitigate such threats, users and organizations are advised to:
– Exercise Caution with Emails: Be wary of unsolicited emails, especially those requesting the download of files or providing links to external sites.
– Verify Sources: Confirm the authenticity of communications from official entities by contacting them through established channels.
– Maintain Updated Security Software: Ensure that antivirus and anti-malware solutions are up-to-date and configured to detect and prevent sideloading attacks.
– Educate Employees: Conduct regular training sessions to inform staff about phishing tactics and the importance of cybersecurity hygiene.
– Implement Multi-Factor Authentication (MFA): Enhance security by requiring multiple forms of verification before granting access to sensitive systems.
By adopting these measures, individuals and organizations can bolster their defenses against sophisticated phishing campaigns and the deployment of malicious software.
