
Cybersecurity researchers have discovered an ongoing campaign targeting users in India using multi-stage backdoors as part of a suspected cyber espionage campaign.
According to the eSentire Threat Response Unit (TRU), this activity involves using phishing emails impersonating the Indian Income Tax Department to trick victims into downloading malicious archives, ultimately granting threat actors persistent access to their machines for continuous monitoring and data exfiltration.
The ultimate goal of this sophisticated attack is to deploy a variant of a known banking Trojan called Blackmoon (also known as KRBanker) together with a legitimate enterprise tool called SyncFuture TSM (Terminal Security Management), developed by the Chinese company Nanjing Zhongke Huasai Technology Co., Ltd. The campaign has not been attributed to any known threat actor or group.

“Although marketed as a legitimate corporate tool, it has been repurposed in this campaign as a powerful all-in-one espionage framework,” eSentire said. “By deploying this system as a final payload, attackers gain a rich set of capabilities to establish resilient persistence, monitor victim activity, and centrally manage the theft of sensitive information.”
The ZIP file distributed through the fake tax bill contains five files, all hidden except for an executable (“Inspection Document Review.exe”) that is used to sideload a malicious DLL bundled in the archive. The DLL implements timing checks to detect delays introduced by a debugger and contacts an external server to retrieve the next-stage payload.
The downloaded shellcode uses COM-based techniques to bypass User Account Control (UAC) prompts and obtain administrative privileges. It also stays under the radar by modifying its own Process Environment Block (PEB) so that it appears to be the legitimate Windows “explorer.exe” process.
It then retrieves the next stage, ‘180.exe’, from the domain ‘eaxwwyr[.]cn’. This is a 32-bit Inno Setup installer that adjusts its behavior depending on whether the Avast Free Antivirus process (‘AvastUI.exe’) is running on the compromised host.
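The sideloading step described above (a signed-looking executable extracted from an archive into a user-writable folder loading a DLL that sits next to it) leaves a recognisable trace in image-load telemetry. The following is an added detection example, not code from the eSentire report: it evaluates Sysmon-style Event ID 7 (Image loaded) records with a few heuristics. The sample events, the DLL name and the directory layout are constructed; only the executable name comes from the report, and the list of system DLL names is a small illustrative subset.

```python
"""Heuristic triage for DLL sideloading from user-writable directories.

Added example, not code from the eSentire report: consumes Sysmon-style
Event ID 7 (Image loaded) records and flags cases where an executable
pulls a DLL from its own directory under a user-writable path.
"""
from pathlib import PureWindowsPath

# Path fragments marking locations a normal user can write to, where an
# extracted archive typically lands (assumption: tune per estate).
USER_WRITABLE_ROOTS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\", "\\programdata\\")
# Where Windows normally resolves system DLLs from.
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
# Constructed subset of DLL names that ship in System32 and are common
# sideloading targets; not a list taken from the report.
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "userenv.dll", "wtsapi32.dll", "uxtheme.dll"}


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive substring checks."""
    return path.replace("/", "\\").lower()


def is_user_writable(path: str) -> bool:
    return any(root in _norm(path) for root in USER_WRITABLE_ROOTS)


def is_system_dir(path: str) -> bool:
    return any(d in _norm(path) for d in SYSTEM_DIRS)


def sideload_reasons(event: dict) -> list:
    """Return the reasons an image-load event looks like sideloading ([] = benign)."""
    image = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])
    reasons = []
    if loaded.suffix.lower() != ".dll":
        return reasons
    same_dir = _norm(str(image.parent)) == _norm(str(loaded.parent))
    if same_dir and is_user_writable(str(loaded)):
        reasons.append("DLL loaded from the executable's own user-writable directory")
        # Sysmon records "Signed" as the strings "true" / "false".
        if event.get("Signed", "false").lower() != "true":
            reasons.append("that DLL is unsigned")
    if loaded.name.lower() in SYSTEM_DLL_NAMES and not is_system_dir(str(loaded)):
        reasons.append("system DLL name %s resolved outside System32" % loaded.name)
    return reasons


def find_sideloads(events) -> list:
    """Return (process image, loaded DLL, reasons) for every suspicious event."""
    hits = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            hits.append((ev["Image"], ev["ImageLoaded"], reasons))
    return hits


# Constructed sample events (field names follow Sysmon Event ID 7; the DLL
# name and directories are invented, only the EXE name is from the report).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\victim\Downloads\ITR_Notice\Inspection Document Review.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\ITR_Notice\version.dll",
     "Signed": "false"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true"},
    {"Image": r"C:\Users\victim\AppData\Local\Chat\chat.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Chat\helper.dll",
     "Signed": "true"},
]

if __name__ == "__main__":
    for image, dll, reasons in find_sideloads(SAMPLE_EVENTS):
        print(image, "->", dll)
        for reason in reasons:
            print("   ", reason)
```

The third sample event is the caveat: per-user applications installed under AppData legitimately load their own DLLs from their own directory, so the same-directory signal alone is a triage hint, not a verdict. The unsigned-DLL and system-DLL-name-outside-System32 signals, plus the parent process (an archive extractor or browser rather than an installer), are what push an event from "review" to "investigate".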

If the security product is detected, the malware uses automated mouse simulation to drive Avast’s interface and add its malicious files to the exclusion list, bypassing detection without disabling the antivirus engine. This is done through a DLL assessed to be a variant of the Blackmoon malware family, which is known to target businesses in South Korea, the United States, and Canada and first surfaced in September 2015.
The file added to the exclusion list is an executable named “Setup.exe”, a utility from SyncFutureTec Company Limited that writes “mysetup.exe” to disk. The latter is assessed to be SyncFuture TSM, a commercial tool with remote monitoring and management (RMM) capabilities.

By abusing a legitimate product, the attackers behind the campaign gain the ability to remotely control infected endpoints, log user activity, and steal sensitive data. Once the executable runs, the following additional files are also deployed:
- Batch scripts that create custom directories and modify access control lists (ACLs) to grant permissions to all users
- Batch scripts that manipulate user permissions on desktop folders
- Batch scripts that perform cleanup and restore operations
- An executable called “MANC.exe” that orchestrates various services and enables extensive logging
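Batch scripts that loosen ACLs so that every user can write to a staging directory show up in process-creation telemetry as icacls command lines, provided command-line auditing is enabled (Sysmon Event ID 1 or Security event 4688 with CommandLine). The following is an added detection example, not code from the eSentire report or the SyncFuture product: it parses icacls grant clauses and flags grants of Full, Modify or Write rights to broad principals such as Everyone, Users or Authenticated Users. All sample command lines and paths are constructed.

```python
"""Flag command lines that hand broad groups write or full control over a path.

Added example (not from the eSentire report): parses icacls invocations as
they appear in process-creation telemetry and reports grants to Everyone,
Users or Authenticated Users with Full, Modify or Write rights.
"""
import re

# Well-known broad principals, by name and by SID (icacls accepts both).
BROAD_PRINCIPALS = {
    "everyone", "*s-1-1-0",
    "users", "builtin\\users", "*s-1-5-32-545",
    "authenticated users", "*s-1-5-11",
}
# Simple-rights letters that allow changing content: Full, Modify, Write.
DANGEROUS_RIGHTS = {"F", "M", "W"}
# Inheritance flags that precede the rights letters, e.g. (OI)(CI)F.
_INHERIT_FLAGS = re.compile(r"\((?:OI|CI|IO|NP|I)\)", re.IGNORECASE)


def _tokens(cmdline: str) -> list:
    """Split a command line, keeping quoted segments attached to their argument."""
    return [t.replace('"', "") for t in re.findall(r'(?:"[^"]*"|\S)+', cmdline)]


def parse_icacls_grants(cmdline: str) -> list:
    """Return (principal, rights) pairs from every /grant or /grant:r clause."""
    tokens = _tokens(cmdline)
    if not tokens:
        return []
    exe = tokens[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("icacls", "icacls.exe"):
        return []
    grants = []
    i = 1
    while i < len(tokens):
        if tokens[i].lower() in ("/grant", "/grant:r"):
            i += 1
            # Grant operands continue until the next switch.
            while i < len(tokens) and not tokens[i].startswith("/"):
                principal, sep, rights = tokens[i].rpartition(":")
                if sep:
                    grants.append((principal, rights))
                i += 1
        else:
            i += 1
    return grants


def rights_letters(rights: str) -> set:
    """Reduce '(OI)(CI)F' or '(R,W)' to the set of simple-rights tokens."""
    cleaned = _INHERIT_FLAGS.sub("", rights)
    return set(re.findall(r"[A-Za-z]+", cleaned.upper()))


def weakens_acl(cmdline: str) -> list:
    """Return the grants in cmdline that give a broad principal write-capable rights."""
    return [
        (p, r) for p, r in parse_icacls_grants(cmdline)
        if p.lower() in BROAD_PRINCIPALS and rights_letters(r) & DANGEROUS_RIGHTS
    ]


def scan(cmdlines) -> list:
    """Return (command line, offending grants) for every flagged command line."""
    flagged = []
    for cmd in cmdlines:
        hits = weakens_acl(cmd)
        if hits:
            flagged.append((cmd, hits))
    return flagged


# Constructed sample command lines; none are taken from the report.
SAMPLE_CMDLINES = [
    r'icacls "C:\ProgramData\TSMData" /grant Everyone:(OI)(CI)F /T /C',
    r'icacls C:\Users\victim\Desktop /grant *S-1-5-32-545:(OI)(CI)M /T',
    r'C:\Windows\System32\icacls.exe "C:\Tools" /grant:r "NT AUTHORITY\SYSTEM":(OI)(CI)F Everyone:RX',
    r'icacls "C:\Web\site" /grant "IIS APPPOOL\site":(OI)(CI)RX /inheritance:r',
    r'cmd.exe /c attrib +h +s C:\ProgramData\TSMData',
]

if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_CMDLINES):
        print("ACL weakened:", cmd)
        for principal, rights in hits:
            print("    %s -> %s" % (principal, rights))
```

The third and fourth samples are there to keep the rule precise: a grant of full control to SYSTEM, or read-only access to Everyone, is routine administration and is not flagged, while Full or Modify for Everyone or the local Users group on a data directory is exactly what the batch scripts above produce. The same idea extends to cacls /g, takeown and PowerShell Set-Acl, which this parser does not cover.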
“It not only steals data, but provides tools to exercise fine-grained control over compromised environments, monitor user activity in real-time, and ensure its own persistence,” eSentire said. “Through a combination of analytical countermeasures, privilege escalation, DLL sideloading, repurposing of commercial tools, and security software evasion, threat actors demonstrate both their capabilities and intent.”
