Full Report
Introduction

Over the past few months, tax-themed phishing and malware campaigns have surged, particularly during and after the Income Tax Return (ITR) filing season. With ongoing public discussions around refund timelines, these scams appear more credible, giving attackers the perfect context to craft convincing lures. We recently analyzed emails impersonating the Indian Income Tax Department […] The post Indian Income Tax-Themed Phishing Campaign Targets Local Businesses appeared first on Blogs on Information Technology, Network & Cybersecurity | Seqrite.
Analysis Summary
# Incident Report: Indian Income Tax Themed Phishing Leading to RAT Deployment
## Executive Summary
A targeted spear-phishing campaign impersonating the Indian Income Tax Department (ITD) surged during the ITR filing season, leveraging public concerns over tax refunds to create convincing lures. The attack utilized an image-based email attachment that directed victims through a multi-stage infection chain involving a fake compliance portal, culminating in the deployment of persistent Remote Access Trojans (RATs) or infostealer malware on local business systems. The primary impact involves potential data theft and persistent unauthorized remote access achieved through obfuscated, multi-stage NSIS installers.
## Incident Details
- **Discovery Date:** The analysis of the campaign was recently published, suggesting active monitoring during the ITR season. (Specific "first detection" date not provided in the article).
- **Incident Date:** Campaign active "over the past few months," particularly during and after ITR filing season (Contextual timing).
- **Affected Organization:** Indian Businesses (Local Businesses).
- **Sector:** Varied (Implied, targeting recipients due to tax relevance).
- **Geography:** India.
## Timeline of Events
### Initial Access
- **Date/Time:** Contextually during the ITR filing season.
- **Vector:** Spear-Phishing Email (T1566.001).
- **Details:** Email spoofed as an official "Tax Compliance Review Notice" from the ITD. The body contained only an embedded image (to bypass text filters) with a fabricated reference number and deadline. It included an attachment: `Review Annexure.pdf`.
### Execution and Persistence
- **Date/Time:** Post-initial execution.
- **Vector:** Embedded URL leading to a forced download.
- **Details:** The accompanying PDF instructed the user to visit a fake compliance portal (`hxxps://www.akjys.top/`). Landing on this page forced the download of `Review Annexure.zip`. The ZIP contained two-stage NSIS installers that unpacked further files, relied on signed binaries to evade security controls, and established persistence via a Windows service (`NSecRTS.exe`).
### Data Exfiltration/Impact
- **Date/Time:** Followed persistence establishment.
- **Vector:** Remote Access Tools (RATs) and data harvesting.
- **Details:** The deployed malware harvested system information (OS version, hardware details, installed applications) and reported to multiple C2 servers over HTTP/HTTPS, using non-standard ports (48991/48992 and 3898) with port 80 as a fallback. The final stage enabled remote command and control.
### Detection & Response
- **How it was discovered:** Security researchers analyzed the suspicious emails impersonating the ITD. (External detection/analysis, not internal incident response details).
- **Response actions taken:** Analysis of the infection chain, attacker tactics, and documentation of the malware stages.
## Attack Methodology
- **Initial Access:** Spear-Phishing Link (T1566.002) via PDF attachment.
- **Persistence:** Creation of a new Windows Service (`NSecRTS.exe`) running at system boot (T1543.003, T1547.001).
- **Privilege Escalation:** Not explicitly detailed, but necessary for service installation and system discovery.
- **Defense Evasion:** Used digitally **code-signed NSIS installers** (T1553.002) from a Chinese source, obfuscated/encrypted payloads, and artifact deletion (T1070.004).
- **Credential Access:** (Not explicitly detailed, but implied by infostealer potential).
- **Discovery:** System Information Discovery (T1082) and Software Discovery (T1518).
- **Lateral Movement:** (Not explicitly detailed).
- **Collection:** Harvesting OS details, machine details, and installed applications.
- **Exfiltration:** Exfiltration Over Web Services (T1567.002) via HTTP POST to C2, scheduled transfer (T1029).
- **Impact:** Established Remote Access Tools (T1219) via the deployed service, enabling command and control.
## Impact Assessment
- **Financial:** Not specified, but potential for losses typical of RAT infections (ransomware deployment, theft leading to financial fraud).
- **Data Breach:** System telemetry, OS/hardware details, and installed software lists were harvested. Potential for further sensitive data theft if infostealers were deployed.
- **Operational:** Risk of full system compromise and remote takeover due to persistent RAT installation.
- **Reputational:** Increased risk for businesses due to association with IT compliance failure phishing templates.
## Indicators of Compromise
- **Network Indicators (Defanged):** C2 communications on ports 48991, 48992 and 3898, with port 80 as a fallback. Fake compliance portal / C2 URL: `hxxps://www.akjys.top/`.
- **File Indicators:** Files associated with `Review Annexure.pdf` and subsequently `Review Annexure.zip`. Executable name: `setup_Ir5swQ3EpeuBpePEpew=.exe`. Persistent service name: `NSecRTS.exe`.
- **Behavioral Indicators:** Use of multi-stage NSIS installers, forced file download upon visiting a webpage, and creation of a new network service for remote access.
## Response Actions
*(Note: The article details the analysis, not a live organizational response. The summary lists actions required based on the established threat.)*
- **Containment:** Immediate network isolation of any system identified as executing the NSIS installer or communicating with the known C2 infrastructure.
- **Eradication:** Removal of the persistent service (`NSecRTS.exe`) registered to start at boot via the registry/system services, and deletion of all unpacked malware components.
- **Recovery:** Full image restoration or thorough system cleaning/re-imaging of compromised hosts. Resetting credentials for any accounts potentially affected by host discovery.
## Lessons Learned
- **Effectiveness of Lures:** Tax/refund-themed lures are highly effective due to high relevance and existing pressure on businesses during filing seasons.
- **Filter Evasion:** Attackers are successfully bypassing email filters by using **image-only bodies** to hide text-based indicators.
- **Chain Sophistication:** Modern malware delivery relies heavily on multi-stage loaders (NSIS installers) and leveraging **signed binaries** (even foreign-signed ones) to subvert security trust controls.
## Recommendations
- **Email Security:** Implement advanced email filtering capable of deep inspection of attachments and scanning image content for embedded malicious links or text patterns.
- **User Training:** Mandatory training focusing specifically on tax/government impersonation, emphasizing that official letters rarely arrive via public webmail domains (Outlook.com in this case).
- **Endpoint Hardening:** Restrict the execution of downloaded content, especially staged payloads derived from archive files, and strictly audit the creation of new, persistent system services.
- **Network Monitoring:** Monitor outbound traffic for connections to non-standard high ports (like 48991/48992) or periodic outbound HTTP POST activity resembling beaconing traffic.
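The two network checks the recommendations call for, as an added example that is not part of the Seqrite write-up: a direct match on the report's C2 ports and portal host, plus a jitter test for periodic HTTP POSTs that also catches the port-80 fallback channel. The proxy-log layout, IP addresses and timestamps are assumed and constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Network IOCs from the report: non-standard C2 ports and the fake portal host.
C2_PORTS = {48991, 48992, 3898}
C2_HOSTS = {"www.akjys.top"}
# Assumed proxy-log layout: "<date> <time> <src-ip> <method> <host>:<port>"
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>[^:\s]+):(?P<port>\d+)$")

def parse(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable lines are skipped rather than treated as hits
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
    d["port"] = int(d["port"])
    return d

def find_c2_hits(lines):
    """Direct indicator matches: known portal host or known non-standard C2 port."""
    return [(r["src"], r["host"], r["port"]) for r in filter(None, map(parse, lines))
            if r["host"] in C2_HOSTS or r["port"] in C2_PORTS]

def find_beacons(lines, min_events=3, max_jitter=0.2):
    """Flag (src, host) pairs whose POSTs recur at near-constant intervals."""
    by_pair = defaultdict(list)
    for r in filter(None, map(parse, lines)):
        if r["method"] == "POST":
            by_pair[(r["src"], r["host"])].append(r["ts"])
    beacons = []
    for (src, host), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:  # low jitter = beacon-like
            beacons.append((src, host, round(avg)))
    return beacons

# Constructed sample log: 10.0.0.9 POSTs to one host every 5 minutes on port 80.
SAMPLE_LOG = [
    "2024-08-01 09:00:00 10.0.0.5 GET www.akjys.top:443",
    "2024-08-01 09:01:00 10.0.0.5 POST 203.0.113.7:48991",
    "2024-08-01 09:10:00 10.0.0.9 POST 198.51.100.20:80",
    "2024-08-01 09:15:00 10.0.0.9 POST 198.51.100.20:80",
    "2024-08-01 09:20:00 10.0.0.9 POST 198.51.100.20:80",
]
```

Tune `min_events` and `max_jitter` to the real beacon interval once it is known; a single POST to a C2 port is still caught by `find_c2_hits`.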