Full Report
Cybersecurity researchers have discovered an ongoing campaign that's targeting Indian users with a multi-stage backdoor as part of a suspected cyber espionage campaign. The activity, per the eSentire Threat Response Unit (TRU), involves using phishing emails impersonating the Income Tax Department of India to trick victims into downloading a malicious archive, ultimately granting the threat
Analysis Summary
# Threat Actor: Undetermined (Suspected Cyber Espionage Actors)
## Attribution & Identity
* **Identification:** Campaign has *not* been attributed to any known threat actor or group by the reporting researchers (eSentire TRU).
* **Known Aliases/Groups:** None explicitly linked in the context provided, although the payload incorporates Blackmoon malware variants.
## Activity Summary
This is an ongoing cyber espionage campaign targeting Indian users. The threat actors use phishing emails impersonating the **Income Tax Department of India** to distribute a multi-stage backdoor designed to establish persistent access, conduct continuous monitoring, and exfiltrate data.
## Tactics, Techniques & Procedures
- **Initial Access:** Phishing emails impersonating the Income Tax Department of India.
- **Execution/Delivery:** Delivery via a malicious ZIP archive containing five hidden files, including a primary executable ("Inspection Document Review.exe").
- **Defense Evasion (Sideloading):** The primary executable is used to sideload a malicious DLL.
- **Defense Evasion (Anti-Debugging):** The malicious DLL implements timing checks that detect the execution delays a debugger introduces (for example, when single-stepping), so analysis under a debugger does not proceed to the next stage.
- **Command and Control (C2) & Staging:** The DLL contacts an external server to fetch the next-stage payload (shellcode).
- **Privilege Escalation:** The downloaded shellcode uses a **COM-based technique to bypass User Account Control (UAC)** prompts to gain administrative privileges.
- **Defense Evasion (Masquerading):** Modifies its own Process Environment Block (PEB) to masquerade as the legitimate Windows "explorer.exe" process.
- **Payload Retrieval:** Retrieves the next stage ("180.exe," an Inno Setup installer) from the domain `eaxwwyr[.]cn`.
- **Defense Evasion (AV Bypass):** If Avast Free Antivirus ("AvastUI.exe") is detected, the malware uses **automated mouse simulation** to navigate the Avast interface and add malicious files to the exclusion list without disabling the engine.
- **Persistence/Implantation:** The file added to the Avast exclusion list is "Setup.exe," which writes "mysetup.exe" (identified as SyncFuture TSM) to disk.
- **Remote Access/Control:** Deploys SyncFuture TSM (a legitimate RMM tool) for remote control, monitoring, and data exfiltration.
- **System Modification:** Uses batch scripts to create custom directories, modify Access Control Lists (ACLs) to grant permissions, and manipulate permissions on Desktop folders.
- **Final Stage Execution:** Deploys an executable named "MANC.exe" to orchestrate services and enable extensive logging.
## Targeting
- **Sectors:** Not explicitly stated, though the lure targets interactions with a government department (Tax).
- **Geography:** India (Targeting Indian users).
- **Victims:** General users interacting with Indian tax correspondence.
## Tools & Infrastructure
- **Malware Families Used:**
* Variant of **Blackmoon** malware (aka KRBanker).
* **SyncFuture TSM** (Terminal Security Management) commercial tool, repurposed for espionage.
- **Infrastructure (C2):** `eaxwwyr[.]cn` (used to retrieve the next stage "180.exe").
- **Associated Vendor:** Nanjing Zhongke Huasai Technology Co., Ltd (developer of SyncFuture TSM).
## Implications
The use of advanced TTPs, including UAC bypass via COM and automated mouse simulation to add the malware's files to Avast's exclusion list, suggests a sophisticated actor focused on cyber espionage. Relying on a legitimate, commercially available RMM tool (SyncFuture TSM) gives the threat actors resilient persistence and granular control for long-term monitoring and data theft, while blending in with software that may be expected on a managed endpoint.
## Mitigations
- Enhanced email filtering and user training specifically regarding official Income Tax Department communications (especially those involving archives or executable files).
- Monitor for process masquerading: because the PEB is user-mode memory, a process that rewrites its own PEB fools tools that read the image path from the PEB, but not the kernel's view of the image. Compare the PEB-reported image path and command line against the path the kernel (or the EDR's process-creation event) recorded, and alert on mismatches such as an unknown binary claiming to be explorer.exe.
- Implement rigorous application allow-listing, alert on high-integrity processes that appear without a consent prompt from a medium-integrity parent (the pattern a COM-based UAC bypass produces), and monitor additions to security-software exclusion lists, especially when made by scripts or synthetic mouse/keyboard input rather than an interactive user.
- Network monitoring for connections to known C2 infrastructure, specifically from systems downloading payloads related to this campaign.
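As an added detection example, not code from eSentire or from the report: the following Python triage runs a handful of heuristics over constructed, Sysmon-like event records that stand in for the telemetry an EDR would produce for the chain described in the TTP list (PEB/kernel image-path mismatch, a DLL loaded from the executable's own non-system directory, DNS lookups of the reported C2 domain, `icacls` grants spawned by a non-system parent, and an executable written by a process running from a user-writable path). The event field names, the `proc_snapshot` record, the user paths and the sideloaded DLL name `helper.dll` are assumptions; only `eaxwwyr.cn`, the executable names and the Desktop ACL change come from the report.

```python
"""Heuristic triage of constructed endpoint telemetry against the campaign's TTPs.

Added example, not the report's or eSentire's code. The event schema is a
simplified Sysmon-like stand-in; field names are assumptions.
"""
import ntpath

# Indicator taken from the report; every other value below is constructed.
C2_DOMAINS = {"eaxwwyr.cn"}
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample events (not real telemetry). PIDs 4120/5200/5210 model
# the malicious chain; PID 5300 is a benign explorer.exe used as a control.
EVENTS = [
    {"type": "proc_create", "pid": 4120, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\ravi\Downloads\Inspection Document Review.exe",
     "cmdline": r'"C:\Users\ravi\Downloads\Inspection Document Review.exe"'},
    {"type": "image_load", "pid": 4120,  # helper.dll is a constructed name
     "image": r"C:\Users\ravi\Downloads\Inspection Document Review.exe",
     "loaded": r"C:\Users\ravi\Downloads\helper.dll"},
    {"type": "dns", "pid": 4120, "query": "eaxwwyr.cn"},
    # Snapshot record: what the process says about itself (PEB) vs. what the
    # kernel recorded at creation time. A PEB rewrite shows up as a mismatch.
    {"type": "proc_snapshot", "pid": 4120,
     "peb_image_path": r"C:\Windows\explorer.exe",
     "kernel_image_path": r"C:\Users\ravi\Downloads\Inspection Document Review.exe"},
    {"type": "proc_create", "pid": 5200, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\ravi\AppData\Local\Temp\Setup.exe",
     "cmdline": r'cmd.exe /c icacls "C:\Users\ravi\Desktop" /grant Everyone:(OI)(CI)F'},
    {"type": "file_create", "pid": 5210,
     "image": r"C:\Users\ravi\AppData\Local\Temp\Setup.exe",
     "target": r"C:\Users\ravi\AppData\Local\Temp\mysetup.exe"},
    # Benign control: real explorer.exe started by userinit, loading shell32.
    {"type": "proc_create", "pid": 5300, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    {"type": "image_load", "pid": 5300, "image": r"C:\Windows\explorer.exe",
     "loaded": r"C:\Windows\System32\shell32.dll"},
    {"type": "dns", "pid": 5300, "query": "www.microsoft.com"},
    {"type": "proc_snapshot", "pid": 5300,
     "peb_image_path": r"C:\Windows\explorer.exe",
     "kernel_image_path": r"C:\Windows\explorer.exe"},
]


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _in_system_dir(path: str) -> bool:
    return _norm(path).startswith(SYSTEM_ROOTS)


def rule_peb_masquerade(ev):
    """PEB-reported image path disagrees with the kernel-recorded one."""
    if ev["type"] != "proc_snapshot":
        return None
    if _norm(ev["peb_image_path"]) != _norm(ev["kernel_image_path"]):
        return ("peb_masquerade", ev["pid"],
                f"PEB claims {ev['peb_image_path']} but kernel sees {ev['kernel_image_path']}")
    return None


def rule_dll_sideload(ev):
    """A non-system executable loads a DLL sitting in its own directory."""
    if ev["type"] != "image_load" or not ev["loaded"].lower().endswith(".dll"):
        return None
    exe, dll = ev["image"], ev["loaded"]
    same_dir = _norm(ntpath.dirname(exe)) == _norm(ntpath.dirname(dll))
    if same_dir and not _in_system_dir(exe):
        return ("dll_sideload", ev["pid"],
                f"{ntpath.basename(exe)} loaded {ntpath.basename(dll)} from its own directory")
    return None


def rule_c2_dns(ev):
    """DNS query for a domain named in the report."""
    if ev["type"] == "dns" and ev["query"].lower().rstrip(".") in C2_DOMAINS:
        return ("c2_dns", ev["pid"], f"query for known C2 domain {ev['query']}")
    return None


def rule_acl_tamper(ev):
    """icacls/cacls /grant launched by a parent outside system directories."""
    if ev["type"] != "proc_create":
        return None
    cmd = ev["cmdline"].lower()
    if "cacls" in cmd and "/grant" in cmd and not _in_system_dir(ev["parent"]):
        return ("acl_tamper", ev["pid"], f"ACL grant spawned by {ev['parent']}")
    return None


def rule_dropped_exe(ev):
    """Executable written by a process that itself runs from a user-writable path."""
    if ev["type"] == "file_create" and ev["target"].lower().endswith(".exe") \
            and not _in_system_dir(ev["image"]):
        return ("dropped_executable", ev["pid"],
                f"{ntpath.basename(ev['image'])} wrote {ev['target']}")
    return None


RULES = [rule_peb_masquerade, rule_dll_sideload, rule_c2_dns, rule_acl_tamper, rule_dropped_exe]


def triage(events):
    """Run every rule over every event; return a list of finding dicts."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append({"rule": hit[0], "pid": hit[1], "detail": hit[2]})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f['rule']}] pid={f['pid']}: {f['detail']}")
```

Each rule is deliberately narrow and keyed on a property the malware cannot hide from kernel-sourced telemetry (the recorded image path, the loading process's directory, the DNS question, the parent of the `icacls` process). On real data, correlate hits by PID and parent chain: a single `dll_sideload` from a Downloads folder is noisy on its own, but the same PID also producing `peb_masquerade` and `c2_dns` is the pattern this report describes.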