Cybersecurity researchers have discovered an ongoing campaign that’s targeting Indian users with a multi-stage backdoor as part of a suspected cyber espionage campaign.
The activity, per the eSentire Threat Response Unit (TRU), involves using phishing emails impersonating the Income Tax Department of India to trick victims into downloading a malicious archive, ultimately granting the threat actors persistent access to their machines for continuous monitoring and data exfiltration.
The end goal of the sophisticated attack is to deploy a variant of a known banking trojan called Blackmoon (aka KRBanker) and a legitimate enterprise tool called SyncFuture TSM (Terminal Security Management) that’s developed by Nanjing Zhongke Huasai Technology Co., Ltd, a Chinese company. The campaign has not been attributed to any known threat actor or group.
“While marketed as a legitimate enterprise tool, it is repurposed in this campaign as a powerful, all-in-one espionage framework,” eSentire said. “By deploying this system as their final payload, the threat actors establish resilient persistence and gain a rich feature set to monitor victim activity and centrally manage the theft of sensitive information.”
The ZIP file distributed through the fake tax penalty notices contains five different files, all of which are hidden except for an executable (“Inspection Document Review.exe”) that’s used to sideload a malicious DLL present in the archive. The DLL, for its part, implements checks to detect debugger-induced delays and contacts an external server to fetch the next-stage payload.
The downloaded shellcode then uses a COM-based technique to bypass the User Account Control (UAC) prompt to gain administrative privileges. It also modifies its own Process Environment Block (PEB) to masquerade as the legitimate Windows “explorer.exe” process to fly under the radar.
On top of that, it retrieves the next stage “180.exe” from the “eaxwwyr[.]cn” domain, a 32-bit Inno Setup installer that adjusts its behavior based on whether the Avast Free Antivirus process (“AvastUI.exe”) is running on the compromised host.
If the security program is detected, the malware uses automated mouse simulation to navigate Avast’s interface and add malicious files to its exclusion list without disabling the antivirus engine to bypass detection. This is achieved by means of a DLL that’s assessed to be a variant of the Blackmoon malware family, which is known for targeting businesses in South Korea, the U.S., and Canada. It first surfaced in September 2015.
The file added to the exclusion list is an executable named “Setup.exe,” which is a utility from SyncFutureTec Company Limited and is designed to write “mysetup.exe” to disk. The latter is assessed to be SyncFuture TSM, a commercial tool with remote monitoring and management (RMM) capabilities.
In abusing a legitimate offering, the threat actors behind the campaign gain the ability to remotely control infected endpoints, record user activities, and exfiltrate data of interest. Also deployed following the execution of the executable are other files –
Batch scripts that create custom directories and modify their Access Control Lists (ACLs) to grant permissions to all users
Batch scripts that manipulate user permissions on Desktop folders
A batch script performs cleanup and restoration operations
An executable called “MANC.exe” that orchestrates different services and enables extensive logging
“It provides them with the tools to not only steal data but to maintain granular control over the compromised environment, monitor user activity in real-time, and ensure their own persistence,” eSentire said. “By blending anti‑analysis, privilege escalation, DLL sideloading, commercial‑tool repurposing, and security‑software evasion, the threat actor demonstrates both capability and intent.”
📰 Original Source:TheHackerNews ✍️ Author: info@thehackernews.com (The Hacker News)
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Leave a Reply