Sophisticated Tax Phishing Campaign Targets Indian Users with Blackmoon Malware
#Security


Security Reporter
2 min read

Indian users are being targeted by a multi-stage cyber espionage campaign using fake tax notices to deploy Blackmoon malware and repurposed enterprise tools.


Cybersecurity researchers at eSentire's Threat Response Unit (TRU) have uncovered an ongoing cyber espionage campaign specifically targeting Indian users with sophisticated phishing tactics. The operation employs fake penalty notices impersonating India's Income Tax Department to deliver malware that establishes persistent access to victims' systems.

The attack begins with a ZIP archive containing five files, among them an executable named Inspection Document Review.exe. When run, the executable loads a malicious DLL shipped alongside it in the archive (DLL sideloading). The DLL performs anti-analysis checks before contacting a command-and-control server (eaxwwyr[.]cn) to retrieve the next payload. Researchers noted that the malware uses several techniques to get past security controls:

  • A COM-based UAC bypass to obtain administrative privileges without an elevation prompt
  • Manipulation of its own Process Environment Block (PEB) so that tools reading the image path from the PEB see explorer.exe
  • Automated mouse simulation to evade detection by Avast Free Antivirus

The malware ultimately deploys two primary components:

  1. A variant of the Blackmoon banking trojan (KRBanker), which targets financial data
  2. SyncFuture TSM, a legitimate enterprise monitoring tool developed by the Chinese firm Nanjing Zhongke Huasai Technology Co., Ltd

This commercial remote monitoring and management (RMM) tool gives the attackers capabilities including:

  • Remote endpoint control and real-time user activity monitoring
  • Automated data exfiltration
  • Granular logging via the MANC.exe orchestrator

According to eSentire, "By deploying this system as their final payload, the threat actors establish resilient persistence and gain a rich feature set to monitor victim activity and centrally manage the theft of sensitive information."

Practical Protection Measures

Organizations and individuals should implement these defenses:

  1. Email Verification: Treat unexpected tax notices as unverified until confirmed through the Income Tax Department's official channels, never through links or attachments in the message itself
  2. Application Control: Block execution from user-writable locations such as Temp, Downloads and AppData with Microsoft AppLocker or Windows Defender Application Control; the default AppLocker rules already restrict executables to the Program Files and Windows directories
  3. Behavior Monitoring: Deploy endpoint detection that analyzes process behavior (UAC bypass attempts, a process whose PEB image name does not match its on-disk path, unattended input simulation) rather than relying on file signatures
  4. Least Privilege Enforcement: Give users standard, non-administrator accounts, since a COM-based UAC bypass only elevates silently when the current user is already a member of the Administrators group; where local administrator accounts must exist, manage and rotate their passwords with Microsoft LAPS so a single compromised host does not yield a credential that works everywhere
  5. DLL Sideload Protection: Alert when an executable running from a user-writable directory loads an unsigned DLL from that same directory, or loads a DLL with a Windows system DLL name from anywhere other than System32 or SysWOW64
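The following script is an added example, not code from eSentire's report or from this article. It implements the sideload check from item 5 over Sysmon Event ID 7 (ImageLoad) records: a process loading a DLL from its own user-writable directory, where that DLL is unsigned, or a load of a well-known system DLL name from outside the system directories. The events are constructed for the example; only the executable name comes from the report, while the extraction directory, the victim username and the planted DLL name (version.dll, a common sideload target) are assumptions.

```python
"""Flag DLL sideloading candidates in Sysmon Event ID 7 (ImageLoad) records.

Added example, not from the eSentire report. A sideload typically looks like
an executable running from a user-writable directory (Temp, Downloads,
AppData) that loads a DLL sitting beside it, where the DLL is unsigned or
carries the name of a Windows system DLL that should only ever load from
System32/SysWOW64. The sample events at the bottom are constructed.
"""
import ntpath
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Directories an unprivileged user can write to (lower-case prefixes).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# System DLL names commonly planted next to a legitimate EXE for sideloading.
# Loading any of these from outside the system directories is suspicious
# whatever the signature says.
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll", "cryptbase.dll"}


@dataclass
class ImageLoad:
    image: str             # Image: path of the process doing the load
    image_loaded: str      # ImageLoaded: path of the DLL being loaded
    signed: bool           # Signed: "true" / "false"
    signature_status: str  # SignatureStatus: e.g. "Valid", "Unavailable"


def parse_event(line: str) -> ImageLoad:
    """Parse one flattened 'Key=Value|Key=Value' Sysmon ID 7 line."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(
        image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        signed=fields.get("Signed", "false").lower() == "true",
        signature_status=fields.get("SignatureStatus", "Unavailable"),
    )


def _under(path: str, prefixes: Tuple[str, ...]) -> bool:
    return path.lower().startswith(prefixes)


def sideload_reasons(ev: ImageLoad) -> List[str]:
    """Return why an image load looks like sideloading ([] means benign)."""
    if _under(ev.image_loaded, SYSTEM_DIRS):
        return []  # the normal case: system DLL resolved from the system directory
    reasons: List[str] = []
    dll_name = ntpath.basename(ev.image_loaded).lower()
    same_dir = ntpath.dirname(ev.image).lower() == ntpath.dirname(ev.image_loaded).lower()
    if dll_name in KNOWN_SYSTEM_DLLS:
        reasons.append(f"system DLL name {dll_name} loaded from a non-system path")
    validly_signed = ev.signed and ev.signature_status.lower() == "valid"
    if same_dir and _under(ev.image, USER_WRITABLE_PREFIXES) and not validly_signed:
        reasons.append("unsigned DLL loaded from the executable's own user-writable directory")
    return reasons


def scan(lines: Iterable[str]) -> List[Tuple[str, str, List[str]]]:
    """Run the check over raw event lines; returns (process, dll, reasons) hits."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = sideload_reasons(ev)
        if reasons:
            hits.append((ev.image, ev.image_loaded, reasons))
    return hits


# Constructed sample events (not real telemetry). Only the third is malicious:
# the lure executable named in the report loading an unsigned version.dll
# from the (assumed) directory the ZIP was extracted to.
SAMPLE_EVENTS = r"""
Image=C:\Windows\System32\notepad.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true|SignatureStatus=Valid
Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Program Files\Vendor\helper.dll|Signed=true|SignatureStatus=Valid
Image=C:\Users\victim\AppData\Local\Temp\Inspection Document Review\Inspection Document Review.exe|ImageLoaded=C:\Users\victim\AppData\Local\Temp\Inspection Document Review\version.dll|Signed=false|SignatureStatus=Unavailable
Image=C:\Users\victim\AppData\Local\Programs\Tool\tool.exe|ImageLoaded=C:\Users\victim\AppData\Local\Programs\Tool\libcrypto.dll|Signed=true|SignatureStatus=Valid
"""

if __name__ == "__main__":
    for proc, dll, why in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{proc}\n  loaded {dll}\n  because: {'; '.join(why)}")
```

The two benign loads from user-writable or vendor directories pass because the DLL is validly signed or the executable does not live in a user-writable path; the lure trips both rules at once. In production the same two conditions map directly onto a Sysmon or EDR query on ImageLoad events, and the list of abused system DLL names should be extended from your own telemetry rather than the short set embedded here.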

Researchers emphasized the campaign's sophistication: "By blending anti-analysis, privilege escalation, DLL sideloading, commercial-tool repurposing, and security-software evasion, the threat actor demonstrates both capability and intent." While attribution remains unclear, the precision targeting of Indian users suggests strategic objectives beyond financial gain.
