Blackmoon Malware Targets Indian Users in Tax-Themed Phishing Scam

Key Takeaways

  • Cybersecurity researchers have discovered an ongoing campaign targeting Indian users with a multi-stage backdoor as part of a suspected cyber espionage campaign.
  • The campaign involves phishing emails impersonating the Income Tax Department of India to trick victims into downloading a malicious archive.
  • The end goal of the attack is to deploy a variant of the Blackmoon banking trojan and a legitimate enterprise tool called SyncFuture TSM for continuous monitoring and data exfiltration.
  • The campaign has not been attributed to any known threat actor or group, but demonstrates sophisticated techniques such as anti-analysis, privilege escalation, and security-software evasion.

Introduction to the Campaign
The eSentire Threat Response Unit (TRU) has uncovered an ongoing campaign that is targeting Indian users with a multi-stage backdoor as part of a suspected cyber espionage campaign. The campaign involves using phishing emails that impersonate the Income Tax Department of India to trick victims into downloading a malicious archive. This archive ultimately grants the threat actors persistent access to the victims’ machines for continuous monitoring and data exfiltration. The campaign is particularly sophisticated, using a range of techniques to evade detection and maintain control over the compromised environment.

The Attack Vector
The attack begins with a phishing email that appears to come from the Income Tax Department of India and is styled as a tax penalty notice. It carries a ZIP file containing five files, all of them hidden except for an executable called "Inspection Document Review.exe". That executable sideloads a malicious DLL bundled in the archive; the DLL checks for debugger-induced delays and contacts an external server to fetch the next-stage payload. The downloaded shellcode then uses a COM-based technique to bypass the User Account Control (UAC) prompt and gain administrative privileges.

Evasion Techniques
The malware uses a range of evasion techniques to avoid detection. For example, it modifies its own Process Environment Block (PEB) to masquerade as the legitimate Windows "explorer.exe" process, allowing it to fly under the radar. It also retrieves the next stage "180.exe" from the "eaxwwyr[.]cn" domain, a 32-bit Inno Setup installer that adjusts its behavior based on whether the Avast Free Antivirus process ("AvastUI.exe") is running on the compromised host. If Avast is detected, the malware uses automated mouse simulation to navigate Avast’s interface and add malicious files to its exclusion list without disabling the antivirus engine. This is achieved by means of a DLL that is assessed to be a variant of the Blackmoon malware family.

The Payload
The payload of the attack is a variant of the Blackmoon banking trojan, as well as a legitimate enterprise tool called SyncFuture TSM. SyncFuture TSM is a commercial tool with remote monitoring and management (RMM) capabilities, which is repurposed in this campaign as a powerful, all-in-one espionage framework. By deploying this system as their final payload, the threat actors establish resilient persistence and gain a rich feature set to monitor victim activity and centrally manage the theft of sensitive information. The file added to the exclusion list is an executable named "Setup.exe", which is a utility from SyncFutureTec Company Limited and is designed to write "mysetup.exe" to disk. The latter is assessed to be SyncFuture TSM.

The Impact
The impact of this campaign is significant. By abusing a legitimate offering, the threat actors behind the campaign gain the ability to remotely control infected endpoints, record user activities, and exfiltrate data of interest. The campaign also involves the deployment of other files, including batch scripts that create custom directories and modify their Access Control Lists (ACLs) to grant permissions to all users. Additionally, batch scripts manipulate user permissions on Desktop folders, and a batch script performs cleanup and restoration operations. An executable called "MANC.exe" orchestrates different services and enables extensive logging, providing the threat actors with the tools to not only steal data but to maintain granular control over the compromised environment.
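Constructed telemetry and detection logic, added here as an example and not taken from the article or the eSentire report: it flags two host behaviours the article describes, an unsigned DLL loaded from the same user-writable directory as the executable that accompanies it (the sideloading step in the attack vector) and icacls granting Full or Modify rights to broad principals (the batch-script ACL changes). The DLL name, user name and directory paths in the sample events are placeholders.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events in a Sysmon-like shape (id 1 = process create,
# id 7 = image load). None of this is captured telemetry.
EVENTS = [
    {"id": 1, "image": r"C:\Users\u\Downloads\notice\Inspection Document Review.exe",
     "cmd": r'"Inspection Document Review.exe"'},
    {"id": 7, "image": r"C:\Users\u\Downloads\notice\Inspection Document Review.exe",
     "loaded": r"C:\Users\u\Downloads\notice\helper_placeholder.dll", "signed": False},
    {"id": 7, "image": r"C:\Users\u\Downloads\notice\Inspection Document Review.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c icacls "C:\ProgramData\Custom" /grant Everyone:(OI)(CI)F'},
    {"id": 1, "image": r"C:\Windows\System32\icacls.exe",
     "cmd": r'icacls C:\Users\u\Desktop /grant:r "Authenticated Users":(OI)(CI)M'},
    {"id": 1, "image": r"C:\Windows\System32\icacls.exe",
     "cmd": r'icacls C:\Logs /grant Administrators:R'},
]

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files")
BROAD_PRINCIPALS = ("everyone", "users", "authenticated users", "*s-1-1-0", "*s-1-5-11")
# icacls form: /grant[:r] <principal>:<perm>, principal may be quoted
GRANT_RE = re.compile(r'/grant(?::r)?\s+"?([^":]+?)"?:(\S+)', re.I)

def broad_acl_grant(cmd):
    """Return (principal, rights) when icacls grants F or M to a broad principal, else None."""
    if "icacls" not in cmd.lower():
        return None
    for m in GRANT_RE.finditer(cmd):
        principal, perm = m.group(1).strip(), m.group(2)
        rights = re.sub(r"\((?:OI|CI|IO|NP|I)\)", "", perm, flags=re.I)  # drop inheritance flags
        granted = [r for r in re.split(r"[,()]", rights.upper()) if r]
        if principal.lower() in BROAD_PRINCIPALS and any(r in ("F", "M") for r in granted):
            return principal, rights.strip("()")
    return None

def sideload_candidate(ev):
    """True when an unsigned DLL loads from the directory of an EXE running outside trusted roots."""
    image, dll = PureWindowsPath(ev["image"]), PureWindowsPath(ev["loaded"])
    outside = not str(image).lower().startswith(TRUSTED_ROOTS)
    return outside and not ev["signed"] and dll.parent == image.parent

def triage(events):
    """Walk the events and return alert tuples in event order."""
    alerts = []
    for ev in events:
        if ev["id"] == 1 and (hit := broad_acl_grant(ev["cmd"])):
            alerts.append(("broad_acl_grant", ev["cmd"], *hit))
        elif ev["id"] == 7 and sideload_candidate(ev):
            alerts.append(("dll_sideload_candidate", ev["image"], ev["loaded"]))
    return alerts
```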

Conclusion
The campaign discovered by eSentire demonstrates a high level of sophistication and intent. The threat actors have used a range of techniques to evade detection and maintain control over the compromised environment, including anti-analysis, privilege escalation, DLL sideloading, commercial-tool repurposing, and security-software evasion. The use of a legitimate enterprise tool such as SyncFuture TSM as part of the payload highlights the need for organizations to be aware of the risks associated with commercial software that can be repurposed by attackers. As the campaign continues to evolve, it is likely that we will see further developments in the use of sophisticated techniques to evade detection and maintain control over compromised environments.
