Indian Users Targeted in Tax Phishing Campaign Delivering Blackmoon Malware
Cybersecurity researchers have uncovered an ongoing cyber espionage campaign that’s specifically targeting Indian users with a sophisticated multi-stage backdoor attack. The activity, observed by eSentire Threat Response Unit (TRU), involves the use of fraudulent phishing emails impersonating the Income Tax Department of India to trick victims into downloading a malicious archive.
Technical Details
- Email Phishing: Impersonation of the Income Tax Department to deliver a malicious archive via fake tax penalty notices
- Malware Delivery: Using sideloaded malicious DLLs and external server communication for payload delivery
- Privilege Escalation: Bypassing UAC prompts using automated mouse simulation against Avast Free Antivirus
- Anti-Analysis Techniques: Employing anti-analysis checks to evade detection mechanisms
- Legitimate Software Abuse: Using SyncFuture TSM, a legitimate enterprise tool from Nanjing Zhongke Huasai Technology Co., Ltd, for remote monitoring and management capabilities
- Data Exfiltration: Deploying RATs (Remote Administration Tools) to facilitate data exfiltration
To avoid detection, the malware employs an automated mouse simulation method against Avast Free Antivirus, one of the most commonly used security tools in India. This allows the threat actors to add malicious files to the exclusion list without disabling the antivirus engine.
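The DLL sideloading step above is one of the more detectable stages of this chain, because a legitimately signed executable ends up loading a DLL that carries a well-known Windows DLL name from its own folder instead of from the system directory. The following Python script is an added example, not code from the article or from eSentire, and it generalizes beyond this campaign: it applies that heuristic to Sysmon-style ImageLoad (Event ID 7) records. The list of DLL names, the field names, the file paths and the log records are all constructed for the example; real deployments would draw the DLL list from their own telemetry.

```python
"""Heuristic DLL sideloading detector over Sysmon-style ImageLoad records.

Added example (not from the original article or from eSentire). A load is
flagged when the DLL has the name of a well-known Windows DLL, is loaded from
outside the Windows system directories, lives in the same folder as the
executable that loaded it, and is not signed. All input below is constructed.
"""
import json
import ntpath

# Windows DLL names that are frequent sideloading targets. This set is an
# assumption for the example, not an exhaustive catalogue.
KNOWN_SYSTEM_DLLS = {
    "version.dll", "dwmapi.dll", "cryptbase.dll", "wininet.dll", "msvcp140.dll",
}

# Locations from which a system DLL is expected to be loaded (lower-case).
SYSTEM_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)


def is_sideload_candidate(event: dict) -> bool:
    """Return True when one ImageLoad event matches the sideloading heuristic."""
    if event.get("EventID") != 7:
        return False
    loaded = event["ImageLoaded"].lower()
    image = event["Image"].lower()
    dll_name = ntpath.basename(loaded)
    if dll_name not in KNOWN_SYSTEM_DLLS:
        return False          # application's own DLL, not a system DLL name
    if loaded.startswith(SYSTEM_DIRS):
        return False          # loaded from where it belongs
    same_dir = ntpath.dirname(loaded) == ntpath.dirname(image)
    signed = str(event.get("Signed", "false")).lower() == "true"
    return same_dir and not signed


def scan(records_ndjson: str) -> list:
    """Scan newline-delimited JSON records; return (Image, ImageLoaded) pairs flagged."""
    hits = []
    for line in records_ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_sideload_candidate(event):
            hits.append((event["Image"], event["ImageLoaded"]))
    return hits


# Constructed sample telemetry; paths and file names are placeholders.
SAMPLE_EVENTS = "\n".join([
    # 1) signed executable loads version.dll from System32: expected, not flagged
    json.dumps({"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe",
                "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true"}),
    # 2) executable dropped from an archive loads an unsigned version.dll from
    #    its own folder: the sideloading pattern, flagged
    json.dumps({"EventID": 7,
                "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\TaxNotice\\PLACEHOLDER_signed_app.exe",
                "ImageLoaded": "C:\\Users\\victim\\AppData\\Local\\Temp\\TaxNotice\\version.dll",
                "Signed": "false"}),
    # 3) signed redistributable in the application folder: not flagged
    json.dumps({"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe",
                "ImageLoaded": "C:\\Program Files\\Vendor\\msvcp140.dll", "Signed": "true"}),
    # 4) application's own unsigned helper DLL, not a system DLL name: not flagged
    json.dumps({"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe",
                "ImageLoaded": "C:\\Program Files\\Vendor\\vendorhelper.dll", "Signed": "false"}),
])

if __name__ == "__main__":
    for image, dll in scan(SAMPLE_EVENTS):
        print(f"possible DLL sideloading: {image} loaded {dll}")
```

The signature check is the weakest part of the heuristic: a legitimate, unsigned third-party build of a DLL with a system name will also trigger it, so in practice the rule is best used to generate a review queue rather than to block. Tuning consists of extending `KNOWN_SYSTEM_DLLS` from the loads actually seen in the environment and whitelisting known-good application directories.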
Implications of the Campaign
This cyber espionage campaign poses a significant risk to Indian users as it targets financial data. The successful deployment of malware through legitimate enterprise software highlights the potential for sophisticated threats to exploit vulnerabilities in otherwise trusted tools. This underscores the need for organizations to continuously update their security measures and train employees on recognizing phishing attempts.
Conclusion
The ongoing cyber espionage campaign targeting Indian users with a sophisticated multi-stage backdoor attack demonstrates the evolving tactics of threat actors who are increasingly repurposing legitimate enterprise software for malicious purposes. This case study emphasizes the importance of robust security measures and employee education in protecting sensitive data and systems against such threats.
Sources
- eSentire Threat Response Unit (TRU)
- Nanjing Zhongke Huasai Technology Co., Ltd
- The Hacker News