Cybersecurity researchers have discovered an ongoing campaign that is targeting Indian users with a multi-stage backdoor as part of a suspected cyber espionage campaign.
According to the eSentire Threat Response Unit (TRU), the activity involves phishing emails impersonating the Income Tax Department of India that trick victims into downloading malicious archives, which ultimately gives the threat actors persistent access to the victims' machines for ongoing monitoring and data exfiltration.
The ultimate goal of the sophisticated attack is to deploy a version of a known banking trojan called BlackMoon (aka KRBanker) and a legitimate enterprise tool called SyncFuture TSM (Terminal Security Management), developed by Nanjing Zhongke Huasai Technology Co., Ltd., a Chinese company. This campaign has not been attributed to any known threat actor or group.
“Although it is marketed as a legitimate enterprise tool, in this campaign it has been repurposed as a powerful, all-in-one espionage framework,” eSentire said. “By deploying this system as their end payload, threat actors establish flexible persistence and gain a rich feature set to monitor victim activity and centrally manage the theft of sensitive information.”
The zip file distributed via the fake tax penalty notice contains five separate files, all of which are hidden except for one executable (“Inspect Document Review.exe”), which is used to sideload a malicious DLL present in the archive. The DLL, for its part, implements checks to detect debugger-induced delays and contacts the external server to fetch the next stage’s payload.
The downloaded shellcode uses COM-based technology to bypass the User Account Control (UAC) prompt to gain administrative privileges. It also modifies its own Process Environment Block (PEB) to masquerade as the legitimate Windows “explorer.exe” process in order to fly under the radar.
It also retrieves the next stage, “180.exe”, from the domain “eaxwwyr[.]cn”; this is a 32-bit Inno Setup installer that adjusts its behavior depending on whether the Avast Free Antivirus process (“AvastUI.exe”) is running on the compromised host.
If the security program is detected, the malware uses automated mouse simulation to navigate Avast’s interface and add the malicious files to its exclusion list, bypassing detection without disabling the antivirus engine. This is achieved through a DLL believed to be a variant of the BlackMoon malware family, which first appeared in September 2015 and is known to target businesses in South Korea, the US, and Canada.
The file added to the exclusion list is an executable named “Setup.exe”, which is a utility from SyncFutureTec Co., Ltd. and is designed to write “mysetup.exe” to disk. The latter is considered to be SyncFuture TSM, a commercial tool with remote monitoring and management (RMM) capabilities.
By abusing a legitimate offering, the threat actors behind the campaign gain the ability to remotely control infected endpoints, record user activities, and exfiltrate data of interest. After the executable runs, other files are also deployed:
- Batch scripts that create custom directories and modify their access control lists (ACLs) to grant permissions to all users
- Batch scripts that manipulate user permissions on desktop folders
- A batch script that performs cleanup and restore tasks
- An executable called “MANC.exe” that orchestrates various services and enables comprehensive logging
“This provides them with the tools not only to steal data, but to maintain detailed control over the compromised environment, monitor user activity in real-time, and ensure their own solidity,” eSentire said. “By combining anti-analysis, privilege escalation, DLL sideloading, commercial-equipment repurposing, and security-software evasion, the threat actor demonstrates both capability and intent.”