Cybersecurity researchers have uncovered a multi-stage cyber espionage campaign targeting Indian users through phishing emails disguised as official income tax notices. These emails trick recipients into downloading malicious files that eventually deploy a repurposed enterprise tool for continuous monitoring and data exfiltration.
The threat involves a sophisticated infection chain that begins when a victim opens a ZIP archive containing a hidden executable masquerading as a tax document. Once launched, the malware uses DLL sideloading to evade security detection and establishes persistent access to the host machine. This initial stage is designed to frustrate analysis by checking for debugging environments before reaching out to an external server for further instructions.
To maintain a low profile and gain deeper control, the attack employs advanced evasion techniques such as bypassing User Account Control to secure administrative privileges. It further disguises its activity by modifying its internal process information to appear as a standard Windows Explorer process. These maneuvers allow the attackers to operate stealthily while preparing the system for the final payload.
The ultimate objective is the deployment of a variant of the Blackmoon banking trojan alongside a legitimate enterprise management tool known as SyncFuture TSM. Although developed for corporate security management by a Chinese firm, the tool is repurposed here as a comprehensive espionage framework. This gives the unidentified threat actors a robust set of features to manage stolen data and monitor user activity centrally.
In the final phase of the attack, the malware downloads an installer that can dynamically adjust its behavior based on the presence of specific security software like Avast Antivirus. By tailoring its execution to the victim's environment, the campaign ensures a higher success rate for its persistent backdoor. While the specific group behind this operation remains unknown, the focus on Indian entities suggests a targeted effort to gather sensitive intelligence.
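Defender-side triage for the initial stage described above (a ZIP carrying a hidden executable with a document-like name), as an added example that is not from the original report. The archive contents, file names and the checks it applies are constructed assumptions for illustration, not indicators from the campaign.

```python
import io
import zipfile

# Extensions a "tax notice" lure would plausibly imitate (assumption).
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# Extensions Windows runs directly on double-click (assumption, not exhaustive).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".dll"}


def _ext(name):
    """Lower-cased final extension of a path, or '' when there is none."""
    low = name.lower()
    dot = low.rfind(".")
    return low[dot:] if dot >= 0 else ""


def triage_zip(data):
    """Return (member name, reason) findings for a ZIP archive given as bytes.

    Flags members with the MS-DOS hidden attribute, double-extension lures such
    as 'Notice.pdf.exe', and members whose content starts with the PE 'MZ'
    header regardless of what extension they carry (e.g. a sideloaded DLL)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = _ext(name)
            # Low byte of external_attr holds MS-DOS attributes; 0x02 = hidden.
            if info.external_attr & 0x02:
                findings.append((name, "hidden attribute set"))
            stem = name[: -len(ext)] if ext else name
            if ext in EXEC_EXTS and _ext(stem) in DOC_EXTS:
                findings.append((name, "document-like name with executable extension"))
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ":
                if ext in EXEC_EXTS:
                    findings.append((name, "PE executable inside archive"))
                else:
                    findings.append((name, "PE header under non-executable extension"))
    return findings


def build_sample_archive():
    """Constructed sample archive (not a real lure): a hidden double-extension PE,
    a PE stub hiding under a .dat name, and a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        lure = zipfile.ZipInfo("Income_Tax_Notice.pdf.exe")
        lure.external_attr = 0x02  # MS-DOS hidden bit
        zf.writestr(lure, b"MZ" + b"\x00" * 62)  # minimal fake DOS header
        zf.writestr("sideload.dat", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"Plain text, nothing to flag.")
    return buf.getvalue()
```

Run `triage_zip(build_sample_archive())` to see the three categories of findings on the constructed archive; pointing `triage_zip` at the bytes of a quarantined attachment applies the same checks to real input.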
Source: Indian Tax Phishing Attack Targets Users With Blackmoon Malware Alerts