Per The Hacker News, cybersecurity researchers from the eSentire Threat Response Unit have uncovered an ongoing cyber espionage campaign targeting Indian users with a multi-stage backdoor. The operation utilizes phishing emails that impersonate the Income Tax Department of India to lure victims into downloading malicious archives.The campaign employs a sophisticated attack chain, beginning with a ZIP file containing hidden malicious files. An executable triggers a malicious DLL that bypasses debugger detection and contacts a command-and-control server. This payload then uses a COM-based technique to escalate privileges and masquerades as a legitimate Windows process. The next stage involves downloading a 32-bit installer that, if Avast Free Antivirus is detected, uses automated mouse simulation to add malicious files to the antivirus exclusion list. This is achieved via a variant of the Blackmoon banking trojan, which deploys a legitimate enterprise tool called SyncFuture TSM. This tool, repurposed as an espionage framework, grants attackers persistent access for monitoring and data exfiltration.The use of a banking trojan in conjunction with an RMM tool underscores the potential for significant data theft and long-term compromise. The sophisticated blend of anti-analysis techniques, privilege escalation, and security software evasion suggests a well-resourced actor, emphasizing the need for enhanced threat detection and response mechanisms, particularly for organizations handling sensitive financial or governmental information.Source: The Hacker News
Malware, Threat Intelligence
India targeted by sophisticated espionage campaign using Blackmoon trojan

(Adobe Stock Images)
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



