Malware, Threat Intelligence

India targeted by sophisticated espionage campaign using Blackmoon trojan

Trojan malware

Per The Hacker News, cybersecurity researchers from the eSentire Threat Response Unit have uncovered an ongoing cyber espionage campaign targeting Indian users with a multi-stage backdoor. The operation utilizes phishing emails that impersonate the Income Tax Department of India to lure victims into downloading malicious archives.

The campaign employs a sophisticated attack chain, beginning with a ZIP file containing hidden malicious files. An executable triggers a malicious DLL that bypasses debugger detection and contacts a command-and-control server. This payload then uses a COM-based technique to escalate privileges and masquerades as a legitimate Windows process. The next stage involves downloading a 32-bit installer that, if Avast Free Antivirus is detected, uses automated mouse simulation to add malicious files to the antivirus exclusion list. This is achieved via a variant of the Blackmoon banking trojan, which deploys a legitimate enterprise tool called SyncFuture TSM. This tool, repurposed as an espionage framework, grants attackers persistent access for monitoring and data exfiltration.

The use of a banking trojan in conjunction with an RMM tool underscores the potential for significant data theft and long-term compromise. The sophisticated blend of anti-analysis techniques, privilege escalation, and security software evasion suggests a well-resourced actor, emphasizing the need for enhanced threat detection and response mechanisms, particularly for organizations handling sensitive financial or governmental information.

Source: The Hacker News

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds