
"The ZIP file distributed through the fake tax penalty notices contains five different files, all of which are hidden except for an executable ("Inspection Document Review.exe") that's used to sideload a malicious DLL present in the archive. The DLL, for its part, implements checks to detect debugger-induced delays and contacts an external server to fetch the next-stage payload. The downloaded shellcode then uses a COM-based technique to bypass the User Account Control (UAC) prompt to gain administrative privileges."
"The end goal of the sophisticated attack is to deploy a variant of a known banking trojan called Blackmoon (aka KRBanker) and a legitimate enterprise tool called SyncFuture TSM (Terminal Security Management) that's developed by Nanjing Zhongke Huasai Technology Co., Ltd, a Chinese company. "While marketed as a legitimate enterprise tool, it is repurposed in this campaign as a powerful, all-in-one espionage framework,""
Phishing emails impersonating the Income Tax Department of India deliver a malicious ZIP that contains a visible executable which sideloads a hidden DLL. The DLL performs anti-debugger checks and contacts an external server to retrieve additional payloads. Downloaded shellcode leverages a COM-based UAC bypass to gain administrative privileges and then modifies its process metadata to masquerade as explorer.exe for stealth. The campaign aims to deploy a Blackmoon (KRBanker) variant alongside a repurposed SyncFuture TSM enterprise tool to establish resilient persistence, centrally manage victim monitoring, and exfiltrate sensitive information from compromised machines.
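As an added example, not code from the article or from the researchers it cites, the following Python triage checks a ZIP for the lure layout described above: a visible executable packaged next to hidden companion files, one of them a DLL, which is the sideloading arrangement the campaign relies on. The archive it builds is a constructed placeholder (the DLL name and file contents are hypothetical) so the check runs offline.

```python
import io
import zipfile

DOS_HIDDEN = 0x02  # MS-DOS FILE_ATTRIBUTE_HIDDEN, kept in the low byte of external_attr


def build_sample_archive(hide_companions: bool = True) -> bytes:
    """Construct a synthetic archive mirroring the lure layout: one visible .exe
    plus four companions (one DLL). Contents are placeholder bytes, not malware."""
    buf = io.BytesIO()
    entries = [
        ("Inspection Document Review.exe", b"MZ-placeholder", False),
        ("version.dll", b"MZ-placeholder", True),   # hypothetical sideloaded DLL name
        ("config.dat", b"\x00" * 16, True),
        ("stage.bin", b"\x00" * 16, True),
        ("readme.txt", b"x", True),
    ]
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data, hidden in entries:
            info = zipfile.ZipInfo(name)
            info.create_system = 0  # 0 = MS-DOS/Windows attribute semantics
            if hidden and hide_companions:
                info.external_attr = DOS_HIDDEN
            zf.writestr(info, data)
    return buf.getvalue()


def triage_archive(blob: bytes) -> dict:
    """Summarise an archive and flag the visible-EXE-plus-hidden-DLL pattern."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = zf.infolist()
    visible_exes, hidden_dlls, hidden_total = [], [], 0
    for info in infos:
        hidden = bool(info.external_attr & DOS_HIDDEN)
        lower = info.filename.lower()
        if hidden:
            hidden_total += 1
            if lower.endswith(".dll"):
                hidden_dlls.append(info.filename)
        elif lower.endswith(".exe"):
            visible_exes.append(info.filename)
    return {
        "entries": len(infos),
        "hidden": hidden_total,
        "visible_exes": visible_exes,
        "hidden_dlls": hidden_dlls,
        "sideload_bundle": bool(visible_exes) and bool(hidden_dlls),
    }


if __name__ == "__main__":
    print(triage_archive(build_sample_archive()))
```

The hidden-attribute check only applies to entries written with MS-DOS attribute semantics (create_system 0); archives built on other systems carry Unix mode bits there instead.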
Read at The Hacker News