Cybersecurity researchers have uncovered an ongoing campaign that targets Indian users with a multi-stage backdoor as part of a suspected cyber espionage operation. According to the eSentire Threat Response Unit (TRU), the activity entails tricking victims into downloading a malicious archive using phishing emails that impersonate the Income Tax Department of India.

The sophisticated attack's ultimate objective is to deploy a legitimate enterprise tool called SyncFuture TSM (Terminal Security Management), developed by the Chinese company Nanjing Zhongke Huasai Technology Co., Ltd., alongside a variant of the known banking trojan Blackmoon (also known as KRBanker). This gives the threat actors persistent access to the victims' machines for ongoing monitoring and data exfiltration. The campaign has not been attributed to any known threat actor or group.

"It is repurposed in this campaign as a powerful, all-in-one espionage framework, despite being marketed as a legitimate enterprise tool," eSentire said. "The threat actors establish resilient persistence and gain a rich feature set to monitor victim activity and centrally manage the theft of sensitive information by deploying this system as their final payload." The ZIP file distributed via the bogus tax penalty notices contains five files, all of which are hidden except for an executable ("Inspection Document Review.exe") that is used to sideload a malicious DLL also present in the archive.

The DLL, for its part, performs timing checks to detect delays introduced by a debugger and contacts an external server to retrieve the next-stage payload.
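The debugger-delay check is a timing test: the code measures how long a region that should run in microseconds actually takes, and a large gap means something (a breakpoint, single-stepping, or an analyst pausing the process) interfered. The following is an added illustration of that technique in Python, not the DLL's own code, which the report does not reproduce; the `hook` parameter is an assumption that stands in for a debugger pause so the behaviour can be exercised without a debugger.

```python
"""Timing-based debugger detection, as an added illustration of the
anti-analysis check described above. Not code from the malware or from
eSentire; the `hook` parameter is a test-only stand-in for a debugger
pausing execution inside the timed region.
"""
import time
from typing import Callable, Optional


def _busy_work(iterations: int = 20_000) -> int:
    # Cheap, deterministic work. On an unimpeded run this completes in a
    # few milliseconds, so any large elapsed time comes from outside.
    acc = 0
    for i in range(iterations):
        acc = (acc * 31 + i) & 0xFFFFFFFF
    return acc


def elapsed_ms(hook: Optional[Callable[[], None]] = None) -> float:
    """Time two rounds of busy work, optionally with a simulated pause
    in between (what a breakpoint or single-step would cause)."""
    start = time.perf_counter()
    _busy_work()
    if hook is not None:
        hook()  # assumption: simulates the analyst-induced delay
    _busy_work()
    return (time.perf_counter() - start) * 1000.0


def debugger_delay_detected(threshold_ms: float = 250.0,
                            hook: Optional[Callable[[], None]] = None) -> bool:
    """Return True when the timed region overran the threshold, which the
    malware would interpret as evidence of a debugger."""
    return elapsed_ms(hook) > threshold_ms


if __name__ == "__main__":
    print("debugger suspected (clean run):", debugger_delay_detected())
    print("debugger suspected (simulated 500 ms pause):",
          debugger_delay_detected(hook=lambda: time.sleep(0.5)))
```

When analysing a sample that uses this pattern, stepping through the timed region trips the check, so the comparison is usually patched out or the region is run over rather than stepped.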

The downloaded shellcode then obtains administrative privileges by bypassing the User Account Control (UAC) prompt using a COM-based method. To evade detection, it also modifies its own Process Environment Block (PEB) so that the process appears to be the legitimate Windows "explorer.exe". (The PEB holds the image path and command line that user-mode tools such as Task Manager read, so rewriting them changes what those tools display; the kernel's own record of the image is unaffected.) It then retrieves the next stage, "180.exe", from the "eaxwwyr[.]cn" domain.

"180.exe" is a 32-bit Inno Setup installer that alters its behavior depending on whether the Avast Free Antivirus process ("AvastUI.exe") is running on the compromised host. When it is, the malware uses automated mouse simulation to navigate Avast's interface and add its malicious files to the exclusion list, avoiding detection without disabling the antivirus engine.

This is accomplished using a DLL assessed to belong to the Blackmoon malware family, which first appeared in September 2015 and is known for targeting organizations in the United States, Canada, and South Korea. Added to the exclusion list is an executable named "Setup.exe," a tool from SyncFutureTec Company Limited that is designed to write "mysetup.exe" to disk.

The latter is assessed to be SyncFuture TSM, a commercial tool with remote monitoring and management (RMM) capabilities. By abusing a legitimate product, the threat actors can remotely control compromised endpoints, log user activity, and exfiltrate data of interest.

Once the executable runs, it also deploys a set of supporting files: batch scripts that create custom directories and modify their Access Control Lists (ACLs) to grant permissions to all users; batch scripts that modify user permissions on the Desktop folder; a batch script that carries out cleanup and restoration tasks; and an executable named "MANC.exe" that orchestrates various services and enables extensive logging.
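Two of the behaviours above leave telemetry a defender can pivot on: an executable loading an unsigned DLL that was dropped beside it in a user-writable folder (the sideloading step from the phishing archive), and icacls/cacls runs that grant rights to every user (the ACL-weakening batch scripts). The following triage script is an added example, not eSentire's or the campaign's code; it runs two such rules over constructed, simplified key=value log lines. The DLL name "helper.dll", the victim user name, and the directory names are assumptions, since the article does not give them.

```python
"""Triage rules for DLL sideloading from a user-writable directory and for
ACL grants to all users. Added example; the log format and every file or
directory name other than "Inspection Document Review.exe" are assumed.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Callable, Dict, List, Optional

# Path fragments that mark locations an unprivileged user can write to.
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

# Principals that amount to "all users" in icacls/cacls grants: Everyone
# (S-1-1-0), Authenticated Users (S-1-5-11) and BUILTIN\Users (S-1-5-32-545).
WORLD_PRINCIPALS = {"everyone", "*s-1-1-0", "authenticated users", "*s-1-5-11",
                    "users", "*s-1-5-32-545"}
ACL_TOOL_RE = re.compile(r"\b(?:icacls|cacls)(?:\.exe)?\b", re.IGNORECASE)
# Captures `/grant[:r] <principal>:<rights>`, e.g. Everyone:(OI)(CI)F or *S-1-1-0:F
GRANT_RE = re.compile(r'/grant(?::r)?\s+"?([^:"]+?)"?:((?:\([A-Z]+\))*[A-Z,]*)',
                      re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    detail: str


def parse_event(line: str) -> Dict[str, str]:
    """Split `Key=Value | Key=Value` into a dict; values may contain spaces."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def _is_user_writable(path: str) -> bool:
    low = path.lower()
    return any(hint in low for hint in USER_WRITABLE_HINTS)


def check_sideload(ev: Dict[str, str]) -> Optional[Finding]:
    """EventID 7 (image load): an unsigned DLL loaded from the EXE's own
    user-writable directory is the sideloading pattern described above."""
    if ev.get("EventID") != "7":
        return None
    image, loaded = ev.get("Image", ""), ev.get("ImageLoaded", "")
    if not loaded.lower().endswith(".dll"):
        return None
    same_dir = PureWindowsPath(image).parent == PureWindowsPath(loaded).parent
    signed = ev.get("Signed", "false").lower() == "true"
    if same_dir and _is_user_writable(loaded) and not signed:
        return Finding("dll_sideload",
                       f"{image} loaded unsigned {loaded} from its own directory")
    return None


def check_acl_weakening(ev: Dict[str, str]) -> Optional[Finding]:
    """EventID 1 (process create): icacls/cacls granting rights to all users."""
    if ev.get("EventID") != "1":
        return None
    cmd = ev.get("CommandLine", "")
    if not ACL_TOOL_RE.search(cmd):
        return None
    for principal, rights in GRANT_RE.findall(cmd):
        # Normalise "BUILTIN\Users" / "NT AUTHORITY\Authenticated Users".
        name = principal.strip().lower().split("\\")[-1]
        if name in WORLD_PRINCIPALS:
            return Finding("acl_world_grant", f"{principal} granted {rights}: {cmd}")
    return None


CHECKS: List[Callable[[Dict[str, str]], Optional[Finding]]] = [
    check_sideload, check_acl_weakening]


def triage(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        findings.extend(f for f in (chk(ev) for chk in CHECKS) if f is not None)
    return findings


# Constructed sample log, not real telemetry from the campaign.
SAMPLE_LOG = [
    r"EventID=7 | Image=C:\Users\victim\Downloads\Inspection Document Review.exe"
    r" | ImageLoaded=C:\Users\victim\Downloads\helper.dll | Signed=false",
    r"EventID=7 | Image=C:\Windows\explorer.exe"
    r" | ImageLoaded=C:\Windows\System32\shell32.dll | Signed=true",
    r'EventID=1 | Image=C:\Windows\System32\icacls.exe'
    r' | CommandLine=icacls "C:\Users\Public\Work" /grant Everyone:(OI)(CI)F /T',
    r"EventID=1 | Image=C:\Windows\System32\icacls.exe"
    r" | CommandLine=icacls C:\Users\victim\Desktop /grant *S-1-1-0:F",
    r"EventID=1 | Image=C:\Windows\System32\icacls.exe"
    r" | CommandLine=icacls C:\Tools /grant victim:RX",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.rule}] {finding.detail}")
```

The sideload rule keys on three conditions together (same directory, user-writable location, unsigned) because any one alone is noisy; the ACL rule normalises the principal so domain-qualified forms of the same well-known groups are caught, and a grant to a single named user, as in the last sample line, is not flagged.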

"It provides them with the tools to not only steal data but to maintain granular control over the compromised environment, monitor user activity in real-time, and ensure their own persistence," according to eSentire. "The threat actor exhibits both capability and intent by combining anti-analysis, privilege escalation, DLL sideloading, commercial tool repurposing, and security software evasion."