
Cybersecurity researchers have uncovered an ongoing cyber espionage campaign specifically targeting users in India. The attack utilizes a multi-stage backdoor and leverages sophisticated evasion techniques to achieve persistent access and data exfiltration from compromised systems.
Initial Attack Vector and Malicious Payloads
The campaign begins with phishing emails that impersonate the Income Tax Department of India. These emails trick victims into downloading a malicious archive file. The ultimate objective of the threat actors is to deploy a variant of the Blackmoon (also known as KRBanker) banking trojan and repurpose a legitimate enterprise tool, SyncFuture TSM (Terminal Security Management), for espionage purposes.
While SyncFuture TSM is a genuine product from Nanjing Zhongke Huasai Technology Co., Ltd., a Chinese company, the attackers abuse its capabilities, turning it into a powerful all-in-one espionage framework that lets them maintain resilient persistence and centrally manage the theft of sensitive information.
Multi-Stage Attack Process
- Initial Compromise and DLL Sideloading: The malicious ZIP file distributed via phishing contains five files. All files except for “Inspection Document Review.exe” are hidden. The executable is used to perform DLL sideloading, leveraging a malicious DLL present in the archive. This DLL performs checks to detect debugger-induced delays before fetching the next stage payload from an external server.
- Privilege Escalation and Evasion: The downloaded shellcode employs a COM-based technique to bypass the User Account Control (UAC) prompt and gain administrative privileges. To avoid detection, it modifies its own Process Environment Block (PEB) to masquerade as the legitimate Windows process “explorer.exe.”
- Blackmoon Deployment and Antivirus Evasion: The next stage payload, “180.exe,” is retrieved from the domain “eaxwwyr[.]cn.” This Inno Setup installer first checks for the presence of Avast Free Antivirus (“AvastUI.exe”). If Avast is detected, the malware executes an automated mouse simulation to navigate the antivirus interface and add malicious files to its exclusion list without disabling the antivirus engine. This bypass technique is carried out by a DLL identified as a variant of the Blackmoon malware family.
- Final Payload Deployment (SyncFuture TSM): Following the successful evasion and execution, the malware deploys “mysetup.exe,” which is identified as SyncFuture TSM. The attackers utilize this legitimate commercial tool to gain remote control over infected endpoints, monitor user activity in real time, and exfiltrate data of interest.
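Detection logic for the PEB-masquerading step described in the privilege-escalation stage above, as an added example that is not drawn from the report or the researchers' tooling: a process that rewrites its own PEB will name itself “explorer.exe” to user-mode enumerators, but the kernel's view of the image path does not change, so the two can be compared. The snapshot layout, the `LEGIT_EXPLORER` path and the collection methods named in comments are assumptions; the sample snapshot is constructed.

```python
import os
from dataclasses import dataclass
from typing import Dict, List

# Assumption: default location of the genuine Windows shell.
LEGIT_EXPLORER = r"C:\Windows\explorer.exe"


@dataclass
class ProcSnapshot:
    pid: int
    peb_image_path: str     # ImagePathName read from the process's own PEB (user-mode view)
    kernel_image_path: str  # image path as the kernel reports it (e.g. QueryFullProcessImageNameW)


def _basename(path: str) -> str:
    """Case-insensitive file name, tolerant of either slash style."""
    return os.path.basename(path.replace("\\", "/")).lower()


def find_peb_masquerade(procs: List[ProcSnapshot]) -> List[Dict[str, object]]:
    """Flag processes whose self-reported (PEB) identity disagrees with the kernel's view,
    plus any process that claims to be explorer.exe but does not run from the real shell path."""
    findings: List[Dict[str, object]] = []
    for p in procs:
        claimed, actual = _basename(p.peb_image_path), _basename(p.kernel_image_path)
        if claimed != actual:
            findings.append({"pid": p.pid, "reason": "peb_name_mismatch",
                             "claims": claimed, "actual": p.kernel_image_path})
        elif claimed == "explorer.exe" and p.kernel_image_path.lower() != LEGIT_EXPLORER.lower():
            findings.append({"pid": p.pid, "reason": "explorer_wrong_path",
                             "claims": claimed, "actual": p.kernel_image_path})
    return findings


# Constructed sample snapshot (not telemetry from the report): pid 4321 models the
# sideloading executable after its shellcode has rewritten the PEB to look like explorer.exe.
SAMPLE = [
    ProcSnapshot(1234, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcSnapshot(4321, r"C:\Windows\explorer.exe",
                 r"C:\Users\victim\AppData\Local\Temp\Inspection Document Review.exe"),
    ProcSnapshot(5555, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for finding in find_peb_masquerade(SAMPLE):
        print(finding)
```

On a live host the PEB field would be read with ReadProcessMemory from the target's RTL_USER_PROCESS_PARAMETERS and the kernel path with QueryFullProcessImageNameW; the comparison itself is what the block shows.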
Post-Exploitation Activities
To maintain control and prepare the environment for data theft, the attackers execute additional files and scripts:
- Batch scripts that create custom directories and modify Access Control Lists (ACLs) to grant permissions to all users.
- Batch scripts to manipulate user permissions on Desktop folders.
- A cleanup and restoration batch script.
- An executable named “MANC.exe” that orchestrates services and enables extensive logging.
Conclusions
This campaign demonstrates a high level of sophistication by blending multiple attack techniques, including anti-analysis methods, UAC bypass, DLL sideloading, and the abuse of commercial remote management tools. By repurposing legitimate software for espionage, the threat actors establish powerful control over compromised environments and hinder detection efforts, ensuring continuous monitoring and data theft. The campaign highlights a growing trend among cybercriminals to utilize legitimate tools to evade traditional security defenses.