EXECUTIVE SUMMARY
The campaign starts with fake tax assessment lures targeting finance, accounting, legal, HR, administrative, and executive users, who are led to believe they need to download and review a tax-related document. The lures are designed to create a sense of urgency, making the victim more likely to click the malicious link. The campaign uses three delivery paths to reach Windows endpoints: fake tax pages, ZIP files, and VBScript downloaders. The fake tax pages make the victim believe they are opening a tax notice or assessment document, and lead to the download of either a ZIP file or a VBScript downloader. The ZIP file contains a signed 32-bit Windows executable, the ClientSetup payload; the VBScript downloader fetches the same ClientSetup payload. Once run, ClientSetup installs a hidden client directory, creates service and driver persistence, writes runtime configuration, and starts outbound client traffic.
The malware uses a combination of techniques to maintain control over the infected system. It creates a Windows service named MANC, which is used for persistence. The malware also installs drivers, such as YtMiniFilter and ytdisk, which give the suite deeper access than a normal user-mode process. The malware uses a fake svchost.exe process to connect to the configured server on port 6671, which appears to be the main session channel for the client. The client continues to talk to the server, suggesting that the malware does not simply download something and exit, but rather keeps a session alive.
This threat is significant for organisations because it combines social engineering (fake tax assessment lures) with malware techniques that resist casual inspection: a signed ClientSetup payload, kernel drivers, and a fake svchost.exe process. The malware is designed to maintain control over the infected system, making it difficult to detect and recover from. Organisations should take defensive actions, such as patching, monitoring, backups, and endpoint protection, to prevent and detect this type of threat.
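A defender-side hunt for the host artifacts named above (the MANC service, the YtMiniFilter and ytdisk drivers, an svchost.exe running outside System32, and TCP connections to port 6671), added here as an example and not taken from the referenced reports. It assumes PowerShell 5.1 or later on Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated session so that process paths are readable.

```powershell
# Added example: single-endpoint hunt for the indicators described in this summary.
# Assumes an elevated PowerShell 5.1+ session on Windows 8 / Server 2012 or later.
$findings = @()

# 1. Persistence: a Windows service named MANC
$svc = Get-CimInstance Win32_Service -Filter "Name='MANC'" -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "Service MANC present: $($svc.PathName) (state: $($svc.State))"
}

# 2. Persistence: the YtMiniFilter and ytdisk drivers
foreach ($drv in 'YtMiniFilter', 'ytdisk') {
    $d = Get-CimInstance Win32_SystemDriver -Filter "Name='$drv'" -ErrorAction SilentlyContinue
    if ($d) {
        $findings += "Driver $drv present: $($d.PathName) (state: $($d.State))"
    }
}

# 3. Masquerading: svchost.exe whose image is not under %SystemRoot%\System32
$sys32 = Join-Path $env:SystemRoot 'System32'
Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
    # Path is $null when the session cannot open the process; run elevated to avoid misses.
    if ($_.Path -and -not $_.Path.StartsWith($sys32, [System.StringComparison]::OrdinalIgnoreCase)) {
        $findings += "svchost.exe from unexpected path: $($_.Path) (PID $($_.Id))"
    }
}

# 4. Command and control: any process with a TCP connection to remote port 6671
Get-NetTCPConnection -RemotePort 6671 -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP $($_.State) to $($_.RemoteAddress):6671 from PID $($_.OwningProcess) ($($p.ProcessName))"
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "No indicators from this summary found on $env:COMPUTERNAME"
}
```

A hit on any single check is worth triage rather than automatic action, since service and driver names are cheap for an attacker to change and port 6671 may be used legitimately in some environments.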
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1059.005 | Command and Scripting Interpreter | Visual Basic |
| Persistence | T1543.003 | Create or Modify System Process | Windows Service |
| Persistence | T1543.004 | Create or Modify System Process | Launch Daemon |
| Defense Evasion | T1116 | Code Signing | — |
| Defense Evasion | T1564.001 | Hide Artifacts | Hidden Files and Directories |
| Defense Evasion | T1036.005 | Masquerading | Match Legitimate Name or Location |
| Discovery | T1082 | System Information Discovery | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/hackers-use-fake-income-tax-assessment-pages/
https://www.securonix.com/blog/taxtrident-indian-fax-lures/