Summary
Key Points:
- Cybercriminals are executing a dual-malware campaign exploiting India's tax filing season, utilizing phishing emails that masquerade as communications from the Indian Tax Department to deliver two remote access trojans (RATs).
- The attack impacts users who download malicious files disguised as legitimate tax utilities, leading to persistent access via Gh0st RAT and a .NET-based implant from the QuasarRAT/AsyncRAT family.
- Recommended actions include implementing behavioral detection mechanisms, monitoring for DLL sideloading, unexpected service creation, and in-memory execution activities, rather than relying solely on traditional EDR signatures.
Technical Details: The malware campaign employs techniques such as DLL side-loading and process injection to evade detection while leveraging legitimate Windows binaries. The use of two distinct RAT families enhances operational resilience against detection efforts.
MITRE ATT&CK Techniques:
- T1566 - Phishing (Initial Access)
- T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
- T1203 - User Execution (Execution)
- T1055.001 - Process Injection: Dynamic-link Library Injection (Execution)
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys (Persistence)
IOCs Mentioned:
- Malicious file names, C2 infrastructure domains, file hashes associated with both RAT families were disclosed in the report. Specific IOCs were not detailed in the summary provided.
Join the discussion — sign up to comment, upvote, and save articles.