Operation TaxShadow : Multi-Region Tax Phishing & In-Memory Malware Campaign – CYFIRMA

This report details an Indian tax-themed phishing campaign that used government impersonation, a fake tax portal, and a malicious ZIP archive to deliver a multi-stage malware framework. The malware relied on DLL Search Order Hijacking, token manipulation, reflective PE loading, and WebSocket-based C2, with artifacts and infrastructure linked to कर विवरण.exe, SbieDll.dll, SbieDll.bin and 43.128.54.184.

Key points

  • The campaign began with a fraudulent tax notification email impersonating an Indian government tax authority.
  • Victims were redirected to a fake tax-themed phishing website that encouraged downloading a malicious ZIP archive.
  • The ZIP archive contained three staged components: कर विवरण.exe, SbieDll.dll, and SbieDll.bin.
  • The malware used DLL Search Order Hijacking to force loading of the malicious SbieDll.dll.
  • Advanced defense-evasion methods included API hooking, token manipulation, COM callback execution, mutated RC4, and LLVM-based Control Flow Flattening.
  • The final payload executed in memory using reflective PE loading and communicated over persistent WebSocket-based C2 traffic.
  • Analysis found Chinese-language artifacts and reused infrastructure, but attribution remained at moderate confidence.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – Victims were lured through a tax-themed email containing a malicious link to phishing infrastructure (‘malicious link redirecting victims to a phishing website’).
  • [T1189] Drive-by Compromise – The phishing page delivered the malicious ZIP package after redirecting users to the fake portal (‘delivered a ZIP package containing staged malware payloads’).
  • [T1204.002] User Execution: Malicious File – Execution depended on the user downloading, extracting, and launching the file (‘execution required user interaction through extraction and execution of कर विवरण.exe’).
  • [T1574.001] Hijack Execution Flow: DLL Search Order Hijacking – The malware forced Windows to load malicious SbieDll.dll instead of the legitimate library (‘abuses DLL Search Order Hijacking to force loading of the malicious SbieDll.dll’).
  • [T1620] Reflective Code Loading – The final payload was manually reconstructed and run directly in memory (‘execute PE components entirely in memory without using LoadLibrary()’).
  • [T1027] Obfuscated Files or Information – Control Flow Flattening, mutated RC4, and dynamic execution logic concealed the malware’s behavior (‘Control Flow Flattening, mutated RC4, and dynamic execution logic to conceal behaviour’).
  • [T1140] Deobfuscate/Decode Files or Information – Encrypted shellcode in SbieDll.bin was decrypted at runtime (‘Encrypted payloads within SbieDll.bin were decrypted during runtime before execution’).
  • [T1036] Masquerading – The executable used deceptive localized naming to appear legitimate (‘used deceptive naming and impersonation techniques to appear legitimate’).
  • [T1055] Process Injection – Memory-based execution and reflective loading were used to inject and execute payloads (‘reflective loading and memory-based execution mechanisms to inject and execute payloads’).
  • [T1134] Access Token Manipulation – Hooks on SetThreadToken() and GetTokenInformation() altered security tokens and impersonation contexts (‘manipulated security tokens and impersonation contexts’).
  • [T1553] Subvert Trust Controls – The malware abused trusted Sandboxie-related components and legitimate mechanisms for concealment (‘abused trusted Sandboxes DLL mechanisms and legitimate components’).
  • [T1082] System Information Discovery – The loader checked the operating system and environment before continuing (‘performing operating system version checks and environment validation’).
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 traffic used HTTP/WebSocket protocols (‘established C2 communication through HTTP/WebSocket protocols’).
  • [T1573] Encrypted Channel – WebSocket sessions were used as protected communication channels (‘Communication channels were protected using encrypted WebSocket-based sessions’).
  • [T1090] Proxy – HTTP CONNECT support indicated proxy-aware communication (‘support for proxy-aware communication through enterprise environments’).
  • [T1105] Ingress Tool Transfer – Additional components were transferred and loaded between stages (‘Additional payload components were dynamically loaded and transferred between execution stages’).

Indicators of Compromise

  • [Domain] Phishing and infrastructure domains observed in the campaign – guhxmg.com, naiqja.icu, and 8 other domains
  • [Subdomain] Hosted tax-themed impersonation content and related infrastructure – d.pc-weide.com, taxations.cn-web-okooo.com, and 2 other subdomains
  • [SHA-256] Malware and related sample hashes for detection/blocking – 185b7a487316454da04e9cc0fe6eb370bb2955cf6096fe3e8c02c46f8989ba37, 4c9061a07d667bf7dd6f597a43a8552af2f4277b7be06d6ea138abdb668d6a49, and 3 other hashes
  • [IP Address] External command-and-control or remote communication endpoint – 43.128.54.184
  • [File Names] Staged payload components delivered in the ZIP archive – कर विवरण.exe, SbieDll.dll, and SbieDll.bin
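As an added example (not CYFIRMA's code), a Python triage helper that inspects a ZIP lure in memory for the indicators this page lists: the two published SHA-256 values, the three staged component names, and the executable-beside-SbieDll.dll layout that makes DLL search-order hijacking work. The sample archive it builds is constructed here with dummy content and is not a real sample.

```python
import hashlib
import io
import zipfile

# Hashes and component names quoted in the report's IoC list.
KNOWN_SHA256 = {
    "185b7a487316454da04e9cc0fe6eb370bb2955cf6096fe3e8c02c46f8989ba37",
    "4c9061a07d667bf7dd6f597a43a8552af2f4277b7be06d6ea138abdb668d6a49",
}
STAGED_NAMES = {"कर विवरण.exe", "sbiedll.dll", "sbiedll.bin"}
SIDELOAD_DLLS = {"sbiedll.dll"}  # legitimate library name abused for side-loading


def triage_zip(data: bytes) -> dict:
    """Inspect a ZIP given as bytes; return hash, name and layout findings."""
    out = {"hash_hits": [], "staged": [], "sideload_pairs": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
        by_lower = {n.lower(): n for n in names}
        for n in names:
            digest = hashlib.sha256(zf.read(n)).hexdigest()
            if digest in KNOWN_SHA256:       # matches a published sample hash
                out["hash_hits"].append((n, digest))
            if n.lower() in STAGED_NAMES:    # lure component name
                out["staged"].append(n)
        # .exe packaged beside a DLL resolved from its own directory first:
        # the DLL search-order hijacking layout the report describes.
        for exe in (n for n in names if n.lower().endswith(".exe")):
            for dll in SIDELOAD_DLLS:
                if dll in by_lower:
                    out["sideload_pairs"].append((exe, by_lower[dll]))
    hit = any(out[k] for k in ("hash_hits", "staged", "sideload_pairs"))
    out["verdict"] = "suspicious" if hit else "clean"
    return out


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, blob in members.items():
            zf.writestr(name, blob)
    return buf.getvalue()


# Constructed sample mimicking the lure's layout; contents are dummy text.
SAMPLE_LURE = build_zip({
    "कर विवरण.exe": b"dummy, not a real PE",
    "SbieDll.dll": b"dummy, not a real DLL",
    "SbieDll.bin": b"dummy, not real shellcode",
})
```

Because the dummy contents do not hash to the published values, the constructed sample is flagged on component names and layout alone; a real extracted archive would additionally produce hash hits.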


Read more: https://www.cyfirma.com/research/operation-taxshadow-multi-region-tax-phishing-in-memory-malware-campaign/