Silver Fox Targeting India Using Tax Themed Phishing Lures

CloudSEK’s TRIAD uncovered an Income-tax-themed phishing campaign targeting India that uses an NSIS installer to drop a signed Thunder.exe and a malicious libexpat.dll, leading to in-memory Donut shellcode execution and deployment of Valley RAT. The report attributes the campaign to Silver Fox APT and details a multi-stage kill chain with DLL hijacking, process hollowing, registry-resident plugins for persistence, and a three-tier C2 infrastructure. #SilverFox #ValleyRAT

Key points

  • Phishing initial access: Income-tax-themed PDF in an email leads victims to ggwk[.]cc and triggers download of “tax affairs.exe”.
  • NSIS installer stage drops two files into the same working directory, a legitimately signed Thunder.exe and a malicious libexpat.dll, so that the signed binary resolves the DLL from that directory (DLL search-order hijacking).
  • libexpat.dll performs anti-debug/sandbox checks, stops the Windows Update service (wuauserv), loads and decrypts box.ini, and injects the decrypted shellcode into explorer.exe.
  • Decrypted shellcode is a Donut-produced in-memory loader that executes a managed payload (Valley RAT) without touching disk.
  • Valley RAT loads a 22-parameter configuration (three-tier C2, timing, feature flags), persists plugins in HKCU registry as REG_BINARY, and supports modular plugin delivery and tracerpt.exe process hollowing.
  • Infrastructure shows multi-domain, multi-IP C2 with failover (b[.]yuxuanow[.]top / 103.20.195[.]147 primary), and IOCs include four stage hashes, multiple domains, and IPs useful for detection and hunting.

MITRE Techniques

  • [T1566.001 ] Phishing: Spearphishing Attachment – Initial delivery via an Income-tax themed PDF attachment. (‘Income-tax themed PDF delivered via email’)
  • [T1204.002 ] User Execution: Malicious File – Victim opens the PDF which leads to a payload download. (‘User opens PDF leading to payload download’)
  • [T1059 ] Command and Scripting Interpreter – NSIS installer-driven execution logic used to stage payloads. (‘NSIS installer-driven execution logic’)
  • [T1106 ] Native API – Use of native APIs such as GetTempPathA, VirtualAllocEx and WriteProcessMemory for staging and injection. (‘Use of GetTempPathA, VirtualAllocEx, WriteProcessMemory’)
  • [T1129 ] Shared Modules – Abuse of a legitimate signed Thunder.exe binary to load a malicious libexpat.dll locally. (‘Signed Thunder.exe loads malicious DLL’)
  • [T1620 ] Reflective Code Loading – Donut-generated shellcode used to execute a managed payload entirely from memory. (‘Donut-generated shellcode executed entirely from memory’)
  • [T1547.001 ] Registry Run Keys / Startup Folder – Plugins and persistence implemented via registry-resident REG_BINARY values under HKCU\Console\*. (‘Registry-stored plugins persist across reboots’)
  • [T1112 ] Modify Registry – Configuration and plugins stored and updated as REG_BINARY in the registry. (‘Configuration and plugins stored as REG_BINARY values’)
  • [T1574.001 ] DLL Search Order Hijacking – Malicious libexpat.dll loaded from the installer’s working directory due to default DLL search order. (‘Malicious libexpat.dll loaded from writable directory’)
  • [T1218 ] Signed Binary Proxy Execution – Abuse of a digitally signed third-party binary (Thunder.exe) to execute malicious code. (‘Abuse of digitally signed third-party binary’)
  • [T1027 ] Obfuscated Files or Information – Encrypted payload (box.ini) decrypted at runtime to evade static detection. (‘Encrypted payload (box.ini) decrypted at runtime’)
  • [T1497 ] Virtualization/Sandbox Evasion – Anti-debugging, resource checks, and sandbox detection logic to terminate if analysis environment detected. (‘Anti-debugging, resource checks, sandbox detection’)
  • [T1562.001 ] Disable or Modify Tools – Disables Windows Update service (wuauserv) as part of anti-analysis/evade behavior. (‘Stops Windows Update service (wuauserv)’)
  • [T1057 ] Process Discovery – Enumerates processes to detect analysis tools and choose target processes (e.g., explorer.exe). (‘Enumerates processes to detect analysis tools’)
  • [T1082 ] System Information Discovery – Queries system resources and environment to check minimum requirements and detect sandboxes. (‘System resource and environment checks’)
  • [T1071.001 ] Web Protocols – C2 communication over HTTP/HTTPS as one of the supported transport types. (‘HTTP/HTTPS C2 communication’)
  • [T1095 ] Non-Application Layer Protocol – Support for raw TCP socket C2 communication configurable via flags. (‘Raw TCP socket C2 supported via t* flags’)
  • [T1105 ] Ingress Tool Transfer – Plugins and modules are downloaded from C2 servers to extend capabilities. (‘Plugins and modules delivered from C2’)
  • [T1573 ] Encrypted Channel – Configuration and payloads are encrypted and decrypted at runtime for secure C2 and payload transfer. (‘Encrypted configuration and payloads’)
  • [T1008 ] Fallback Channels – Three-tier C2 failover logic switching between primary, secondary, tertiary after failures. (‘Three-tier C2 with failover after connection failures’)
  • [T1041 ] Exfiltration Over C2 Channel – Keylogging data and command responses exfiltrated over the RAT’s C2 channel. (‘Keylogging and command responses sent over C2’)
  • [T1056.001 ] Input Capture: Keylogging – Keylogger feature controlled via configuration flag (kl) enabling input capture. (‘Keylogger (1 = enabled, 0 = disabled)’)
  • [T1489 ] Service Stop – Malware stops Windows Update service as part of its operations. (‘Windows Update service disabled’)

Indicators of Compromise

  • [Sha256 Hash ] Stage-specific payloads – 77ea62ff74a66f61a511eb6b6edac20be9822fa9cc1e7354a8cd6379c7b9d2d2 (Stage 1), fa388a6cdd28ad5dd83acd674483828251f21cbefaa801e839ba39af24a6ac19 (Stage 2), and 2 more hashes
  • [Domain ] Embedded decoy and C2 – ggwk[.]cc (decoy embedded in PDF), b[.]yuxuanow[.]top (shellcode C2), and 10+ other related domains sharing the same favicon
  • [IP Address ] Network infrastructure – 103.20.195[.]147 (resolution for b[.]yuxuanow[.]top), 45.207.231[.]94 (resolution for ggwk[.]cc), and other C2 IPs observed
  • [File Name ] Delivered and abused binaries – “tax affairs.exe” (downloaded by lure), “libexpat.dll” (malicious DLL loaded by Thunder.exe)
  • [Registry Path ] Persistence and plugin storage – HKCU\Console\d33f351a4aeea5e608853d1a56661059 (registry REG_BINARY plugin storage used by Valley RAT)
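The key points, the MITRE mapping and the IOC list above describe one observable chain: a stage with a known hash runs, signed Thunder.exe loads libexpat.dll from a user-writable directory, wuauserv is stopped, explorer.exe is written to by a foreign process, REG_BINARY blobs land under HKCU\Console\<hex>, and the host talks to the listed C2 infrastructure. The script below is an added hunting example (not CloudSEK's code and not part of the original report) that turns those observations into checks over Windows telemetry. The event records are constructed, Sysmon-style and System-log-style dictionaries; the hashes, domains, IPs and registry path are the ones quoted on this page, while the file paths, user SID, NSIS temp-directory name and GrantedAccess values in the samples are assumptions for illustration.

```python
"""Hunting helper for the kill chain summarized above (added example; not
CloudSEK's code). Events are constructed, Windows-event-log-style dicts:
Sysmon IDs 1, 3, 7, 8, 10, 13 and System-log IDs 7036/7040. The hashes,
domains, IPs and registry path are the ones quoted on this page; paths,
SIDs and field values in the samples are assumptions for illustration."""
import re

IOC_SHA256 = {
    "77ea62ff74a66f61a511eb6b6edac20be9822fa9cc1e7354a8cd6379c7b9d2d2",  # stage 1
    "fa388a6cdd28ad5dd83acd674483828251f21cbefaa801e839ba39af24a6ac19",  # stage 2
}
IOC_DOMAINS = {"ggwk.cc", "b.yuxuanow.top"}
IOC_IPS = {"103.20.195.147", "45.207.231.94"}

# Valley RAT plugin storage: HKCU\Console\<32 hex chars>. Sysmon records HKCU
# as HKU\<user SID>, so accept both spellings.
PLUGIN_KEY_RE = re.compile(
    r"^(HKCU|HKU\\S-1-5-21-[\d-]+)\\Console\\[0-9a-f]{32}(\\|$)", re.IGNORECASE)
# User-writable locations an NSIS installer typically extracts into (assumed list).
USER_WRITABLE_RE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|ProgramData)\\", re.IGNORECASE)
VM_OPERATION, VM_WRITE = 0x8, 0x20  # PROCESS_VM_OPERATION | PROCESS_VM_WRITE


def check_event(ev):
    """Return [(rule_name, detail), ...] for one event; [] if nothing matched."""
    hits, eid, ch = [], ev.get("EventID"), ev.get("Channel")
    img = ev.get("Image", "").lower()
    if ch == "System":
        # Stopping/disabling wuauserv through the service-control API leaves no
        # Sysmon trace; the Service Control Manager's own 7036/7040 events do.
        if ev.get("param1") == "Windows Update" and (
                (eid == 7036 and ev.get("param2") == "stopped")
                or (eid == 7040 and ev.get("param3") == "disabled")):
            hits.append(("wuauserv_stopped_or_disabled", f"{eid}"))
        return hits
    if eid == 1:  # process creation: dropped stage matched by SHA-256
        sha = ev.get("Hashes", {}).get("SHA256", "").lower()
        if sha in IOC_SHA256:
            hits.append(("ioc_hash", sha))
    elif eid == 3:  # network connection to known C2 / decoy infrastructure
        host = ev.get("DestinationHostname", "").lower()
        if host in IOC_DOMAINS or ev.get("DestinationIp") in IOC_IPS:
            hits.append(("ioc_network", host or ev.get("DestinationIp")))
    elif eid == 7:  # image load: signed Thunder.exe side-loading libexpat.dll
        loaded = ev.get("ImageLoaded", "")
        if (img.endswith("\\thunder.exe") and loaded.lower().endswith("\\libexpat.dll")
                and USER_WRITABLE_RE.search(loaded)):
            hits.append(("dll_sideload_thunder", loaded))
    elif eid in (8, 10):  # remote thread / handle with write rights on explorer.exe
        target = ev.get("TargetImage", "").lower()
        if target.endswith("\\explorer.exe") and not img.endswith("\\explorer.exe"):
            if eid == 8:
                hits.append(("remote_thread_explorer", img))
            else:
                granted = int(ev.get("GrantedAccess", "0x0"), 16)
                if granted & VM_OPERATION and granted & VM_WRITE:
                    hits.append(("vm_write_access_explorer", img))
    elif eid == 13:  # registry value set: REG_BINARY plugin under HKCU\Console\<hex>
        obj = ev.get("TargetObject", "")
        if PLUGIN_KEY_RE.match(obj) and ev.get("Details", "").startswith("Binary Data"):
            hits.append(("registry_plugin_store", obj))
    return hits


def scan(events):
    """Run every event through check_event and return the flat list of findings."""
    return [(ev.get("EventID"), rule, detail)
            for ev in events for rule, detail in check_event(ev)]


# Constructed sample telemetry following the chain on this page (not real logs).
SAMPLE_EVENTS = [
    {"Channel": "Sysmon", "EventID": 1, "Image": r"C:\Users\victim\Downloads\tax affairs.exe",
     "Hashes": {"SHA256": "77EA62FF74A66F61A511EB6B6EDAC20BE9822FA9CC1E7354A8CD6379C7B9D2D2"}},
    {"Channel": "Sysmon", "EventID": 7, "Image": r"C:\Users\victim\AppData\Local\Temp\nsa1B2.tmp\Thunder.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\nsa1B2.tmp\libexpat.dll"},
    {"Channel": "System", "EventID": 7036, "param1": "Windows Update", "param2": "stopped"},
    {"Channel": "Sysmon", "EventID": 10, "Image": r"C:\Users\victim\AppData\Local\Temp\nsa1B2.tmp\Thunder.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},
    {"Channel": "Sysmon", "EventID": 13, "Details": "Binary Data",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Console\d33f351a4aeea5e608853d1a56661059\0"},
    {"Channel": "Sysmon", "EventID": 3, "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "103.20.195.147", "DestinationHostname": "b.yuxuanow.top"},
    {"Channel": "Sysmon", "EventID": 7, "Image": r"C:\Windows\explorer.exe",  # benign load
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The behavioural rules are the ones worth keeping after the hashes and domains rotate: Thunder.exe loading libexpat.dll from a user-writable path, a non-explorer process obtaining VM_WRITE on explorer.exe, and REG_BINARY writes under HKCU\Console\<hex> are all independent of this campaign's infrastructure. Note that the Sysmon ID 10 check deliberately requires both PROCESS_VM_OPERATION and PROCESS_VM_WRITE; a plain 0x1FFFFF full-access handle from a legitimate tool would also trip it, so tune the source-image allow-list for your environment.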


Read more: https://www.cloudsek.com/blog/silver-fox-targeting-india-using-tax-themed-phishing-lures