eSentire TRU uncovered a multi-stage espionage campaign targeting residents of India that uses phishing lures impersonating the Income Tax Department to deliver a DLL side-loading loader which fetches shellcode, bypasses UAC via a COM elevation moniker, and ultimately deploys a repurposed SyncFuture TSM platform for persistent remote surveillance. The intrusion chain includes anti-analysis, PEB process masquerading, Avast-specific GUI automation to create antivirus exclusions, service-based Safe Mode persistence, and multiple signed binaries and certificates abused to appear legitimate. #Blackmoon #SyncFuture
Keypoints
- Actors targeted Indian residents with phishing emails impersonating the Income Tax Department and delivering a malicious archive (Inspection.zip) via shortened URLs and SendGrid-hosted senders.
- Initial execution leveraged DLL side-loading: a legitimate Microsoft-signed binary was used to load a malicious MpGear.dll that implements layered anti-debugging and anti-analysis checks.
- The loader contacted a hardcoded C2 (8.217.152[.]225) to download encrypted shellcode which was XOR-decrypted, LZNT1-decompressed and executed in memory via VirtualAlloc + CreateThread.
- Privilege escalation and defense evasion included a COM-based UAC bypass (COM elevation moniker) and PEB manipulation to masquerade as explorer.exe.
- When Avast Free Antivirus was present, the malware automated mouse clicks to add malicious files to Avast's exclusion list, enabling stealthy persistence.
- Operators deployed a repurposed commercial SyncFuture/TSM product (signed binaries like Setup.exe, mysetup.exe, MANC.exe) to establish resilient service persistence (configured to run in Safe Mode) and comprehensive monitoring/exfiltration capabilities.
- Multiple valid and abused code-signing certificates (2019-2024), extensive logging, registry modifications, ACL weakening scripts, and Safe Mode service entries were used to ensure long-term espionage-focused access.
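Added example (not eSentire's code and not the malware's): a Python re-implementation of the two staging layers described in the third key point, so an analyst can recover the shellcode from a captured "/1bin" response offline. LZNT1 is the format RtlDecompressBuffer(COMPRESSION_FORMAT_LZNT1) consumes, and its chunk header and token layout are reproduced here in full. The XOR key (0x5A) and the sample payload are constructed assumptions; the page does not disclose the real key, the key length or the shellcode. The final step the loader performs (VirtualAlloc + CreateThread) is deliberately not reproduced; the decoded bytes are returned for analysis instead.

```python
import struct

# Constructed sample inputs for this example (the page does not give the real
# XOR key, scheme or shellcode): a repeating-key XOR layer over an LZNT1 stream.
XOR_KEY = bytes([0x5A])  # hypothetical key; the loader's real key is unknown

# Hand-built LZNT1 stream: one compressed chunk that expands to
# "INSPECTION INSPECTION INSPECTION", then one stored chunk holding "END".
SAMPLE_LZNT1 = bytes.fromhex(
    "0EB0"                    # header 0xB00E: 0x8000 compressed | 0x3000 sig | (15 bytes - 1)
    "00" "494E535045435449"   # flags 0x00 -> eight literals "INSPECTI"
    "08" "4F4E20"             # flags 0x08 -> literals "ON ", then one match token
    "12A0"                    # match token 0xA012: offset 11, length 21 (overlapping copy)
    "0230" "454E44"           # header 0x3002: stored chunk, (3 bytes - 1), data "END"
)
SAMPLE_BLOB = bytes(b ^ XOR_KEY[i % len(XOR_KEY)] for i, b in enumerate(SAMPLE_LZNT1))


def lznt1_decompress(buf: bytes) -> bytes:
    """Decompress an LZNT1 stream: a sequence of 2-byte-headed chunks."""
    out = bytearray()
    i = 0
    while i + 2 <= len(buf):
        header = struct.unpack_from("<H", buf, i)[0]
        i += 2
        if header == 0:                      # a zero header terminates the stream
            break
        size = (header & 0x0FFF) + 1         # number of chunk data bytes that follow
        chunk = buf[i:i + size]
        i += size
        if not header & 0x8000:              # bit 15 clear: chunk is stored, not compressed
            out += chunk
            continue
        out += _decompress_chunk(chunk)
    return bytes(out)


def _decompress_chunk(chunk: bytes) -> bytearray:
    """Expand one compressed chunk: a flag byte followed by up to eight tokens, repeated."""
    out = bytearray()
    j = 0
    while j < len(chunk):
        flags = chunk[j]
        j += 1
        for bit in range(8):
            if j >= len(chunk):
                break
            if not ((flags >> bit) & 1):     # flag bit clear: literal byte
                out.append(chunk[j])
                j += 1
                continue
            if j + 2 > len(chunk):
                raise ValueError("truncated match token")
            token = struct.unpack_from("<H", chunk, j)[0]
            j += 2
            # The offset/length split widens the offset field as more output exists:
            # 4 offset bits for the first 16 bytes, one more each time output doubles.
            pos, len_mask, off_shift = len(out) - 1, 0x0FFF, 12
            while pos >= 0x10:
                pos >>= 1
                len_mask >>= 1
                off_shift -= 1
            length = (token & len_mask) + 3
            offset = (token >> off_shift) + 1
            if offset > len(out):
                raise ValueError("match offset points before start of chunk")
            for _ in range(length):          # byte-wise copy: matches may overlap themselves
                out.append(out[-offset])
    return out


def decode_stage(blob: bytes, key: bytes = XOR_KEY) -> bytes:
    """Reverse the loader's two staging layers: repeating-key XOR, then LZNT1."""
    plain = bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))
    return lznt1_decompress(plain)
```

Feed `decode_stage` the raw HTTP body captured from the C2 (with the recovered key) and write the result to disk for disassembly; a result that does not start with plausible position-independent code usually means the key or key length is wrong, not the LZNT1 layer, since a bad key typically trips the truncation or offset checks above.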
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link - The lure carried a link rather than an attachment; the shortened URL led to the malicious archive: ("'Download Documents' link using the shortened URL 'https://surl[.]li/wuvdwi' that redirected victims to a malicious file named 'Inspection.zip'").
- [T1574.002] Hijack Execution Flow: DLL Side-Loading - A legitimate, signed Microsoft application was used to load a malicious DLL payload: ("a legitimate, signed Microsoft application is used to load a malicious DLL").
- [T1218] Signed Binary Proxy Execution - Abuse of legitimate signed binaries and of abused code-signing certificates to execute malicious code: ("legitimate Microsoft Signed binary ... used for DLL Sideloading of the malicious payload 'MpGear.dll'").
- [T1055] Process Injection - Shellcode executed in memory inside the loader's own process via dynamic allocation and thread creation (no remote process is targeted, so T1620 Reflective Code Loading is arguably the closer fit): ("the malware allocates a new region of executable memory using VirtualAlloc ... Execution is transferred to the shellcode by calling CreateThread").
- [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control (COM Elevation Moniker) - The loader uses a file-less COM technique to obtain an elevated ICMLuaUtil object and call ShellExecute in a high-integrity context: ("uses a well-known, file-less COM-based technique to bypass the User Account Control (UAC) prompt"). This only auto-elevates when the logged-on user is a local administrator and UAC is set below "Always notify"; at the highest UAC level a prompt is still shown.
- [T1036] Masquerading: Process Masquerading via PEB Modification - The malware overwrites its PEB ProcessParameters (ImagePathName and CommandLine) and loader module-list entries so that tools reading the PEB see explorer.exe: ("modifies its own Process Environment Block (PEB) to masquerade as the legitimate Windows explorer.exe process"). Kernel-side views (the EPROCESS image name and the backing file object) are not affected, so comparing the PEB-reported image path with the kernel-reported one exposes the mismatch.
- [T1105] Ingress Tool Transfer - Download of follow-on payloads and tools from attacker-controlled domains: ("the binary downloads the next stage '180.exe' from hxxps://eaxwwyr[.]cn domain to the %TEMP% directory").
- [T1071.001] Application Layer Protocol: Web Protocols - C2 communication over HTTP(S), used to retrieve the shellcode and additional stages: ("contacts a Command-and-Control (C2) server to download a packed shellcode"; HTTP GET to 8.217.152[.]225:80 for "/1bin").
- [T1497] Virtualization/Sandbox Evasion - Multi-layered anti-debugging, timing checks and network time/API checks used to detect analysis environments and offline sandboxes: ("multi-layered anti-debugging routine" and "attempts to connect to timecha[.]com and other time APIs before proceeding").
- [T1543.003] Create or Modify System Process: Windows Service - A core component is installed as a Windows service, with SafeBoot registry entries so that it also starts in Safe Mode: ("installs a core component as a Windows service, configuring it to run even in Safe Mode").
- [T1112] Modify Registry - Creation and modification of registry keys for persistence and configuration (the GcServices key and the SafeBoot service entries): ("creates a registry key under HKEY_CURRENT_USER\SOFTWARE\Microsoft\GcServices" and SafeBoot service entries under SYSTEM\ControlSet001\Control\SafeBoot\*).
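Added example (not eSentire's code and not the malware's): a Python hunt over `reg query /s` output for the Safe Mode persistence described under T1543.003 and T1112 and in the key points. It flags SafeBoot\Minimal and SafeBoot\Network entries that are absent from a golden-image baseline, or whose service ImagePath lives in a user-writable directory, which is how a service like Manc stands out among the legitimate Safe Mode entries. The exported text, the baseline set, the placeholder services and the Manc ImagePath are constructed assumptions; the page names the Manc service but not where MANC.exe is installed.

```python
import re
from typing import Dict, List, Tuple

# Constructed `reg query ... /s` output. Only the service name "Manc" comes from
# the page; the other entries and the Manc ImagePath are placeholders.
SAFEBOOT_EXPORT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vga.sys
    (Default)    REG_SZ    Driver

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Manc
    (Default)    REG_SZ    Service

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\EventLog
    (Default)    REG_SZ    Service

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Manc
    (Default)    REG_SZ    Service
"""

SERVICES_EXPORT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted
    Start    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Manc
    ImagePath    REG_EXPAND_SZ    C:\ProgramData\Manc\MANC.exe
    Start    REG_DWORD    0x2
"""

# Assumed golden-image SafeBoot entries; a real baseline comes from a clean build.
BASELINE = {("Minimal", "vga.sys"), ("Network", "EventLog")}

# Directories an ordinary user can write to; a service binary has no business there.
USER_WRITABLE = ("\\programdata\\", "\\users\\", "\\temp\\", "\\appdata\\")

VALUE_RE = re.compile(r"^\s{4}(\S+)\s+(REG_[A-Z_]+)\s+(.*)$")
SAFEBOOT_RE = re.compile(r"\\Control\\SafeBoot\\(Minimal|Network)\\([^\\]+)$", re.I)


def parse_reg_query(text: str) -> Dict[str, Dict[str, str]]:
    """Parse `reg query /s` output into {key_path: {value_name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("HKEY_"):          # key lines are unindented
            current = line
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)              # value lines are indented by four spaces
        if m and current is not None:
            keys[current][m.group(1)] = m.group(3).strip().strip('"')
    return keys


def safeboot_entries(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (mode, name) for every SafeBoot\\Minimal and SafeBoot\\Network subkey."""
    found = []
    for path in keys:
        m = SAFEBOOT_RE.search(path)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def service_image_path(services: Dict[str, Dict[str, str]], name: str) -> str:
    """Look up the ImagePath of a service by name (empty for drivers/unknown names)."""
    for path, values in services.items():
        if path.lower().endswith("\\services\\" + name.lower()):
            return values.get("ImagePath", "")
    return ""


def hunt_safeboot(safeboot_text: str, services_text: str) -> List[dict]:
    """Flag SafeBoot entries that are off-baseline or backed by a user-writable binary."""
    safeboot = parse_reg_query(safeboot_text)
    services = parse_reg_query(services_text)
    findings = []
    for mode, name in safeboot_entries(safeboot):
        reasons = []
        if (mode, name) not in BASELINE:
            reasons.append("not in baseline")
        image = service_image_path(services, name)
        if any(d in image.lower() for d in USER_WRITABLE):
            reasons.append("ImagePath in user-writable directory")
        if reasons:
            findings.append({"mode": mode, "service": name, "image": image, "reasons": reasons})
    return findings
```

On a live host, collect the two inputs with `reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /s` and `reg query HKLM\SYSTEM\CurrentControlSet\Services /s`, then pass the saved text to `hunt_safeboot`. The baseline check catches any added Safe Mode entry; the ImagePath check catches the case where an attacker reuses a legitimate-looking name that happens to be in the baseline but points the service at a dropped binary.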
Indicators of Compromise
- [IP Address] C2 and hosting infrastructure - 8.217.152[.]225 (downloader C2), 103.97.131[.]44 (hosting malicious VBS), and several other hosting IPs.
- [Domain / URL] Phishing and payload hosts - gfmqvip[.]vip (Inspection.zip host), eaxwwyr[.]cn (stage download), surl[.]li/wuvdwi (shortened phishing URL), and other thematically similar phishing domains.
- [File Hashes] Malware binaries and unpacked components (SHA-256) - a416892cd439e289f188f9a85c21943b316b3489f70757d0d7df54e4edd9f14b (stage-2 PE), 659ff4b41b26b8ea91f7ccf968dc0305ff380571cfe7f70e80d79142142aa1a7 (180.exe), the game-float-core.dll and MANC.exe hashes, and three more hashes.
- [File Names] Delivered or dropped files - Inspection.zip, Inspection Document Review.exe (the signed Microsoft side-loading host), MpGear.dll, 180.exe, game-float-core.dll, Setup.exe, mysetup.exe, MANC.exe.
- [Email Addresses] Phishing sender addresses observed - legroslorna748@gmail[.]com (associated with many .cn domains), weekskataleya@gmail[.]com (associated with t-lebosports[.]cn), and additional actor-controlled addresses.
- [Registry Keys / Paths] Persistence and configuration indicators - HKCU\SOFTWARE\Microsoft\GcServices (wlda and wldb values), SafeBoot entries under SYSTEM\ControlSet001\Control\SafeBoot\* for the Manc service, and the Avast exclusions path SOFTWARE\Avast Software\Avast\properties\exclusions\IDPExcludedFiles.