An Income Tax Assessment Notice Phishing Campaign Delivering Malware

CYFIRMA reported a tax-themed malware campaign using a fake Indian Income Tax Department portal on harivo[.]vip to trick victims into downloading Tax_Assessment_0609.zip and the staged payloads Tax_Assessment.img, Tax_Assessment.exe, and libsvcs.dll. The malware uses ConfuserEx obfuscation, reflection-based DLL loading, persistence, and encrypted C2 traffic to support RAT-like control over Windows systems, with infrastructure tied to 103[.]231[.]12[.]27:4444.

Keypoints

  • The campaign impersonates the Indian Income Tax Department using a fake assessment notice hosted on harivo[.]vip.
  • Victims are lured into downloading a malicious ZIP archive named Tax_Assessment_0609.zip.
  • The infection chain uses a staged disk image, Tax_Assessment.img, which contains Tax_Assessment.exe and libsvcs.dll.
  • Tax_Assessment.exe acts as a loader and uses Assembly.LoadFrom() and reflection to execute the DLL payload.
  • Both binaries are protected with ConfuserEx and use stealth features such as hidden console windows, registry changes, and spoofed metadata.
  • libsvcs.dll provides RAT-like functions including persistence, host discovery, user activity monitoring, remote execution, and encrypted C2 communication.
  • Hardcoded infrastructure includes 103[.]231[.]12[.]27:4444, and the observed behavior resembles XWorm-like malware.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – The fake tax portal lures victims to download the malicious archive (‘Fraudulent Income Tax website → malicious archive download’).
  • [T1189] Drive-by Compromise – The fake portal delivers the ZIP archive through a deceptive website (‘ZIP archive with malware delivered via fake portal’).
  • [T1204.002] User Execution: Malicious File – The user is prompted to download and open the malicious file (‘User downloads/executes Tax_Assessment.exe’).
  • [T1218] System Binary Proxy Execution – The mounted disk image stages execution of the next components (‘Mounted disk image (Tax_Assessment.img) stages execution’).
  • [T1059] Command and Scripting Interpreter – The loader uses reflection-based .NET execution to run the payload (‘Reflection-based .NET dynamic execution’).
  • [T1620] Reflective Code Loading – Tax_Assessment.exe loads libsvcs.dll with Assembly.LoadFrom() (‘Assembly.LoadFrom() loads libsvcs.dll’).
  • [T1027] Obfuscated/Compressed Files – ConfuserEx is used to hide the malicious code and complicate analysis (‘ConfuserEx obfuscation on EXE/DLL’).
  • [T1036] Masquerading – The files and portal impersonate tax documents and legitimate government communication (‘Deceptive filenames/metadata impersonating tax docs’).
  • [T1036.005] Match Legitimate Resource Name or Location – The DLL uses fake Microsoft-like metadata to look trusted (‘DLL metadata: “Runtime Service Host”, “Microsoft Corporation”’).
  • [T1140] Deobfuscate/Decode Files – The protected assemblies are unpacked/decoded at runtime (‘Runtime decoding of protected assemblies’).
  • [T1564.003] Hide Artifacts: Hidden Window – The malware hides its console window during execution (‘Console window hidden during execution’).
  • [T1112] Modify Registry – The malware modifies registry settings for stealth and persistence (‘Registry mods for execution/persistence’).
  • [T1547.001] Registry Run Keys / Startup Folder – The malware uses startup registration and auto-run behavior (‘SetAutoRun, AddToStartupAdmin/NonAdmin’).
  • [T1053.005] Scheduled Task – Scheduled-task persistence is included in the malware’s capabilities (‘Scheduled-task persistence functionality’).
  • [T1082] System Information Discovery – The payload gathers OS and host information (‘GetWindowsVersion() collects OS/host details’).
  • [T1518.001] Security Software Discovery – The malware checks for security products (‘GetSecurityInfo() enumerates security products’).
  • [T1033] System Owner/User Discovery – The payload collects user information (‘User info collection during reconnaissance’).
  • [T1497.001] Virtualization/Sandbox Evasion – The malware performs anti-analysis checks before execution (‘Anti-analysis checks before execution’).
  • [T1071.001] Application Layer Protocol: Web Protocols – The C2 communication uses application-layer web communications (‘C2 via application-layer web communications’).
  • [T1573] Encrypted Channel – The malware uses an embedded 32-byte key for encrypted C2 (‘32-byte embedded encryption key for C2’).
  • [T1105] Ingress Tool Transfer – Additional payload loading/execution is supported by the malware (‘Dynamic payload loading/execution’).
  • [T1219] Remote Access Software – The payload provides RAT-style remote access and command execution (‘RAT functionality for remote access/command execution’).

Indicators of Compromise

  • [Domain] fraudulent tax portal and campaign hosting – harivo[.]vip, harivo.vip
  • [IP address] hardcoded C2 server and malicious infrastructure – 103[.]231[.]12[.]27, 38[.]76[.]161[.]218
  • [File names] staged infection-chain files – Tax_Assessment_0609.zip, Tax_Assessment.img, Tax_Assessment.exe, libsvcs.dll
  • [MD5 hashes] sample file hashes from the campaign – 3adcf5fca3f4fe23a9b73951e20d43bc, ba036fbf209b2dbdfec3fd3dee9b1798, and 2 more hashes
  • [SHA-256 hashes] YARA and IOC hashes associated with the campaign – 372d7d8ca222e03afa5970848cf88efa6a3bc5146d20398601285fc7eaea6735, f5dc1016679f54f2be22da0ff6642046f7a943410c188514b96c28d8a3b95e12, and 2 more hashes
  • [Port] encrypted C2 communication endpoint – 103[.]231[.]12[.]27:4444
  • [Strings] campaign-specific lure text used on the fake portal – Download Assessment Order & Workings, NOTICE OF ASSESSMENT


Read more: https://www.cyfirma.com/research/an-income-tax-assessment-notice-phishing-campaign-delivering-malware/