Information stealing malware spreading via fraudulent emails purporting to originate from Income Tax Department

Original Issue Date:- September 24, 2019
Alert Type:-Current Activity
Severity:- High

A phishing and malware campaign has been active since at least September 12 and targets individuals as well as financial organizations. The campaign uses fake emails purporting to be sent from the Indian Income Tax Department. Two variants of the emails have been observed. The first variant includes an attachment with the extension “.img” that contains a malicious “.pif” file. The second variant lures users into downloading a malicious “.pif” file hosted on a SharePoint page via a link to the fraudulent domain incometaxindia[.]info. This domain has now been disabled.

The malicious “.pif” files contact a Command & Control (C2) server and drop multiple binary (.exe, .dll) files in the [/Users//AppData/Local/Temp] and [/Users//AppData/Roaming] directories. The malware samples establish persistence by modifying the Windows registry and have been observed to have information-stealing capabilities. The campaign has similarities with the “Ave-Maria” malware campaign observed earlier (https://cofense.com/exploiting-unpatched-vulnerability-ave_maria-malware-not-full-grace/).

IOC:

Email IOCs:

Subject: “Important: Income Tax Outstanding Statements A.Y 2017-2018”
Origin IP addresses: 173.203.187[.]117; 198.54.114[.]167

File IOCs:

  • Name: Income Tax Statement XML PAN XXX895X.pif
    • Size: 2977280 bytes (2907 KiB)
    • SHA256: 477AF148C91D89473999B22F0EA8FCAD397847A2EBF934B6A8EF0B17B8FFB32A
  • Name: ikbRPWx22mkirSUNzDh950INU3c4kYwi7R4ofS.exe / hUaubCmX.exe
    • Size: 1018880 bytes (995 KiB)
    • SHA256: D5057455204BE6BD8DA0290C9252179267B17BE49969F9403F873527A0BC2902
  • Name: Ic7oLmQXwey479HCqLksrQ08CQ3QHn.exe
    • Size: 600064 bytes (586 KiB)
    • SHA256: 87E2BCEBE0EF44EC791206C26B35ADD8B995B9BEAD32A81CC9CA968706F5A1B7
  • Name: hpprint.exe
    • Size: 2977280 bytes (2907 KiB)
    • SHA256: 477AF148C91D89473999B22F0EA8FCAD397847A2EBF934B6A8EF0B17B8FFB32A
  • Name: E08y2Lnk2e7.exe
    • Size: 600064 bytes (586 KiB)
    • SHA256: 87E2BCEBE0EF44EC791206C26B35ADD8B995B9BEAD32A81CC9CA968706F5A1B7
  • Name: dismcore.dll
    • Size: 4608 bytes (4 KiB)
    • SHA256: FC0C90044B94B080F307C16494369A0796AC1D4E74E7912BA79C15CCA241801C
  • Name: Income Tax Statment XML.img
    • Size: 1900544 bytes (1856 KiB)
    • SHA256: 0983F428375869811B62B937029B51F3067E7FA5F024E070D9FD2A2F3DB387D0
  • Name: Income Tax Statement XXX8957X.pif
    • Size: 1820672 bytes (1778 KiB)
    • SHA256: 48A51D920AD2254D1A59900B65C35A62C853443D2D5E321706FE0C02F9A1CCA5
  • Name: ellocnak.xml
    • Directories: C:/Users//AppData/Local/Temp; C:/Users//AppData/Roaming

Network IOCs:

Initial infection vector domains/URLs:
  • incometaxindia[.]info
  • floworldwide-my[.]sharepoint[.]com/personal/dit-lax_flowgrp_com/_layouts/15/onedrive.aspx

C2 Information:
  • Domain Contacted: cold[.]deviatefromnorm[.]tk
  • IP address: 104[.]250[.]190[.]66
  • Destination Port: 6318 (TCP)


Recommendations:

  • Users are advised not to open documents from untrusted sources and to disable macro execution in MS Office by default.
  • Restrict execution of PowerShell and WScript in the enterprise environment. Ensure the latest version of PowerShell is installed and used, with enhanced logging, script block logging and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
  • Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorized software from gaining execution on endpoints.
  • Implement application whitelisting or strict Software Restriction Policies (SRP) to block binaries running from the %APPDATA% and %TEMP% paths.
  • Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. If the URL appears genuine, close the e-mail and go to the organization's website directly through the browser.
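Added triage example (not part of the advisory or any vendor tool): a small Python script that checks constructed endpoint and network event records against the hashes, domains and C2 address listed above, and separately flags any .pif/.exe/.dll launched from the AppData drop directories the advisory names, which is the detection counterpart of the SRP recommendation. The event dictionaries and their field names (image, sha256, domain, dst_ip, dst_port) are assumptions about the log format.

```python
"""Triage helper: flag endpoint events matching the IOCs and the %APPDATA%/%TEMP%
execution pattern from this advisory. Added example; sample events below are constructed."""
import re
from pathlib import PureWindowsPath

# Indicators taken from the advisory above.
IOC_SHA256 = {
    "477AF148C91D89473999B22F0EA8FCAD397847A2EBF934B6A8EF0B17B8FFB32A",
    "D5057455204BE6BD8DA0290C9252179267B17BE49969F9403F873527A0BC2902",
    "87E2BCEBE0EF44EC791206C26B35ADD8B995B9BEAD32A81CC9CA968706F5A1B7",
    "FC0C90044B94B080F307C16494369A0796AC1D4E74E7912BA79C15CCA241801C",
    "0983F428375869811B62B937029B51F3067E7FA5F024E070D9FD2A2F3DB387D0",
    "48A51D920AD2254D1A59900B65C35A62C853443D2D5E321706FE0C02F9A1CCA5",
}
IOC_DOMAINS = {"incometaxindia.info", "cold.deviatefromnorm.tk"}
IOC_C2 = {("104.250.190.66", 6318)}  # (ip, tcp port)
# Drop directories the advisory names, for any user profile (assumed Windows paths).
DROP_DIR_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\(local\\temp|roaming)\\", re.I)
EXEC_EXT = {".pif", ".exe", ".dll"}

def match_event(ev: dict) -> list[str]:
    """Return the reasons an event should be escalated (empty list = no match)."""
    hits = []
    if ev.get("sha256", "").upper() in IOC_SHA256:
        hits.append("known-bad hash")
    path = ev.get("image", "")
    if DROP_DIR_RE.match(path) and PureWindowsPath(path).suffix.lower() in EXEC_EXT:
        hits.append("executable launched from %APPDATA%/%TEMP% drop directory")
    if ev.get("domain", "").lower().rstrip(".") in IOC_DOMAINS:
        hits.append("contact with campaign domain")
    if (ev.get("dst_ip"), ev.get("dst_port")) in IOC_C2:
        hits.append("connection to C2 address/port")
    return hits

# Constructed sample records in the shape of process-creation / network-connection logs.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\AppData\Roaming\hpprint.exe",
     "sha256": "477af148c91d89473999b22f0ea8fcad397847a2ebf934b6a8ef0b17b8ffb32a"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\unknown.pif", "sha256": "00" * 32},
    {"dst_ip": "104.250.190.66", "dst_port": 6318, "domain": "cold.deviatefromnorm.tk"},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "sha256": "11" * 32},
]

def triage(events=SAMPLE_EVENTS) -> dict[int, list[str]]:
    """Map event index -> reasons, keeping only events that matched something."""
    return {i: r for i, ev in enumerate(events) if (r := match_event(ev))}

if __name__ == "__main__":
    for i, reasons in triage().items():
        print(i, SAMPLE_EVENTS[i], "->", "; ".join(reasons))
```

The path rule fires on the unknown .pif in the second sample even though its hash is not listed, which is the point of pairing hash matching with the drop-directory check.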