
Blackmoon Banking Trojan

Cybersecurity analysts have uncovered an active multi-stage intrusion campaign aimed at Indian individuals and organizations. The operation appears to be cyber-espionage in nature and relies on a layered backdoor framework to obtain long-term, covert access to compromised systems.

Phishing as the Initial Infection Vector

The campaign begins with phishing emails masquerading as official correspondence from the Income Tax Department of India. These messages entice recipients into downloading a ZIP archive under the pretense of tax penalty notices. Once opened, the archive initiates the infection chain that ultimately enables persistent monitoring and data theft.

Weaponized Archive and Stealthy Execution

The delivered ZIP file contains five components, all hidden except a decoy executable named 'Inspection Document Review.exe.' This file is abused to sideload a malicious dynamic-link library embedded in the archive. The rogue DLL performs debugger-evasion checks and communicates with a remote command-and-control server to retrieve the next-stage payload.

Privilege Escalation and Process Masquerading

The downloaded shellcode leverages a COM-based technique to bypass User Account Control (UAC), granting elevated privileges. It then alters its own Process Environment Block (PEB) to impersonate the legitimate Windows explorer.exe process, reducing the likelihood of detection by security tools and analysts.

Adaptive Payload Delivery

A subsequent stage, '180.exe,' is fetched from the domain eaxwwyr[.]cn. This file is a 32-bit Inno Setup installer that modifies its execution flow depending on whether specific security software is present on the infected host, allowing the malware to dynamically adjust its evasion tactics.

Security Software Evasion and Blackmoon Linkage

When defensive software is detected, the malware avoids deactivating it directly. Instead, it simulates mouse movements to navigate the security product's interface and quietly adds its malicious components to the exclusion list. This activity is facilitated by a DLL assessed to be a variant of the Blackmoon (KRBanker) malware family, historically associated with attacks on businesses in South Korea, the United States, and Canada since its emergence in 2015.

Abuse of a Legitimate Enterprise Tool

One of the files added to the exclusion list is 'Setup.exe,' a legitimate utility from SyncFutureTec Company Limited. This program drops 'mysetup.exe,' identified as SyncFuture TSM (Terminal Security Management), a commercial remote monitoring and management solution developed by Nanjing Zhongke Huasai Technology Co., Ltd. Although designed for enterprise administration, it is repurposed in this campaign as a comprehensive espionage platform.

Supporting Components and System Manipulation

Following deployment, additional elements are installed to prepare and control the environment:

  • Batch scripts that create custom directories, modify access control lists, alter desktop permissions, and perform cleanup and restoration tasks.
  • An orchestrator executable, 'MANC.exe,' which coordinates services and enables extensive activity logging.

Operational Impact and Strategic Significance

By abusing a legitimate enterprise tool alongside custom malware, the operators gain remote control over infected endpoints, continuous visibility into user activity, and a centralized mechanism for sensitive data exfiltration. The coordinated use of DLL sideloading, privilege escalation, commercial-tool repurposing, anti-analysis measures, and security-software evasion reflects a high degree of technical maturity and a clear intent to maintain persistent, granular control over compromised systems.
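As an added detection example (not part of the original write-up), the following Python correlates Sysmon-style endpoint events against the behaviours described above: a DLL loaded from the same user-writable directory as an executable dropped from an archive (sideloading), a process whose PEB-reported image name disagrees with its on-disk image (explorer.exe masquerading), contact with the staging domain, and the campaign's named file names. The event schema, the `helper.dll` name, the Temp path, and the user-writable roots are assumptions; the telemetry is constructed, not captured from a real host.

```python
import ntpath

# Indicators named in the write-up (domain is defanged there as eaxwwyr[.]cn).
IOC_DOMAIN = "eaxwwyr[.]cn".replace("[.]", ".")
IOC_FILES = {"inspection document review.exe", "180.exe", "mysetup.exe", "manc.exe"}
# Assumption: roots under which an EXE plus an unsigned sibling DLL is suspicious.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\")

def _lower_dir(path):
    return ntpath.dirname(path).lower()

def analyze(events):
    """Return (pid, reason) findings. Assumed fields: id (1=process create, 7=image
    load, 3=network), pid, image, loaded, signed, dest_host, peb_image (from a memory scan)."""
    findings = []
    proc_image = {}                      # pid -> on-disk image path from event id 1
    for ev in events:
        pid = ev["pid"]
        if ev["id"] == 1:                # process creation
            proc_image[pid] = ev["image"]
            name = ntpath.basename(ev["image"]).lower()
            if name in IOC_FILES:
                findings.append((pid, f"known campaign file name: {name}"))
            # PEB masquerading: PEB-reported image and on-disk image disagree
            peb = ev.get("peb_image")
            if peb and ntpath.basename(peb).lower() != name:
                findings.append((pid, f"PEB image {peb} != disk image {ev['image']}"))
        elif ev["id"] == 7:              # DLL load into an already-seen process
            exe = proc_image.get(pid, "")
            same_dir = _lower_dir(exe) == _lower_dir(ev["loaded"])
            writable = any(w in _lower_dir(exe) for w in USER_WRITABLE)
            if same_dir and writable and not ev.get("signed", False):
                findings.append((pid, f"possible DLL sideload: {ev['loaded']}"))
        elif ev["id"] == 3:              # outbound connection
            if ev.get("dest_host", "").lower() == IOC_DOMAIN:
                findings.append((pid, f"C2 contact: {IOC_DOMAIN}"))
    return findings

# Constructed sample telemetry (not real data); notepad.exe is a benign control.
TMP = r"C:\Users\victim\AppData\Local\Temp\notice"
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4100, "image": TMP + r"\Inspection Document Review.exe"},
    {"id": 7, "pid": 4100, "loaded": TMP + r"\helper.dll", "signed": False},
    {"id": 3, "pid": 4100, "dest_host": "eaxwwyr.cn"},
    {"id": 1, "pid": 4200, "image": TMP + r"\180.exe", "peb_image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 4300, "image": r"C:\Windows\System32\notepad.exe"},
    {"id": 7, "pid": 4300, "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
]
FINDINGS = analyze(SAMPLE_EVENTS)      # five findings for pids 4100 and 4200, none for 4300
```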
