CERT-In, the Government of India’s nodal cybersecurity body, has issued a warning to citizens about a dangerous online campaign built around fake emails that appear to come from the Indian Income Tax Department. Because citizens take mail from the Income Tax Department seriously, attackers are exploiting that trust to push malware disguised as official correspondence. Here is everything you need to know about these ‘dangerous’ emails.
According to CERT-In, the fake emails lure recipients with subject lines such as ‘Important: Income Tax Outstanding Statements A.Y 2017-2018’ or ‘Income Tax statement’.
CERT-In has identified two variants. The first carries an attachment with the extension “.img”, a disk image that Windows 8 and later mount natively on a double-click, and inside it a malicious “.pif” file. The second lures the user into downloading a malicious “.pif” file hosted on a SharePoint page, reached through a link to the fraudulent domain incometaxindia[.]info. In both cases the victim ends up opening a “.pif” file, which Windows treats as an executable regardless of its contents, so the malware runs as soon as the file is opened.
The campaign is particularly dangerous because the malware shares traits with “Ave-Maria”, which used DLL hijacking to gain administrative privileges and evade traditional detection. It can also silently download further plugins and malicious payloads.
CERT-In’s advice to enterprises: restrict execution of PowerShell and WSCRIPT (Windows Script Host) in the enterprise environment; install the latest version of PowerShell and enable its enhanced logging, with script block logging and transcription turned on; forward those logs to a centralized log repository for monitoring and analysis; enforce application whitelisting on all endpoint workstations so that droppers and unauthorized software cannot gain execution; and, as part of that whitelisting, strictly implement Software Restriction Policies (SRP) that block binaries running from the %APPDATA% and %TEMP% paths, where such droppers typically land.
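The PowerShell script below is an added example of how an administrator might apply those recommendations by hand on a single Windows endpoint; it is not part of the CERT-In advisory or of this article. It writes the registry values behind the equivalent Group Policy settings (PowerShell script block logging, module logging and transcription, the machine-wide Windows Script Host switch, and SRP path rules denying execution from %APPDATA% and %TEMP%), then reads the policy back and pulls the most recent script-block events that a central collector would ingest. The transcript directory C:\PSTranscripts and the extra script extensions appended to the SRP executable-type list are assumptions made for the example; in a real estate these settings belong in Group Policy, not in a one-off script.

```powershell
#Requires -RunAsAdministrator
# Added example (not CERT-In's script): apply the advisory's PowerShell-logging,
# WSH and SRP recommendations on one Windows endpoint by writing the registry
# values behind the equivalent Group Policy settings.
# Assumption: transcripts are written to C:\PSTranscripts.

$TranscriptDir = 'C:\PSTranscripts'
$PsPolicy      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$Safer         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Set-PolicyValue {
    # Create the key if needed and write one registry value (default type DWORD).
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Script block logging: every script block that runs is written as event 4104
#    to Microsoft-Windows-PowerShell/Operational, including code a dropper builds
#    or de-obfuscates at run time.
Set-PolicyValue "$PsPolicy\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

# 2. Module logging for all modules (event 4103, pipeline execution details).
Set-PolicyValue "$PsPolicy\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$PsPolicy\ModuleLogging\ModuleNames" '*' '*' 'String'

# 3. Transcription: full input/output of every session to a text file, with a
#    header recording user, host and start time. In production point
#    OutputDirectory at a write-only share so transcripts reach the central repository.
New-Item -ItemType Directory -Path $TranscriptDir -Force | Out-Null
Set-PolicyValue "$PsPolicy\Transcription" 'EnableTranscripting'    1
Set-PolicyValue "$PsPolicy\Transcription" 'EnableInvocationHeader' 1
Set-PolicyValue "$PsPolicy\Transcription" 'OutputDirectory' $TranscriptDir 'String'

# 4. Disable Windows Script Host machine-wide: wscript.exe and cscript.exe then
#    refuse to run .vbs/.js/.wsf droppers.
Set-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled' 0

# 5. Software Restriction Policies. Default level stays Unrestricted (262144);
#    anything matched by a rule under the Disallowed level (0) is denied.
Set-PolicyValue $Safer 'DefaultLevel'       262144
Set-PolicyValue $Safer 'TransparentEnabled' 1   # 1 = enforce on all software files except DLLs
Set-PolicyValue $Safer 'PolicyScope'        0   # 0 = applies to all users, including administrators

# File types SRP treats as executable. PIF, the extension used in this campaign,
# is in Windows' default list; the script-style extensions on the last line are
# additions assumed for this example.
$ExecTypes = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA',
             'INF','INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD',
             'PIF','REG','SCR','SHS','URL','VB','WSC',
             'JS','JSE','VBS','VBE','WSF','WSH','PS1'
Set-PolicyValue $Safer 'ExecutableTypes' $ExecTypes 'MultiString'

foreach ($dir in '%APPDATA%', '%TEMP%') {
    # One Disallowed path rule per directory; a directory rule also covers subfolders.
    # Caveat: a user can redefine these environment variables, so registry-based
    # path rules (%HKEY_CURRENT_USER\...\Shell Folders\AppData%) are sturdier.
    $rule = "$Safer\0\Paths\{$([guid]::NewGuid())}"
    Set-PolicyValue $rule 'ItemData'    $dir 'ExpandString'
    Set-PolicyValue $rule 'SaferFlags'  0
    Set-PolicyValue $rule 'Description' "Block execution from $dir" 'String'
}

function Get-HardeningStatus {
    # Read the policy back so the result can be checked and shipped with the logs.
    [pscustomobject]@{
        ScriptBlockLogging = (Get-ItemProperty "$PsPolicy\ScriptBlockLogging").EnableScriptBlockLogging
        Transcription      = (Get-ItemProperty "$PsPolicy\Transcription").EnableTranscripting
        TranscriptDir      = (Get-ItemProperty "$PsPolicy\Transcription").OutputDirectory
        WshEnabled         = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings').Enabled
        SrpDenyRules       = @(Get-ChildItem "$Safer\0\Paths" | ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData })
    }
}

Get-HardeningStatus

# Most recent script-block events: this is the stream the central log collector should ingest.
Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' -FilterXPath '*[System[EventID=4104]]' -MaxEvents 5 |
    Select-Object TimeCreated, Id, @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length)) } }
```

New processes pick up the SRP rules immediately, but sign out and back in before testing so that existing shells and Explorer also see the policy. Expect the Disallowed rules to break legitimate installers that unpack into %TEMP%; whitelist those by hash or publisher under the Unrestricted level rather than loosening the path rules.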