A state-backed cyber threat group has been identified executing a covert espionage operation against the Indian banking industry. This operation cleverly utilized a Microsoft-signed file to bypass security measures and deploy malware. The attack introduces a novel variant of the LOTUSLITE backdoor using DLL sideloading, a technique that leverages the inherent trust operating systems place in legitimate executables.
Stealthy Infiltration via Trusted Software
Unlike overt attack methods, the threat actor adopted a stealthy approach, seamlessly integrating malicious actions into normal system operations. The attack is initiated through a ZIP archive themed around the Indian financial sector. Within it, a legitimate Microsoft executable, Microsoft_DNX.exe, serves as the unwitting host for the malicious DLL, which is loaded upon execution because the executable does not verify the path from which the DLL is loaded.
As part of ongoing monitoring efforts, Acronis Threat Research Unit (TRU) analysts detected this LOTUSLITE variant. The malware’s links to Indian banking institutions became apparent during activity observed in March. TRU researchers highlighted the deliberate use of a Microsoft-signed executable as a means to bypass endpoint security checks, exploiting the general trust extended to Microsoft-signed files.
Persistent Cyber Threats and Espionage Goals
Once the LOTUSLITE backdoor is installed, it connects to a command-and-control (C2) server using dynamic DNS over HTTPS, allowing its traffic to blend with normal encrypted web communications. This backdoor grants the attacker remote shell access, file manipulation capabilities, and session management, ensuring a persistent presence on compromised systems. The backdoor’s design suggests a focus on espionage, prioritizing data gathering and sustained access over causing immediate disruptions.
The campaign shows connections to activities targeting Korea-related geopolitical interests, with similar infrastructure being used in operations referencing Korean policies and diplomatic entities. This suggests that the threat actor, potentially linked to the China-associated Mustang Panda group, operates on multiple fronts using a consistent toolset while tailoring content to each target audience.
DLL Sideloading: A Vulnerability Exploited
The campaign’s infection strategy hinges on exploiting the operating system’s trust in signed software. As Microsoft_DNX.exe executes, it dynamically loads the LOTUSLITE DLL, redirecting execution into the attacker’s code via the DnxMain export function. This strategy relies on the executable’s signed status, which discourages security products from flagging it as suspicious.
Security analysts are encouraged to monitor for irregular DLL loading patterns from legitimate Microsoft executables and enforce application control policies that restrict DLL loading to verified paths. Any signed executable loading unverified DLLs from user-writable directories should raise suspicion, and endpoint detection tools focusing on behavioral analysis over file reputation offer the best defense against such attacks.
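The detection guidance above, turned into a runnable check as an added example (not code from the article or from Acronis TRU): it scans constructed image-load telemetry and flags a Microsoft-signed host executable loading a non-Microsoft DLL from a user-writable directory, the DLL-sideloading pattern the campaign relies on. The field names (Image, ImageLoaded, HostSigner, DllSigner) are this example's own, loosely modelled on Sysmon Event ID 7, and the DLL file name is a constructed placeholder, not the campaign's.

```python
# Added example: detect the sideloading pattern described above in
# constructed image-load telemetry. Field names are assumptions of this
# example (loosely modelled on Sysmon Event ID 7), not the article's.
import ntpath
import re

# Directories an ordinary user can write to (constructed list; extend as needed).
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|temp|windows\\temp)\\", re.I)


def parse_line(line: str) -> dict:
    """Parse 'key=value' pairs separated by ' | ' into a dict."""
    return dict(part.split("=", 1) for part in line.strip().split(" | "))


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.match(path))


def sideload_reasons(rec: dict) -> list[str]:
    """Reasons a record matches the sideloading pattern (empty list if none)."""
    host_ms = rec["HostSigner"] == "Microsoft Corporation"
    dll_ms = rec["DllSigner"] == "Microsoft Corporation"
    if not host_ms or dll_ms:
        return []  # only a Microsoft-signed host loading a non-Microsoft DLL matters
    reasons = []
    if is_user_writable(rec["ImageLoaded"]):
        reasons.append("non-Microsoft DLL loaded from user-writable path")
    if ntpath.dirname(rec["Image"]).lower() == ntpath.dirname(rec["ImageLoaded"]).lower():
        reasons.append("DLL co-located with the signed host executable")
    if is_user_writable(rec["Image"]):
        reasons.append("Microsoft-signed host running from user-writable path")
    return reasons


def scan(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (loaded DLL path, reasons) for every telemetry line that matches."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        reasons = sideload_reasons(rec)
        if reasons:
            hits.append((rec["ImageLoaded"], reasons))
    return hits


SAMPLE_LINES = [  # constructed telemetry, not indicators from the campaign
    "Image=C:\\Windows\\System32\\notepad.exe | ImageLoaded=C:\\Windows\\System32\\kernel32.dll | HostSigner=Microsoft Corporation | DllSigner=Microsoft Corporation",
    "Image=C:\\Users\\alice\\Downloads\\finance\\Microsoft_DNX.exe | ImageLoaded=C:\\Users\\alice\\Downloads\\finance\\example_sideload.dll | HostSigner=Microsoft Corporation | DllSigner=none",
    "Image=C:\\Program Files\\ExampleVendor\\app.exe | ImageLoaded=C:\\Program Files\\ExampleVendor\\helper.dll | HostSigner=Example Vendor | DllSigner=Example Vendor",
]

if __name__ == "__main__":
    for dll, reasons in scan(SAMPLE_LINES):
        print(dll, "->", "; ".join(reasons))
```

Only the second sample line is reported, with all three reasons; a real deployment would feed this the same fields from the EDR or Sysmon pipeline and tune the user-writable path list to the environment.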
