Cybersecurity researchers have identified a new threat campaign targeting Windows users in India, utilizing fake income tax documents to distribute malware. The campaign, known as TAX#TRIDENT, has been tracked for its ability to employ multiple delivery methods while maintaining a convincing tax-related disguise.
How the Attack Operates
The campaign’s success does not rely on technical vulnerabilities but rather on tricking victims into accepting the authenticity of the malicious files. Fake Indian Income Tax assessment pages are used to coax users into downloading what appears to be genuine government documents. Once a user attempts to download the fake document, they unknowingly introduce a malicious file into their system.
Researchers from Securonix revealed that the campaign runs three distinct infection chains, all beginning with the same tax-related theme but diverging in execution. This flexibility allows attackers to adapt their methods if one avenue faces obstruction.
Details of the Attack Chains
The first infection path directs users to a counterfeit Indian Income Tax site, convincing them to download a ZIP file named ‘Assessment Letter.zip.’ This file contains a signed Windows executable, which installs a remote management client, allowing persistent access to the compromised system.
The second path involves a VBScript file named ‘Assessment_Order.vbs,’ served through various fake tax domains. This script silently installs the same remote management client while displaying a decoy tax image. Despite variations in domains and server addresses, the core malicious payload remains unchanged, as confirmed by identical SHA256 hashes.
The third chain deviates by downloading a ManageEngine UEMS agent, which is then configured to connect to an attacker-controlled server. This method leverages legitimate software to create a covert remote access channel, complicating detection efforts.
Mitigation and Defense Strategies
Security experts recommend a focus on behavioral detection over domain or filename blocklists. Indicators such as unusual filenames, hidden directories, and abnormal network traffic should be prioritized. Monitoring script execution and changes to UAC policies is crucial for early detection, since the hashes, domains and server addresses rotate between chains while the behavior stays the same.
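The behavioral signals recommended above (a script host launching a tax-themed VBScript, a change to UAC policy, a legitimate management agent talking to a host the organization never approved) can be turned into a small triage routine. The code below is an added example, not Securonix's detection content: the event records are constructed in the style of Sysmon process, registry and network events, the agent name rm_agent.exe and the allowlisted host uems.corp.example are assumptions, and the UAC registry key is the standard Policies\System key rather than anything the report names.

```python
"""Behavioral triage of Sysmon-style events for the TAX#TRIDENT pattern (added example)."""
import re

TAX_LURE = re.compile(r"assessment|income.?tax", re.I)      # lure names seen in this campaign
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}
# Remote-management agents the org deploys and the only hosts they may contact (assumed).
MANAGED_AGENTS = {"rm_agent.exe": {"uems.corp.example"}}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(event):
    """Return the list of behavioral reasons to alert on one event (empty = benign)."""
    hits = []
    if event["type"] == "process_create":
        image, cmd = _basename(event["image"]), event.get("cmdline", "")
        if image in SCRIPT_HOSTS and re.search(r"\.vbs\b", cmd, re.I):
            hits.append("script host launching VBScript")
            if TAX_LURE.search(cmd):
                hits.append("tax-themed lure filename")
    elif event["type"] == "registry_set":
        if event["key"].lower() == UAC_KEY.lower() and event["value"] in UAC_VALUES:
            hits.append(f"UAC policy change: {event['value']}={event['data']}")
    elif event["type"] == "network_connect":
        image, dest = _basename(event["image"]), event["dest"]
        allowed = MANAGED_AGENTS.get(image)
        if allowed is not None and dest not in allowed:
            hits.append(f"remote-management agent {image} connecting to unapproved host {dest}")
    return hits


SAMPLE_EVENTS = [  # constructed telemetry, not captured from a real host
    {"type": "process_create", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\Assessment_Order.vbs"'},
    {"type": "registry_set", "key": UAC_KEY, "value": "EnableLUA", "data": "0"},
    {"type": "network_connect", "image": r"C:\Program Files\RM\rm_agent.exe", "dest": "203.0.113.10"},
    {"type": "network_connect", "image": r"C:\Program Files\RM\rm_agent.exe", "dest": "uems.corp.example"},
    {"type": "process_create", "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]


def run(events=SAMPLE_EVENTS):
    """Index each event that produced at least one behavioral hit."""
    return [(i, hits) for i, e in enumerate(events) if (hits := triage(e))]


if __name__ == "__main__":
    for index, reasons in run():
        print(index, "; ".join(reasons))
```

Only three of the five constructed events fire; the approved agent connection and the ordinary explorer launch stay quiet, which is the point of keying on behavior instead of the rotating hashes and domains.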
Conclusion and Recommendations
The ongoing adaptability of the TAX#TRIDENT campaign poses significant challenges to cybersecurity defenses. By constantly evolving its delivery methods and maintaining core tactics, it remains a persistent threat. Users are advised to avoid downloading unsolicited tax-related files and to remain vigilant against unexpected prompts for downloads.
Security teams should enhance monitoring capabilities to detect and respond to suspicious activities effectively. A focus on behavioral signals rather than static indicators will be key in combating such sophisticated threats.
