Cybercriminals are exploiting the critical Income Tax Return (ITR) filing season to launch sophisticated phishing attacks against Indian businesses. These campaigns, often amplified by public anxiety surrounding tax deadlines and potential refunds, employ high-fidelity lures designed to mimic official government communications and deliver persistent malware capable of full system compromise.
The latest wave of these threats begins with a spear-phishing email bearing the subject line “Tax Compliance Review Notice,” purporting to originate from the Income Tax Department. While it appears official, closer examination reveals a sender address on Outlook[.]com rather than a legitimate government domain. The email body contains no text at all, only an embedded image, a choice that researchers note is designed to bypass text-based spam filters and to create a false sense of urgency that prompts immediate action from unsuspecting recipients.
Advanced Infection Chain Targets Businesses During ITR Season
The sophisticated nature of these attacks is evident in their multi-stage infection chain. Recipients are urged to open an attachment labeled “Review Annexure.pdf,” which is crafted to resemble an authentic tax document. However, this PDF contains a malicious link that redirects users to a fraudulent compliance portal. According to analysis by Seqrite, upon visiting this site, users are prompted to download a ZIP archive. In a concerning move, the malicious actors instruct victims to disable their antivirus software, citing supposed “compatibility issues” to ensure the payload executes unchecked.
Once the victim engages with the downloaded payload, the technical complexity of the campaign becomes apparent. The infection process utilizes a two-stage NSIS installer. This installer meticulously unpacks multiple files, establishing a persistent presence on the compromised machine. The malware is not merely designed to exfiltrate data; it installs a self-starting service named NSecRTS.exe. This service ensures the malware operates continuously in the background, maintaining its foothold on the victim’s system.
Furthermore, the persistent malware communicates with Command and Control (C2) servers through non-standard ports, specifically identified as 48991 and 48992. Technical indicators observed by researchers, including the use of Simplified Chinese and specific code-signing certificates, suggest that the development tools and origin of this malware likely stem from a China-linked environment. This progression from a seemingly simple phishing email to a fully functional Remote Access Trojan (RAT) underscores the necessity for heightened vigilance and robust cybersecurity practices, especially during periods of heightened official activity like the Indian ITR filing season.
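The indicators scattered across the description above (a webmail sender posing as the tax department, the known subject line and attachment name, the image-only body, the NSecRTS.exe service and the two non-standard C2 ports) can be turned into a small triage script. The following is an added example written for this page, not code from Seqrite or from the article; the log line formats, the timestamp, the host name and the 203.0.113.45 destination are constructed for illustration, and the Windows event ID 7045 (service installed) is used only as a plausible source for the service-creation record.

```python
"""Triage helpers for the ITR-season phishing chain described above.

Added example, not Seqrite's or the article's own code. Indicators are the
ones named in the article; the log formats and sample values below are
constructed and should be adapted to the real mail gateway and EDR output.
"""
import re
from dataclasses import dataclass

C2_PORTS = {48991, 48992}                     # non-standard C2 ports from the article
SUSPECT_SERVICE = "nsecrts.exe"               # self-starting service the installer drops
LURE_SUBJECT = "tax compliance review notice"
LURE_ATTACHMENT = "review annexure.pdf"
# Consumer webmail domains that a government department would not send from.
WEBMAIL_DOMAINS = {"outlook.com", "gmail.com", "yahoo.com", "hotmail.com"}


@dataclass
class Finding:
    source: str   # "email", "service" or "network"
    reason: str


def email_findings(headers, body_text, attachments, inline_images=0):
    """Check a parsed message against the lure characteristics."""
    findings = []
    sender = headers.get("from", "").lower()
    m = re.search(r"@([\w.-]+)>?$", sender)
    domain = m.group(1) if m else ""
    # Display name claims the tax department but the domain is free webmail.
    if "income tax" in sender and domain in WEBMAIL_DOMAINS:
        findings.append(Finding("email", f"tax-department display name on webmail domain {domain}"))
    if headers.get("subject", "").strip().lower() == LURE_SUBJECT:
        findings.append(Finding("email", "subject matches known lure"))
    # Empty text body with an embedded image is the filter-evasion trick.
    if not body_text.strip() and inline_images > 0:
        findings.append(Finding("email", "image-only body with no text"))
    if any(a.lower() == LURE_ATTACHMENT for a in attachments):
        findings.append(Finding("email", "attachment name matches known lure"))
    return findings


# Constructed log formats (assumptions): a service-installed record and a
# firewall/EDR connection record, one per line.
SERVICE_RE = re.compile(r"EventID=7045 .*ImagePath=(?P<path>\S+)")
CONN_RE = re.compile(r"proto=tcp src=\S+ dst=(?P<dst>[\d.]+):(?P<port>\d+) action=(?P<action>\w+)")


def host_findings(lines):
    """Flag NSecRTS.exe service installs and connections to the C2 ports."""
    findings = []
    for line in lines:
        m = SERVICE_RE.search(line)
        if m and m.group("path").lower().endswith(SUSPECT_SERVICE):
            findings.append(Finding("service", f"service installed from {m.group('path')}"))
            continue
        m = CONN_RE.search(line)
        if m and int(m.group("port")) in C2_PORTS:
            findings.append(Finding("network",
                f"outbound {m.group('dst')}:{m.group('port')} (C2 port) {m.group('action')}"))
    return findings


# Constructed sample input mirroring the campaign (not real captured data).
SAMPLE_HEADERS = {
    "from": "Income Tax Department <notices.itd@outlook.com>",
    "subject": "Tax Compliance Review Notice",
}
SAMPLE_ATTACHMENTS = ["Review Annexure.pdf"]
SAMPLE_LOG = """\
2024-07-18T09:12:03Z host=FIN-PC01 EventID=7045 ServiceName=NSecRTS ImagePath=C:\\ProgramData\\NSecRTS\\NSecRTS.exe StartType=auto
2024-07-18T09:12:10Z host=FIN-PC01 proto=tcp src=10.0.5.21:50312 dst=203.0.113.45:48991 action=allow
2024-07-18T09:12:11Z host=FIN-PC01 proto=tcp src=10.0.5.21:50313 dst=203.0.113.45:443 action=allow
2024-07-18T09:12:15Z host=FIN-PC01 proto=tcp src=10.0.5.21:50314 dst=203.0.113.45:48992 action=allow
""".splitlines()


if __name__ == "__main__":
    for f in email_findings(SAMPLE_HEADERS, "", SAMPLE_ATTACHMENTS, inline_images=1):
        print(f"[{f.source}] {f.reason}")
    for f in host_findings(SAMPLE_LOG):
        print(f"[{f.source}] {f.reason}")
```

The email checks are meant to run at the gateway before delivery, while the host checks are a hunt over service-installation and connection logs; a single hit on the service name or either C2 port is enough to isolate the host, whereas the email indicators are best combined, since a consumer webmail sender alone is common in legitimate mail.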
The Income Tax Department typically communicates through official channels and domains. Businesses and individuals should always verify the authenticity of communications, especially those requesting sensitive information or directing them to download files or visit external websites. Employing up-to-date antivirus software, maintaining system patches, and providing regular cybersecurity awareness training to employees are crucial defenses against such evolving threats. The ongoing nature of these attacks indicates that malicious actors will continue to adapt their tactics, making awareness and proactive security measures paramount for safeguarding against financial and data breaches.