Government of India’s nodal cybersecurity body, CERT-In, has issued a warning to citizens about a dangerous online campaign involving fake emails that appear to be sent from the Indian Income Tax Department. Because emails from the Income Tax Department are taken seriously by citizens, attackers are exploiting this trust by pushing malware disguised as an email from the department. Here is everything you need to know about these ‘dangerous’ emails.
These Income Tax emails have subject lines related to IT returns or statements
According to CERT-In, these fake emails use the following subject lines to lure recipients: ‘Important: Income Tax Outstanding Statements A.Y 2017-2018’ or ‘Income Tax statement’.
These ‘dangerous Income Tax’ emails started circulating around September 12
The fake Income Tax emails are usually sent from a domain named ‘incometaxindia[.]info’.
Two variants of these fake emails: an attachment with the ‘.img’ extension, and a ‘.pif’ file
CERT-In has found two variants of the fake emails. The first variant includes an attachment with the extension “.img” which contains a malicious “.pif” file. The second variant lures users into downloading a malicious “.pif” file hosted on a SharePoint page via a link to the fraudulent domain incometaxindia[.]info.
Emails are aimed at stealing personal information, warns CERT-In
According to CERT-In, the malicious “.pif” files contained in the attachments contact a command and control server, modify the Windows registry and try to steal users’ personal information.
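A mail-gateway triage check for the indicators the advisory lists (sender domain, subject lines, ‘.img’/‘.pif’ attachments, and links to the fraudulent domain), as an added example that is not from CERT-In or the article; the sample message it builds is constructed, not a real capture.

```python
"""Triage an inbound email against the indicators CERT-In published for
this campaign. The constructed sample mimics the first (attachment) variant."""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

SUSPECT_DOMAIN = "incometaxindia.info"          # fraudulent sender/link domain from the advisory
SUSPECT_SUBJECTS = (                            # subject lines quoted in the advisory
    "Important: Income Tax Outstanding Statements A.Y 2017-2018",
    "Income Tax statement",
)
SUSPECT_EXTENSIONS = {".img", ".pif"}           # disk image wrapper and the .pif payload
LINK_RE = re.compile(r"https?://[^\s\"'>]*incometaxindia\.info", re.IGNORECASE)


def sender_domain(msg):
    """Lower-cased domain of the From header, or '' when absent."""
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def triage(raw):
    """Return the list of indicator hits for one RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    if sender_domain(msg) == SUSPECT_DOMAIN:
        hits.append("sender-domain")
    subject = msg.get("Subject", "").strip().lower()
    if any(subject == s.lower() for s in SUSPECT_SUBJECTS):
        hits.append("subject")
    for part in msg.iter_attachments():                      # first variant: .img / .pif attachment
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in SUSPECT_EXTENSIONS):
            hits.append("attachment:" + name)
    body = msg.get_body(preferencelist=("plain", "html"))    # second variant: download link
    if body is not None and LINK_RE.search(body.get_content()):
        hits.append("link-domain")
    return hits


def constructed_sample():
    """Constructed message resembling the first variant (sample data, not a real email)."""
    m = EmailMessage()
    m["From"] = "Income Tax Department <noreply@incometaxindia.info>"
    m["To"] = "user@example.com"
    m["Subject"] = "Income Tax statement"
    m.set_content("Please find your outstanding statement attached.")
    m.add_attachment(b"\x00" * 16, maintype="application", subtype="octet-stream",
                     filename="IT_Statement.img")
    return m.as_string()


if __name__ == "__main__":
    print(triage(constructed_sample()))
```

Any non-empty result is a reason to quarantine the message for analyst review rather than deliver it; extend the indicator sets as the advisory is updated.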
The campaign is similar to the “Ave-Maria” malware observed earlier
This campaign is particularly dangerous because it has similarities with the “Ave-Maria” malware, which came with a DLL hijacking capability that allowed it to get advanced admin access and bypass traditional detection methods. This malware can also secretly download other plugins and malicious content.
It is highly recommended not to open documents from untrusted emails, and to disable running macros in MS Office by default
CERT-In suggests that businesses make these changes to prevent unauthorised access
CERT-In advises users to restrict execution of PowerShell and WScript in enterprise environments. Ensure installation and use of the latest version of PowerShell with enhanced logging enabled, including script block logging and transcription. Send the associated logs to a centralized log repository for monitoring and analysis. Enforce application whitelisting on all endpoint workstations; this will prevent droppers or unauthorized software from gaining execution on endpoints. Implement application whitelisting, or a strict implementation of Software Restriction Policies (SRP), to block binaries running from the %APPDATA% and %TEMP% paths.