Hackers impersonate tax office to scam Indian workers


Tax time is never fun. It involves combing the home and office for receipts from months ago, then scrambling to submit a tax return before the deadline ends. The one bright spot in this process is the income tax return.

LMNTRIX researchers have uncovered a malware campaign launched last month, targeting Indian citizens awaiting their hard-earned tax returns with spoofed emails claiming to be from the Reserve Bank of India (RBI).

The malicious emails claim to contain information about the victim’s tax return, but in reality the email has been weaponized to harvest usernames and passwords, banking credentials, create backdoors and launch JavaScript miners from the browser. 

From our analysis, it seems the campaign’s current focus is harvesting credentials and using them to further propagate the malware by sending spam emails from mass mailers using the harvested mail credentials. 

The campaign’s genesis in September is perfectly timed to take advantage of tax payers awaiting tax returns – India’s tax return deadline was this year extended to August 31, with a processing time of one-to-three months, most citizens would be expecting to receive their returns from September.

Technical Analysis

Network Analysis

This campaign’s spam emails are sent from the spoofed sender name “R.B.I. Tax” and contains an embedded link for users to click on for more information. After digging into this URL, we discovered it downloads a compressed file named “Tax Payment Challan.zip” which contains a malicious binary “Tax Payment Challan.exe”:

While at first glance, the link appears to send users to a legitimate government website, it actually sends users to www[.]womenpowerconnect[.]org. A meta-redirect then downloads the malicious file from www[.]colortile[.]in. This leads us to believe that both domains have been compromised to serve malicious files:


A quick OSINT check confirmed our suspicions. The womenpowerconnect[.]org domain has been associated with serving multiple malware types, such as, lokibot, since December 2015. The domain colortile[.]in has also been recently scanned for malicious URLs and files.

We then noticed a common method of using meta-tags to redirect to other domains for downloading the malicious compressed file. By following this pattern, we were able to identify seven more domains, for a total of 9 compromised websites:

•    womenpowerconnect[.]org

•    colortile[.]in

•    dynamictechnologies[.]in

•    superiorsystems[.]co[.]in

•    jpdecor[.]in

•    edufeez[.]com

•    pragatilogistic[.]com

•    alreadyhost[.]ithinq[.]net

•    pinnacleprojects[.]co[.]in

Another common pattern we noticed was the naming convention for malicious HTML files. All the malicious HTML files had the same name – 404[.]htm. During our analysis, we also uncovered additional malicious samples in the above compromised websites, including fake net-banking login pages for two prominent Indian Banks, Bank of India and IndusIND, and several other malicious executables.

This indicates the attackers are not only sophisticated, they are also prolific, having carried out multiple attack campaigns with varying techniques and malware. 

Another common thread which linked many of the malicious files discovered in the compromised URLs was a malicious JavaScript snippet:

Most of the URLs included a script which referenced srcips[.]com – a domain which was very recently created.


Upon analyzing, we found this to be a nested call to an obfuscated miner script in JavaScript hosted on www[.]hostingcloud[.]science. The analysis of the miner script is available on Virustotal.  On de-obfuscating the script, we were able to find domains which worked as nodes for the mining activity. A list of the same is available further below in the IOC section.

Static Binary Analysis

•    Filename: Tax Payment Challan.exe

•    Sha256: ba02c6fc3782aa885633fea69a12768dee8b42726babb120b953d35b4537c37a


This malware, compiled on 19 October 2018 02:38:33, seems to share the same codebase as a polymorphic malware which was first seen in the wild in November 2010. 

General Characteristics 

The binary is a PE32 GUI executable written in Microsoft Visual Basic 6. As already mentioned, the file is delivered via a spam email, inside a compressed zip file. The file metadata states it was developed and used by CENPAP Research and Consultancy, Hyderabad, India for the purpose of employee tracking and monitoring.

The file contains many Windows API calls which are not part of the Import Address Table. The executable uses a variety of VM detection techniques to evade analysis, including checking for registry keys, sandbox presence and CPU ID.


The entropy of the .text section is unusually high (5.89) which points to the presence of additional assembly code.

Antivirus Detection Results 

VirusTotal scans show that 24 out of 67 vendors have identified this file as malicious. The common families it belongs to are Johnnie Worm, Dropper and Key Logger. 

File System IOC

File Created: jpomdvf.exe inside C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Registry IOC

Writes to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

1.    UNCAsIntranet = 0

2.    AutoDetect = 1

Writes to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Tax Payment Challan_RASAPI32

1.    EnableFileTracing = 0

2.    EnableConsoleTracing = 0

Writes to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Tax Payment Challan_RASMANCS

1.    EnableFileTracing = 0

2.    EnableConsoleTracing = 0

Writes to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

1.    ProxyEnable = 0

Behavior and Control Flow

1.    Checks for VM detection from values in Registry key SYSTEM\ControlSet001\Services\Disk\Enum for *VBOX*, VIRTUAL*, *VMWARE* - in reverse using rtcStrReverse function.

2.    Checks for Sandbox presence - Sandboxie and WinDbg, by checking for sbiedll.dll and dbghelp.dll in Modules loaded with the executable using GetCurrentProcessId(), CreateToolhelp32Snapshot(), Module32First() and Module32Next().

3.    Creates a copy of itself to the Startup folder using RtlMoveMemory().

4.    Executes itself from the Startup folder using ShellExecuteA().

5.    Reads Internet Settings and RDP Settings from Registry.

6.    Adds hooks to read input from Keyboard and Mouse.

7.    Logs all keystrokes.

On decompiling the executable to equivalent VB code, we noticed a number of forms and modules with very unusual names in native Indian languages. We also noticed some strings in those functions written in Hindi:


The campaign propagates by harvesting credentials and using them to send more spam mails in order to collect even more credentials. At this stage, it looks as though the threat actors are collecting and discovering assets, while using the existing ones to deliver and stage malicious files. We can assume that the threat actors will ultimately use the compromised assets to take their campaign to the next step, although at this moment we are not sure what this next stage would entail. As of now, those behind the campaign are targeting only users on the Indian subcontinent.


Security analysts should update threat intelligence data stores with the below IOCs:

Indicators of Compromise 


•    womenpowerconnect[.]org/wp-content/themes/twentyfifteen/js/404[.]htm

•    colortile[.]in/backup/font/404[.]htm

•    colortile[.]in/backup/youtube_api/404[.]htm

•    colortile[.]in/backup/font/404[.]htm

•    jpdecor[.]in/404[.]htm

•    jpdecor[.]in/themes/css/404[.]htm

•    jpdecor[.]in/images/404[.]htm

•    colortile[.]in/class/Tax%20Payment%20Challan[.]zip 

•    colortile[.]in/action/TDS%20Challan[.]zip 

•    dynamictechnologies[.]in/demo/images/file/assets/css/Tax%20Payment%20Challan[.]zip 

•    superiorsystems[.]co[.]in/please/css/Tax%20Payment%20Challan[.]zip 

•    jpdecor[.]in/themes/js/Tax Payment Challan[.]zip 

•    jpdecor[.]in/js/Tax%20Payment%20Challan[.]zip 

•    jpdecor[.]in/css/img/Tax%20Payment%20Challan[.]zip 

•    jpdecor[.]in/lightbox/css/Tax%20Payment%20Challan[.]zip 

•    pragatilogistic[.]com/wp-content/themes/Pragati/fonts/Tax%20Payment%20Challan[.]zip 

•    pinnacleprojects[.]co[.]in/wp-content/themes/pinnacle/css/Tax%20Payment%20Challan[.]zip 

•    edufeez[.]com/AYOUR/INFOTEK/online/INDUDD-HTML/

•    alreadyhost[.]ithinq[.]net/wp-content/themes/twentyfifteen/css/bankofindia/boiindex[.]html

•    srcips[.]com 

•    hostingcloud[.]science[.]

•    freecontent[.]faith[.] 

•    freecontent[.]party[.] 

•    freecontent[.]science[.] 

•    freecontent[.]trade[.] 

•    hostingcloud[.]accountant[.] 

•    hostingcloud[.]bid[.] 

•    hostingcloud[.]date[.] 

•    hostingcloud[.]download[.] 

•    hostingcloud[.]faith[.] 

•    hostingcloud[.]loan[.] 

•    jshosting[.]bid[.] 

•    jshosting[.]date[.] 

•    jshosting[.]download[.] 

•    jshosting[.]loan[.] 

•    jshosting[.]party[.] 

•    jshosting[.]racing[.] 

•    jshosting[.]review[.] 

•    jshosting[.]stream[.] 

•    jshosting[.]trade[.] 

•    jshosting[.]win[.]

Hashes (SHA256)

















Next Steps

Moving ahead, we will continue tracking this campaign and all the related IOCs in order to identify the next stage in the threat actors’ plan. 

In the next post, we will dive deep into the executables collected during this analysis and perform dynamic analysis, reporting the variations among them.

On 2018-10-25

Popular Posts

Privacy Statement | Terms of Use