January 21, 2016
During the last three months, Symantec has observed malicious emails claiming to be from the Income Tax Department of India. There have been at least two types of emails in circulation. While each email differs in its template, the goal is the same: to infect computers with an information-stealing Trojan that logs keystrokes. The Trojan also collects system information, such as the titles of open windows and the operating system version, and sends it back to the attacker’s command and control (C&C) server.
Symantec Security Response has observed two types of emails masquerading as the Indian Income Tax Department. The most popular type announces that thousands of rupees have been deducted from the recipient’s bank account as a tax payment. The emails also contain an attached file that claims to be a receipt for the payment. The alleged receipts are .zip files that contain information-stealing malware that Symantec detects as Infostealer.Donx.