A group of attackers believed to be from Pakistan has been targeting Indian military personnel in a data theft campaign involving social engineering and unsophisticated malware.
The operation, dubbed “C-Major,” was uncovered by Trend Micro researchers while observing other targeted attacks. Experts discovered that the attackers managed to steal information from at least 160 military officers, attachés, consultants and resellers from India, including copies of passports and photo IDs, financial information, strategy and tactical documents, and personal photographs.
According to the security firm, the attacks started with a bogus email sent to the targeted individual. The emails purport to come from organizations such as India’s Ministry of Defense and they’re designed to trick recipients into opening an attached file that looks like a harmless document.
Once the document is opened, an Adobe Reader vulnerability is exploited and a Trojan is dropped onto the victim’s system. The malware allows the attackers to log keystrokes, steal passwords, record audio, exfiltrate files and capture screenshots.
Researchers determined that the attackers are not very sophisticated, because the malware is compiled to a Microsoft Intermediate Language (MSIL) binary using Visual Studio, which makes the Trojan easy to decompile.
The malware’s source code contained information on its command and control (C&C) servers, which, as Trend Micro discovered, had open directories where more than 16Gb of stolen information was stored.
One of the C&C servers, whose address had been hardcoded in the malware, was located in Pakistan, and used for both Windows and mobile versions of the threat. The same server is believed to have been used in an espionage operation aimed at the Android devices of Indian military personnel.
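The hardcoded C&C addresses are what let researchers pivot from the sample to the servers. As an added triage example (not Trend Micro's code and not tied to the real C-Major samples), the following script recovers URL and IPv4 candidates from a binary; it scans UTF-16LE strings as well as ASCII, because .NET stores its user strings as UTF-16 and plain ASCII string tools miss them. The byte blob is constructed for the demo, and the addresses in it are documentation-only values.

```python
import re
from typing import Dict, List

# Constructed stand-in for a compiled MSIL sample: one ASCII URL, one UTF-16LE
# URL (how a .NET user-string heap entry looks on disk) and one bare IPv4.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"http://c2.example.invalid/upload.php\x00\x00\x00\x00"
    + "https://198.51.100.23:8080/gate".encode("utf-16le") + b"\x00\x00"
    + b"\x7f\x01" + b"192.0.2.44\x00"
)

# Printable runs of at least 6 characters, ASCII and UTF-16LE respectively.
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-:]+(?:/[^\s\"']*)?")
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)


def extract_strings(blob: bytes) -> List[str]:
    """Return printable ASCII and UTF-16LE strings found anywhere in blob."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(blob)]
    found += [m.group().decode("utf-16le") for m in UTF16_RE.finditer(blob)]
    return found


def find_c2_candidates(blob: bytes) -> Dict[str, List[str]]:
    """Collect URL and IPv4 literals from the extracted strings.

    An IP that is part of a URL is reported under both keys, which is the
    behaviour an analyst usually wants when building a block list.
    """
    urls, ips = set(), set()
    for s in extract_strings(blob):
        urls.update(URL_RE.findall(s))
        ips.update(IPV4_RE.findall(s))
    return {"urls": sorted(urls), "ipv4": sorted(ips)}


def scan_file(path: str) -> Dict[str, List[str]]:
    """Convenience wrapper for a sample on disk."""
    with open(path, "rb") as fh:
        return find_c2_candidates(fh.read())


if __name__ == "__main__":
    for kind, values in find_c2_candidates(SAMPLE_BLOB).items():
        print(kind, values)
```

Candidates recovered this way are leads, not verdicts: confirm them against the decompiled code (or a sandbox's network capture) before turning them into blocks or detections.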
The fact that the server is located in Pakistan has led researchers to believe that at least some members of the hacker group are from this country, but Trend Micro says it hasn’t found any evidence that the data-theft campaign is sponsored by a nation state.
Another piece of evidence that has led experts to believe that the attackers are based in Pakistan is that the malware samples used by the group have been uploaded to VirusTotal and scanned multiple times from a user ID tied to Pakistan.
This campaign shows that even less sophisticated attackers can carry out successful operations, experts said.
“For those in charge of defending a corporate or organization network, this attack reinforces the fact that any user, regardless of rank or position, is susceptible in becoming the organization’s weakest security link,” Trend Micro said in a report detailing Operation C-Major. “As such, while network defenders should be prepared to help prevent, or minimize the damage of attacks, people who use the said network should likewise be knowledgeable of threats that could possibly come. The need for proper user awareness training is clear.”