
Attackers Target Indian Military in Data-Theft Campaign

A group of attackers believed to be from Pakistan has been targeting Indian military personnel in a data theft campaign involving social engineering and unsophisticated malware.

The operation, dubbed “C-Major,” was uncovered by Trend Micro researchers while observing other targeted attacks. Experts discovered that the attackers managed to steal information from at least 160 military officers, attachés, consultants and resellers from India, including copies of passports and photo IDs, financial information, strategy and tactical documents, and personal photographs.

According to the security firm, the attacks started with a bogus email sent to the targeted individual. The emails purport to come from organizations such as India’s Ministry of Defense and they’re designed to trick recipients into opening an attached file that looks like a harmless document.

Once the document is opened, an Adobe Reader vulnerability is exploited and a Trojan is dropped onto the victim’s system. The said piece of malware allows attackers to log keystrokes, steal passwords, record audio, steal files and capture screenshots.

Researchers determined that the attackers are not very sophisticated: the malware is a Microsoft Intermediate Language (MSIL) binary built with Visual Studio, which means the Trojan can easily be decompiled.

The malware’s source code contained information on its command and control (C&C) servers, which, as Trend Micro discovered, had open directories where more than 16Gb of stolen information was stored.

One of the C&C servers, whose address had been hardcoded in the malware, was located in Pakistan, and used for both Windows and mobile versions of the threat. The same server is believed to have been used in an espionage operation aimed at the Android devices of Indian military personnel.
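Because MSIL binaries keep their string literals as UTF-16LE in the #US heap, an ASCII-only strings pass misses exactly the kind of hard-coded C&C address described above. The following triage helper is an added example, not code from Trend Micro or the original article; it scans a constructed sample blob (placeholder indicators only) in both encodings and groups candidate network indicators for an analyst to review.

```python
import re
from typing import Dict, List

# Printable ASCII runs and UTF-16LE runs (each char followed by a NUL), 6+ chars.
_ASCII = re.compile(rb"[\x20-\x7e]{6,}")
_UTF16 = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
# Candidate indicator shapes; a hit is a lead for the analyst, not a verdict.
_URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")
_HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|info|pk|in)\b", re.IGNORECASE)


def extract_strings(blob: bytes) -> List[str]:
    """Return printable ASCII and UTF-16LE strings found anywhere in blob."""
    found = [m.group().decode("ascii") for m in _ASCII.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in _UTF16.finditer(blob)]
    return found


def find_c2_candidates(blob: bytes) -> Dict[str, List[str]]:
    """Group candidate network indicators by type, de-duplicated, in first-seen order."""
    out: Dict[str, List[str]] = {"url": [], "ipv4": [], "host": []}
    for s in extract_strings(blob):
        urls = _URL.findall(s)
        rest = _URL.sub(" ", s)  # avoid re-reporting a URL's host as a bare hostname
        for kind, hits in (("url", urls), ("ipv4", _IPV4.findall(rest)), ("host", _HOST.findall(rest))):
            for hit in hits:
                if hit not in out[kind]:
                    out[kind].append(hit)
    return out


# Constructed sample (not a real binary): an ASCII module name, two UTF-16LE
# literals as a C# compiler would store them, and a UTF-16LE IP:port. All
# indicator values are documentation/placeholder addresses.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"Project1.exe\x00"
    + "http://c2-placeholder.example/panel/upload.php".encode("utf-16-le") + b"\x00\x00"
    + "203.0.113.10:8080".encode("utf-16-le") + b"\x00\x00"
    + "update.placeholder-domain.net".encode("utf-16-le") + b"\x00\x00"
    + b"Mutex_Placeholder\x00"
)

if __name__ == "__main__":
    print(find_c2_candidates(SAMPLE))
```

Run the same function over a real sample's bytes to get a first list of addresses to cross-check against proxy and DNS logs; a decompiler (as the article notes, trivial for MSIL) then shows how each string is used.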

The fact that the server is located in Pakistan has led researchers to believe that at least some members of the hacker group are from this country, but Trend Micro says it hasn’t found any evidence that the data-theft campaign is sponsored by a nation state.


Another piece of evidence that has led experts to believe that the attackers are based in Pakistan is that the malware samples used by the group have been uploaded to VirusTotal and scanned multiple times from a user ID tied to Pakistan.

This campaign shows that even less sophisticated attackers can carry out successful operations, experts said.

“For those in charge of defending a corporate or organization network, this attack reinforces the fact that any user, regardless of rank or position, is susceptible to becoming the organization’s weakest security link,” Trend Micro said in a report detailing Operation C-Major. “As such, while network defenders should be prepared to help prevent, or minimize the damage of attacks, people who use the said network should likewise be knowledgeable of threats that could possibly come. The need for proper user awareness training is clear.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
