A threat actor is employing commercial remote access Trojans (RATs) in a series of malicious attacks targeting Indian government and military personnel, Cisco’s Talos security researchers warn.
Showing similarities with the operations of APT36 (aka Mythic Leopard and Transparent Tribe) and SideCopy, the attacks employed the Netwire and Warzone (AveMaria) RATs, with lures themed around the Kavach two-factor authentication (2FA) application from India’s National Informatics Centre (NIC).
APT36 and SideCopy were previously linked to Pakistan and are believed to be state-sponsored threat groups.
As part of the new campaign, dubbed Operation Armor Piercer, the adversaries were observed using both compromised websites and fake domains for payload hosting, a tactic already associated with APT36.
The attackers delivered to their intended victims various lures in the form of Office documents and archive files, mainly posing as guides and documentation related to the Indian government’s architecture, including Kavach.
As part of these attacks, the adversary also used server-side scripts to send the malicious emails, and maintained access to the compromised websites through web shells.
The commodity RATs employed in these attacks provide the adversary with comprehensive control over the targeted systems and could also be used to deploy additional payloads onto the compromised network.
The campaign appears to have been ongoing since December 2020, employing Microsoft Office documents carrying malicious VBA macros designed to fetch and execute a malware loader. The final payload is usually a RAT.
Between March and April 2021, downloaders were used to fetch and run the RAT payloads; in May 2021, a C#-based downloader using a decoy URL was employed; and in June, Pastebin was used to host the payloads. Throughout the campaign, modified open-source projects were used to load trojanized .NET-based binaries, which in turn loaded the RATs.
In addition to the Netwire and AveMaria RAT families, the adversary also deployed custom .NET-based file enumerator modules onto the compromised systems.
The Netwire RAT allows the attacker to steal credentials from browsers, run commands, harvest system information, manipulate files, enumerate and kill processes, and perform keylogging.
AveMaria features remote desktop capabilities and can also capture images from the webcam, steal credentials from browsers and email applications, manipulate files, execute commands, log keystrokes, enumerate and terminate processes, and deploy reverse shells.
“The use of these RATs benefits an adversary twofold — it makes attribution difficult and saves the effort to create bespoke implants. Beginning in July 2021, however, we observed the deployment of the file enumerators alongside the RATs. This indicates that the attackers are expanding their malware arsenal to target their victims: military and government personnel in India,” Talos concludes.