Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Threat Actor Targets Indian Government With Commercial RATs

A threat actor is employing commercial remote access Trojans (RATs) in a series of malicious attacks targeting Indian government and military personnel, Cisco’s Talos security researchers warn.

A threat actor is employing commercial remote access Trojans (RATs) in a series of malicious attacks targeting Indian government and military personnel, Cisco’s Talos security researchers warn.

Showing similarities with the operations of APT36 (aka Mythic Leopard and Transparent Tribe) and SideCopy, the attacks employed the Netwire and Warzone (AveMaria) RATs, with lures themed around the Kavach two-factor authentication (2FA) application from India’s National Informatics Centre (NIC).

APT36 and SideCopy were previously linked to Pakistan and are believed to be state-sponsored threat groups.

As part of the new campaign, dubbed Operation Armor Piercer, the adversaries were observed using both compromised websites and fake domains for payload hosting, a tactic already associated with APT36.

The attackers delivered to their intended victims various lures in the form of Office documents and archive files, mainly posing as guides and documentation related to the Indian government’s architecture, including Kavach.

As part of these attacks, the adversary also used server-side scripts for sending malicious emails, and maintained presence on infected websites using web shells.

The commodity RATs employed in these attacks provide the adversary with comprehensive control over the targeted systems and could also be used to deploy additional payloads onto the compromised network.

The campaign appears to have been ongoing since December 2020, employing Microsoft Office documents carrying malicious VBA macros designed to fetch and execute a malware loader. The final payload is usually a RAT.

Between March and April 2021, downloaders were used to fetch and run the RAT payloads, in May 2021 a C#-based downloader using a decoy URL was employed, while in June, Pastebin was being used to host the payloads. Throughout the campaign, modified open-source projects were used to load trojanized .NET-based binaries that would then load the RATs.

In addition to the Netwire and AveMaria RAT families, the adversary also deployed custom .NET-based file enumerator modules onto the compromised systems.

The Netwire RAT allows the attacker to steal credentials from browsers, run commands, harvest system information, manipulate files, enumerate and kill processes, and perform keylogging.

AveMaria features remote desktop capabilities and can also capture images from the webcam, steal credentials from browsers and email applications, manipulate files, execute commands, log keystrokes, enumerate and terminate processes, and deploy reverse shells.

“The use of these RATs benefits an adversary twofold — it makes attribution difficult and saves the effort to create bespoke implants. Beginning in July 2021, however, we observed the deployment of the file enumerators alongside the RATs. This indicates that the attackers are expanding their malware arsenal to target their victims: military and government personnel in India,” Talos concludes.

Related: Russia-Linked Turla APT Uses New Backdoor in Latest Attacks

Related: The Ongoing Reciprocal Relationship Between APTs and Cybercriminals

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.