A Deep Dive into the Rust-Based Malware Targeting Indian Government Entities


Introduction

In a recent cybersecurity revelation, a malicious campaign named Operation RusticWeb has emerged as a significant threat to Indian government entities and the defense sector. Uncovered by enterprise security firm SEQRITE, this operation employs sophisticated phishing tactics and introduces novel techniques, showcasing a shift in the cybersecurity landscape.

The Rust-Based Malware Campaign

Identified in October 2023, Operation RusticWeb utilizes Rust-based malware with the primary objective of intelligence gathering. Unlike traditional attacks, this campaign avoids a conventional command-and-control (C2) server and opts for Rust-based payloads and encrypted PowerShell commands. The attackers exfiltrate confidential documents to a web-based service engine, adding a layer of complexity to the threat.

Security researcher Sathwik Ram Prakki highlights the use of new Rust-based payloads and encrypted PowerShell commands, emphasizing the departure from dedicated C2 servers in this operation.

Tactical Similarities and Threat Actors

Further analysis reveals tactical similarities between Operation RusticWeb and attacks associated with Transparent Tribe and SideCopy, both with strong ties to Pakistan. Previous campaigns outlined by SEQRITE implicated these threat actors in the delivery of trojans like AllaKore RAT, Ares RAT, and DRat to target Indian government bodies.

ThreatMon's documentation of recent attack chains uncovers the deployment of deceptive Microsoft PowerPoint files and specially crafted RAR archives. These tactics exploit vulnerabilities, such as CVE-2023-38831, facilitating malware delivery and granting attackers remote access and control.

Phishing Tactics and Infection Chains

The modus operandi of Operation RusticWeb begins with phishing emails, leveraging social engineering techniques to deceive victims into interacting with malicious PDF files. These files discreetly drop Rust-based payloads while displaying decoy content to the unsuspecting victim. The malware, in addition to collecting targeted files, is designed to gather system information and transmit it to the C2 server.

A different infection chain identified in December by SEQRITE follows a similar multi-stage process, replacing the Rust malware with a PowerShell script. This script manages enumeration and exfiltration, with the final-stage payload launched through a Rust executable named "Cisco AnyConnect Web Helper." The gathered information is then uploaded to the domain oshi[.]at, an anonymous public file-sharing engine known as OshiUpload.

Potential APT Link

Sathwik Ram Prakki emphasizes the potential link to an advanced persistent threat (APT), suggesting that Operation RusticWeb shares similarities with various Pakistan-linked groups. This adds a geopolitical dimension to the cyber threat landscape.

Parallel Threat: The DoNot Team's Android Malware

In a parallel discovery, cybersecurity researchers at Cyble uncovered a malicious Android app used by the DoNot Team. This group, also known as APT-C-35, Origami Elephant, and SECTOR02, is believed to have Indian origins and targets individuals in the sensitive Kashmir region.

The trojanized app, a variant of the open-source GitHub project "QuranApp: Read and Explore," is equipped with spyware features. It can record audio and VoIP calls, capture screenshots, gather data from various apps, download additional APK files, and track the victim's location.

Conclusion: The Ongoing Threat Landscape

The cybersecurity landscape continues to evolve, with Operation RusticWeb and the DoNot Team's Android malware highlighting the persistent and sophisticated nature of cyber threats. As threat actors refine their tools and techniques, heightened vigilance and robust cybersecurity measures are imperative to safeguard against these evolving and targeted attacks. The interconnected nature of these threats underscores the need for international cooperation and information sharing to effectively combat cyber adversaries.