Cisco Talos recently discovered a malicious campaign targeting government and military personnel in India, using commercial Remote Access Trojans (RATs).
The attackers targeted their victims with two commercial and commodity families known as NetwireRAT (aka NetwireRC) and WarzoneRAT (aka Ave Maria).
In a recent blog post, Cisco Talos researchers detailed their findings on how Armor Piercer distributes malicious documents to deliver Remote Access Trojans (RATs) and gain access to highly confidential agency-related information. government and defense.
RATs are used by attackers to gain full control of a user’s system.
Simple infection chains used
According to the blog, the campaign used relatively simple and straightforward chains of infection to infect a user’s system unlike other APT attacks.
“The attackers did not develop malware or bespoke infrastructure management scripts to carry out their attacks, but the use of prefabricated artifacts does not decrease the lethality of these attacks,” it reads. the blog.
“In fact, out-of-the-box artifacts such as RATs and commodity or cracked shippers allow attackers to quickly operationalize new campaigns while focusing on their key tactic: getting victims to infect themselves. themselves, “he added.
Attract users with ‘Kavach’
As part of the campaign, cyber attackers lured their victims by using resources around operational documents relating to “Kavach”, a two-factor authentication (2FA) application operated by the National Informatics Center (NIC) of India and used by government employees to access their e-mail.
It used compromised websites and fake domains to host malicious payloads.
The first example of this campaign was seen in December 2020, where attackers used malicious MS Office documents called maldocs, disguised as security advisories, meeting calendars, software installation guides, etc.
In the case of most infections, maldocs are used for downloading and instrumenting a loader. The loader is then responsible for downloading or decrypting (if integrated) the final RAT payload and deploying it to the infected endpoint. In some cases, the team observed the use of malicious archives containing a combination of maldocs, loaders, and decoy images.
“As with all advanced threats that are quickly becoming more sophisticated, this campaign has been found to use multiple techniques and has evolved to mask itself and remain in the victim’s environment, bypassing standard detection techniques – it continues to work even today, “he said.
The RATs used by attackers included several out-of-the-box features to gain complete control over infected systems.
âAdditionally, since July 2021, Talos researchers have also observed the deployment of file enumerators alongside RATs, indicating that attackers are expanding their arsenal to target their victims,â he said.
Vishak Raman, Director of Security Activities, Cisco India and SAARC, said: âOperation Armor Piercer is a grim reminder of the vulnerabilities still existing in our cybersecurity posture. “
âTo ensure the end-to-end security of India’s most valuable assets and information, government and defense agencies must implement a layered defense strategy that enables comprehensive visibility and coverage at all points. termination, accelerate response by leveraging automation and orchestration to enrich data, and reduce massive datasets into actionable insights through AI / ML and data analytics. Essentially, security should not be built in, but rather built into every system and process to ensure foolproof protection of people and assets, âRaman said.
There is no single solution to these cybersecurity problems. A layered defense system is needed for organizations to thwart such attacks.