Rust-based malware targets Indian government agencies

Rust-Based Malware

Indian government agencies and the defense sector are being targeted by a phishing campaign designed to deliver Rust-based malware for intelligence gathering.

The activity, which was first detected in October 2023, has been codenamed Operation RusticWeb by corporate security company SEQRITE.

“New Rust-based payloads and encrypted PowerShell commands have been used to exfiltrate confidential documents to a web-based service engine, instead of a dedicated command-and-control (C2) server,” security researcher Sathwik Ram Prakki said.

Tactical overlaps have been discovered between the cluster and the clusters widely tracked under the names Transparent Tribe and SideCopy, both of which are believed to be linked to Pakistan.

SideCopy is also believed to be a subordinate element within Transparent Tribe. Last month, SEQRITE detailed multiple campaigns undertaken by the threat actor targeting Indian government agencies to deliver numerous Trojans such as AllaKore RAT, Ares RAT, and DRat.

Other recent attack chains documented by ThreatMon have used decoy Microsoft PowerPoint files as well as specially crafted RAR archives susceptible to CVE-2023-38831 to deliver malware that allows unrestricted remote access and control.

“SideCopy APT Group’s infection chain involves multiple steps, each carefully orchestrated to ensure a successful compromise,” ThreatMon noted earlier this year.

The latest wave of attacks starts with a phishing email, using social engineering techniques to trick victims into interacting with malicious PDF files that drop Rust-based payloads for file system enumeration in the background while the decoy file is displayed to the victim.


Besides collecting interesting files, the malware is equipped to collect system information and send it to the C2 server, but lacks the features of other advanced stealer malware available in the cybercrime industry.

A second infection chain identified by SEQRITE in December uses a similar multi-stage process, but replaces the Rust malware with a PowerShell script that handles the enumeration and exfiltration steps.

But in an interesting twist, the payload is launched in the final stage via a Rust executable called ‘Cisco AnyConnect Web Helper’. The collected information is ultimately uploaded to the oshi[.]at domain, an anonymous public file-sharing service called OshiUpload.
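The chain described above has two observable points for defenders: PowerShell started by a document viewer with an encoded or obfuscated command line (the article describes the commands as encrypted; encoded launches are the counterpart that shows up in process telemetry), and a large upload to an anonymous file-sharing service rather than a C2 server. The following Python sketch is an added example, not code from the original article or from SEQRITE's research: it runs both checks over constructed sample telemetry. Only the oshi.at domain comes from the article; the log formats, field layouts, size threshold, parent process name and sample events are assumptions.

```python
"""Detection sketch for the exfiltration pattern described in the article.

Check 1: proxy logs, large POST uploads to anonymous public file-sharing services.
Check 2: process events, PowerShell launched with an encoded command line, with
         the command decoded so an analyst can read what it does.
Log formats and event fields are constructed assumptions, not a real product's.
"""
import base64
import re
from urllib.parse import urlparse

# Domain named in the article; defenders extend this set with their own list.
FILE_SHARING_DOMAINS = {"oshi.at"}
# Uploads at or above this many bytes are flagged (assumed value; tune per site).
UPLOAD_BYTES_THRESHOLD = 1_000_000

# Constructed proxy log lines: timestamp src_ip method url status bytes_sent
PROXY_LOG = """\
2023-12-04T10:15:22Z 10.1.2.33 GET https://www.example.com/news 200 1842
2023-12-04T10:16:05Z 10.1.2.33 POST https://oshi.at/ 200 5832011
2023-12-04T10:16:40Z 10.1.2.51 POST https://intranet.example.local/upload 200 7400000
2023-12-04T10:17:01Z 10.1.2.33 GET https://files.oshi.at/abcd 200 512
"""


def flag_file_sharing_uploads(log_text, threshold=UPLOAD_BYTES_THRESHOLD):
    """Return (src_ip, host, bytes) for POSTs to listed domains at/above threshold."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # malformed line in the constructed format, skip it
        _ts, src, method, url, _status, size = parts
        host = (urlparse(url).hostname or "").lower()
        # Match the listed domain itself and any subdomain of it.
        listed = any(host == d or host.endswith("." + d) for d in FILE_SHARING_DOMAINS)
        if method == "POST" and listed and int(size) >= threshold:
            hits.append((src, host, int(size)))
    return hits


# powershell.exe accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -en, -enc ...).
# The argument is base64 of the UTF-16LE encoded script text.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+(\S+)")

# Constructed sample: the encoded argument is built here from plain text so the
# example does not ship a hand-typed blob.
SAMPLE_COMMAND = r"Get-ChildItem -Recurse $env:USERPROFILE\Documents -Include *.pdf,*.docx"
_ENCODED = base64.b64encode(SAMPLE_COMMAND.encode("utf-16le")).decode("ascii")

# Constructed process-creation events; AcroRd32.exe stands in for the PDF reader
# that displays the decoy while the payload runs (assumed parent).
PROCESS_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1"},
    {"parent": "AcroRd32.exe", "image": "powershell.exe",
     "cmdline": f"powershell.exe -w hidden -enc {_ENCODED}"},
]


def decode_encoded_powershell(cmdline):
    """Return the decoded script text if cmdline carries an encoded command, else None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed blob: still worth a look, but nothing to show


def flag_encoded_powershell(events):
    """Return parent process and decoded text for every PowerShell encoded launch."""
    findings = []
    for ev in events:
        if ev["image"].lower() != "powershell.exe":
            continue
        decoded = decode_encoded_powershell(ev["cmdline"])
        if decoded is not None:
            findings.append({"parent": ev["parent"], "decoded": decoded})
    return findings


if __name__ == "__main__":
    for src, host, size in flag_file_sharing_uploads(PROXY_LOG):
        print(f"upload of {size} bytes from {src} to {host}")
    for f in flag_encoded_powershell(PROCESS_EVENTS):
        print(f"encoded PowerShell from {f['parent']}: {f['decoded']}")
```

Both checks are deliberately coarse: the upload rule only matters once the domain list reflects the services an organisation does not use for business, and the PowerShell rule surfaces every encoded launch, so the parent process (a document viewer versus an administration tool) is what separates this chain from routine scripting.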

“Operation RusticWeb could be linked to an APT threat as it has similarities with several Pakistan-affiliated groups,” Ram Prakki said.

The revelation comes almost two months after Cyble discovered a malicious Android app used by the DoNot team that targeted individuals in India’s Kashmir region.

The nation-state actor, also known as APT-C-35, Origami Elephant and SECTOR02, is believed to be of Indian origin and has a history of using Android malware to infiltrate people’s devices in Kashmir and Pakistan.

The variant examined by Cyble is a trojanized version of an open-source GitHub project called “KoranApp: read and discover” which is equipped with a wide range of spyware features to record audio and VoIP calls, take screenshots, collect data from various apps, download additional APK files and track the location of the victim.

“The DoNot group’s continued efforts to refine their tools and techniques underscore the continued threat they pose, especially in their attacks on individuals in India’s sensitive Kashmir region,” Cyble said.
