    Rust-based malware targets Indian government entities

By techempire

Report, December 22, 2023, Editorial Department, Malware/Internet threats


    Indian government entities and the defense sector have been targeted by phishing campaigns designed to deliver Rust-based malware for intelligence gathering.

The activity was first detected in October 2023 and has been codenamed Operation RusticWeb by enterprise security company SEQRITE.

    “New Rust-based payloads and encrypted PowerShell commands have been used to exfiltrate confidential files to a web-based serving engine instead of a dedicated command and control (C2) server,” said security researcher Sathwik Ram Prakki.

Tactical overlaps have been identified between this cluster and the widely tracked "Transparent Tribe" and "SideCopy" groups, both of which are assessed to be linked to Pakistan.

SideCopy is also suspected to be a subordinate element of Transparent Tribe. Last month, SEQRITE detailed multiple campaigns launched by this threat actor against Indian government agencies to spread numerous Trojans, including AllaKore RAT, Ares RAT, and DRat.


Other recent attack chains documented by ThreatMon have used decoy Microsoft PowerPoint files and specially crafted RAR archives exploiting CVE-2023-38831 to spread malware that allows unrestricted remote access and control.

    ThreatMon noted earlier this year: “The SideCopy APT group’s infection chain involves multiple steps, each carefully planned to ensure a successful compromise.”

The latest set of attacks begins with phishing emails that use social engineering techniques to trick victims into interacting with malicious PDF files. These drop a Rust-based payload that enumerates the file system in the background while displaying decoy files to the victim.


In addition to collecting files of interest, the malware can also gather system information and transmit it to a C2 server, but it lacks the features of the more advanced stealer malware found in the cybercrime underground.

    A second infection chain discovered by SEQRITE in December used a similar multi-stage process, but replaced the Rust malware with a PowerShell script responsible for the enumeration and exfiltration steps.

Interestingly, the final-stage payload is launched through a Rust executable named "Cisco AnyConnect Web Helper". The collected information is ultimately uploaded to the oshi[.]at domain, an anonymous public file-sharing service called OshiUpload.
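The defender-side takeaway of the two chains above is that exfiltration went to a public file-sharing service rather than to a dedicated C2 server, so proxy logs, not C2 blocklists, are the place to look. The following is an added example (not code from the article, SEQRITE, or the malware) that scans web proxy records for sizeable uploads to such hosts. The log format and the sample lines are constructed for illustration; oshi.at is the one host the article names, and the set is meant to be extended from your own intelligence.

```python
"""Added example: flag uploads to anonymous file-sharing hosts in proxy logs.

Not part of the article or of SEQRITE's research. The log format below is an
assumed, constructed layout: timestamp client method host path status bytes_out
(bytes_out = request body size sent by the client).
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Hosts treated as anonymous file-sharing services. "oshi.at" comes from the
# article; everything else is for the operator to add (assumption).
FILE_SHARING_HOSTS = {"oshi.at"}

# Constructed sample log: one client pushes two large bodies to oshi.at,
# another client merely downloads a small file from it.
SAMPLE_LOG = """\
2023-12-20T10:02:11Z 10.20.1.15 GET www.example.gov.in /index.html 200 512
2023-12-20T10:05:43Z 10.20.1.15 POST oshi.at /upload 200 2457600
2023-12-20T10:06:02Z 10.20.1.15 POST oshi.at /upload 200 1048576
2023-12-20T10:07:30Z 10.20.1.22 GET oshi.at /abc123 200 4096
2023-12-20T10:09:01Z 10.20.1.15 GET www.example.gov.in /news 200 2048
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3}) (?P<bytes_out>\d+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or return None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = rec["host"].lower()
    rec["status"] = int(rec["status"])
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def matches_host(host: str, hosts=FILE_SHARING_HOSTS) -> bool:
    """True if host equals, or is a subdomain of, any watched host."""
    return any(host == h or host.endswith("." + h) for h in hosts)


def is_upload(rec: dict, min_bytes: int = 64 * 1024) -> bool:
    """Treat a POST/PUT with a body of at least min_bytes as an upload."""
    return rec["method"] in ("POST", "PUT") and rec["bytes_out"] >= min_bytes


def find_uploads_to_file_sharing(
    log_text: str, hosts=FILE_SHARING_HOSTS, min_bytes: int = 64 * 1024
) -> Dict[str, List[dict]]:
    """Return {client: [records]} for uploads to watched file-sharing hosts.

    Downloads from the same hosts are deliberately ignored: the signal here is
    data leaving the network, not the site being visited.
    """
    hits: Dict[str, List[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not matches_host(rec["host"], hosts):
            continue
        if is_upload(rec, min_bytes):
            hits[rec["client"]].append(rec)
    return dict(hits)


def summarize(hits: Dict[str, List[dict]]) -> Dict[str, dict]:
    """Collapse per-client hits into upload count and total bytes sent."""
    return {
        client: {"uploads": len(recs), "bytes_out": sum(r["bytes_out"] for r in recs)}
        for client, recs in hits.items()
    }


if __name__ == "__main__":
    for client, stats in summarize(find_uploads_to_file_sharing(SAMPLE_LOG)).items():
        print(f"ALERT {client}: {stats['uploads']} upload(s), "
              f"{stats['bytes_out']} bytes to file-sharing host(s)")
```

The byte threshold keeps small form posts from triggering; tune it per environment and pair the alert with process telemetry (a "Cisco AnyConnect Web Helper" binary that is not the real AnyConnect, or PowerShell launched from a PDF reader) to cut false positives.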

    “Operation RusticWeb may be related to the APT threat as it shares similarities with multiple groups linked to Pakistan,” Ram Prakki said.


Nearly two months ago, Cyble discovered a malicious Android app used by the DoNot Team to target individuals in Kashmir, India.

    The nation-state attacker, also known as APT-C-35, Origami Elephant and SECTOR02, is believed to be of Indian origin and has a history of using Android malware to infiltrate devices of people in Kashmir and Pakistan.

The variant examined by Cyble is a Trojanized version of an open source GitHub project called "QuranApp: Read and Explore". It is equipped with various spyware features and can record audio and VoIP calls, capture screenshots, collect data from various applications, download other APK files, and track the victim's location.

"The DoNot group's ongoing efforts to improve its tools and techniques underscore the ongoing threat they pose, particularly against individuals in India's sensitive Kashmir region," Cyble said.
