Cisco Talos recently discovered a malicious campaign targeting government employees and military personnel in India, using commercial Remote Access Trojans (RATs).

Attackers targeted their victims with two commercial and commodity families known as NetwireRAT (aka NetwireRC) and WarzoneRAT (aka Ave Maria).

In a recent blog post, Cisco Talos researchers detailed their findings on how Armor Piercer distributes malicious documents to deliver Remote Access Trojans (RATs) and gain access to highly confidential information related to government and defence agencies.

RATs are used by attackers to gain full control of a user's system.

Simple infection chains used

According to the blog, the campaign leveraged relatively simple and straightforward infection chains to infect a user's system unlike other APT attacks.

"The attackers have not developed bespoke malware or infrastructure management scripts to carry out their attacks, but the use of pre-baked artefacts doesn’t diminish the lethality of these attacks," read the blog.

"In fact, ready-made artefacts such as commodity or cracked RATs and mailers allow the attackers to rapidly operationalise new campaigns while focusing on their key tactic: tricking victims into infecting themselves," it added.

Luring users with 'Kavach'

As part of the campaign, cyber attackers lured their victims using resources around operational documents pertaining to “Kavach”, a two-factor authentication (2FA) app operated by India’s National Informatics Centre (NIC) and used by government employees to access their e-mails.

It utilised compromised websites and fake domains to host malicious payloads.

The earliest instance of this campaign was observed in December 2020, where attackers used malicious MS Office documents known as maldocs, disguised as security advisories, meeting schedules, software installation guides, etc.

In the case of most infections, maldocs are used for download and instruments a loader. The loader is then responsible for downloading or decrypting (if embedded) the final RAT payload and deploying it on the infected endpoint. In some cases, the team observed the use of malicious archives containing a combination of maldocs, loaders and decoy images.

"As with all advanced threats that are rapidly becoming more sophisticated, this campaign was found to be using multiple techniques and evolved to obfuscate itself and remain in the victim’s environment, evading standard detection techniques – it continues to operate even today," it said.

The RATs used by the attackers included multiple out-of-the-box features, to gain complete control over the infected systems.

"In addition, since July 2021, Talos researchers have also observed the deployment of file enumerators alongside RATs, indicating that the attackers are expanding their arsenal to target their victims," it said.

Vishak Raman, Director, Security Business, Cisco India and SAARC, said, “Operation Armor Piercer is a grim reminder of the vulnerabilities still existing in our cybersecurity posture."

"To ensure the end-to-end security of India’s most precious assets and information, government and defence agencies must implement a layered defence strategy that enables comprehensive visibility and coverage across all endpoints, accelerates response by leveraging automation and orchestration to enrich data, and reduces massive data sets into actionable insights through AI/ML and data analytics. Essentially, security must not be bolted on, rather built into every system and process to ensure infallible protection of people and assets," said Raman.

There is no one solution to such cybersecurity issues. A layered defence system is necessary for organisations to thwart such attacks.

Related Topics
comment COMMENT NOW