Operation “Armor Piercer” Targeted Attacks using Commercial RATs


Thread author
Staff member
Malware Hunter
Jul 27, 2015
What's New?
Cisco Talos recently discovered a malicious campaign targeting government employees and military personnel in the Indian sub-continent with two commercial and commodity RAT families known as NetwireRAT (aka NetwireRC) and WarzoneRAT (aka Ave Maria). The attackers delivered a variety of lures to their targets, predominantly posing as guides related to Indian governmental infrastructure and operations such as Kavach and I.T.-related guides in the form of malicious Microsoft Office documents (maldocs) and archives (RARs, ZIPs) containing loaders for the RATs. Apart from artifacts involved in the infection chains, we've also discovered the use of server-side scripts to carry out operational tasks such as sending out malicious emails and maintaining presence on compromised sites via web shells. This provides additional insight into the attacker's operational TTPs. Some of these lures and tactics utilized by the attackers bear a strong resemblance to the Transparent Tribe and SideCopy APT groups, including the use of compromised websites and fake domains.

How did it Work?
This campaign uses a few distinct, yet simple, infection chains. Most infections use a maldoc that downloads and instruments a loader. The loader is responsible for downloading or decrypting (if embedded) the final RAT payload and deploying it on the infected endpoint. In some cases, we've observed the use of malicious archives containing a combination of maldocs, loaders and decoy images. The RAT payloads are relatively unmodified, with the command and control (C2) IPs and domains being the most pivotal configuration information.

So What?
This campaign illustrates another instance of a highly motivated threat actor using a set of commercial and commodity RAT families to infect their victims. These RATs are packed with many features out-of-the-box to achieve comprehensive control over the infected systems. It is also highly likely that these malware families establish footholds into the victim's networks to deploy additional plugins and modules.
Infection Chain.
The earliest instance of this campaign was observed in December 2020 utilizing malicious Microsoft Office documents (maldocs). These maldocs contain malicious VBA macros that download and execute the next stage of the infection — the malware loader. The maldocs' content ranges from security advisories, to meeting schedules, to software installation notes. These maldocs contain malicious macros that download and execute the next stage payload on the victim's endpoint. The final payload is usually a RAT that can perform a multitude of malicious operations on the infected endpoint. The maldocs pose as documents related to either meeting schedules pertinent to the victims, or as technical guides related to the Government of India's IT infrastructure. It is likely that these files are either delivered as attachments or links in spear-phishing emails where the verbiage is meant to social engineer the victims into opening the maldoc attachments or downloading them from an attacker-controlled link.
The attackers have relied on a combination of compromised websites and fake domains to carry out their operations — a tactic similar to that of the Transparent Tribe APT group. However, what stands out in this campaign is the focus on compromising quasi-military or government-related websites to host malicious payloads. This might have been done to appear legitimate to victims and analysts.