Operation “Armor Piercer” Targeted Attacks using Commercial RATs

upnorth

upnorth

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
Content source
https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html
What's New?
Cisco Talos recently discovered a malicious campaign targeting government employees and military personnel in the Indian sub-continent with two commercial and commodity RAT families known as NetwireRAT (aka NetwireRC) and WarzoneRAT (aka Ave Maria). The attackers delivered a variety of lures to their targets, predominantly posing as guides related to Indian governmental infrastructure and operations such as Kavach and I.T.-related guides in the form of malicious Microsoft Office documents (maldocs) and archives (RARs, ZIPs) containing loaders for the RATs. Apart from artifacts involved in the infection chains, we've also discovered the use of server-side scripts to carry out operational tasks such as sending out malicious emails and maintaining presence on compromised sites via web shells. This provides additional insight into the attacker's operational TTPs. Some of these lures and tactics utilized by the attackers bear a strong resemblance to the Transparent Tribe and SideCopy APT groups, including the use of compromised websites and fake domains.

How did it Work?
This campaign uses a few distinct, yet simple, infection chains. Most infections use a maldoc that downloads and instruments a loader. The loader is responsible for downloading or decrypting (if embedded) the final RAT payload and deploying it on the infected endpoint. In some cases, we've observed the use of malicious archives containing a combination of maldocs, loaders and decoy images. The RAT payloads are relatively unmodified, with the command and control (C2) IPs and domains being the most pivotal configuration information.

So What?
This campaign illustrates another instance of a highly motivated threat actor using a set of commercial and commodity RAT families to infect their victims. These RATs are packed with many features out-of-the-box to achieve comprehensive control over the infected systems. It is also highly likely that these malware families establish footholds into the victim's networks to deploy additional plugins and modules.
Click to expand...
Infection Chain.
The earliest instance of this campaign was observed in December 2020 utilizing malicious Microsoft Office documents (maldocs). These maldocs contain malicious VBA macros that download and execute the next stage of the infection — the malware loader. The maldocs' content ranges from security advisories, to meeting schedules, to software installation notes. These maldocs contain malicious macros that download and execute the next stage payload on the victim's endpoint. The final payload is usually a RAT that can perform a multitude of malicious operations on the infected endpoint. The maldocs pose as documents related to either meeting schedules pertinent to the victims, or as technical guides related to the Government of India's IT infrastructure. It is likely that these files are either delivered as attachments or links in spear-phishing emails where the verbiage is meant to social engineer the victims into opening the maldoc attachments or downloading them from an attacker-controlled link.
Click to expand...
The attackers have relied on a combination of compromised websites and fake domains to carry out their operations — a tactic similar to that of the Transparent Tribe APT group. However, what stands out in this campaign is the focus on compromising quasi-military or government-related websites to host malicious payloads. This might have been done to appear legitimate to victims and analysts.
Click to expand...
blog.talosintelligence.com

Operation “Armor Piercer:” Targeted attacks in the Indian subcontinent using commercial RATs

By Asheer Malhotra, Vanja Svajcer and Justin Thattil. * Cisco Talos is tracking a campaign targeting government personnel in India using themes and tactics similar to APT36 (aka Mythic Leopard and Transparent Tribe). * This campaign distributes malicious documents and archives to deliver the...
blog.talosintelligence.com blog.talosintelligence.com
 
  • Like
  • +Reputation
Reactions: Mercenary, Gandalf_The_Grey, Andy Ful and 4 others
You must log in or register to reply here.

Similar threads

Bot
    • Like
    • +Reputation
Security News New Phishing Attack Uses Clever Microsoft Office Trick to Deploy NetSupport RAT
Replies
0
Views
877
Security News
Bot
Bot
silversurfer
    • Like
    • +Reputation
MULTI#STORM Campaign Targets India and U.S. with Remote Access Trojans
Replies
0
Views
878
News Archive
silversurfer
silversurfer
silversurfer
    • Like
    • +Reputation
    • Wow
Fruity Trojan Uses Deceptive Software Installers to Spread Remcos RAT
Replies
4
Views
1,295
News Archive
Xeno1234
Xeno1234

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top