
Malware programs with remote access targeted Indian govt, defence personnel: Report

Operation Armor Piercer marks another instance of highly motivated threat actors targeting India’s government agencies.

Malicious documents that deliver remote access trojans (RATs) were allegedly distributed to personnel at several Indian government and defence agencies in order to access confidential information, Cisco Talos claimed in a report.

The hacking operation, termed “Armor Piercer”, uses two RATs, Netwire RAT and WarzoneRAT (also known as Ave Maria), and was first observed in December 2020. According to the Cisco Talos report, the malicious documents masqueraded as material related to the Indian government’s Kavach application.

What is Kavach? Kavach is a two-factor authentication application that government employees use to access their official email. Several Kavach user guides issued by the Indian government are publicly available on the internet, and the malicious documents were modelled on them.

Operation Armor Piercer is a grim reminder of the vulnerabilities still existing in our cybersecurity posture. To ensure end-to-end security of India’s assets and information, government and defence agencies must implement a layered defence strategy that enables visibility and coverage across all endpoints. — Vishak Raman, Director, Security Business, Cisco India

MediaNama has reached out to the Indian Computer Emergency Response Team with queries pertaining to the alleged attack. The post will be updated when we receive a response.

Operation Armor Piercer is another instance of highly motivated threat actors using a set of RAT families to infect their victims. These RATs come with many out-of-the-box features that give an attacker complete control over infected systems. Because Netwire and Warzone are commodity RATs sold to many buyers, their use also makes it harder to attribute an operation to the threat actors behind it.


What do these malware documents contain?

The maldocs pose as documents related to either meeting schedules pertinent to the victims, or as technical guides related to the Government of India’s IT infrastructure. It is likely that these files are either delivered as attachments or links in spear-phishing emails where the verbiage is meant to social engineer the victims into opening the maldoc attachments or downloading them from an attacker-controlled link — Cisco Talos report

These are some of the file names used:

  • Security-Updates.docm
  • Online meeting schedule for OPS.doc
  • schedule2021.docm

In other cases, Cisco Talos found that these maldocs were fashioned after security advisories, meeting schedules, and software installation files.

How does it work?

  • When a target opens one of these documents, the payload embedded in it runs. The .docm extension on several of the lures marks a macro-enabled Word file, so this first stage is typically a VBA macro that executes when the document is opened.
  • That payload acts as a downloader: it fetches the malware from a remote, attacker-controlled location. “Throughout March and April 2021, the attackers utilized downloaders to download and execute the RAT payloads from remote locations,” the report said.
  • The downloaded RAT is then executed on the victim’s machine, giving the attacker remote control over it.

The Netwire and AveMaria RAT families are eventually downloaded and executed on the victim machine. In some cases, we’ve also discovered the deployment of custom .NET-based file enumerator modules that generate and exfiltrate file path listings of specific file extensions on the infected systems – Cisco Talos report

Source: Cisco Talos
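The first link in the chain above, a macro-enabled Office document that acts as a downloader, is the one a mail gateway or incident responder can triage without running anything. The following Python script is an added example, not code from the Cisco Talos report or from MediaNama, and the sample documents it scans are constructed in memory. It checks whether an attachment carries a VBA project at all (for .docm, a `word/vbaProject.bin` entry in the OOXML zip; for legacy .doc, the `Macros` and `_VBA_PROJECT` directory names in the OLE container) and then looks for auto-execution entry points (`AutoOpen`, `Document_Open`) next to download-and-execute API names (`URLDownloadToFile`, `Shell`), which is the combination a downloader macro needs. The regular expressions and the three-level verdict are this example’s own choices, not indicators published by Talos.

```python
"""Static triage of Office attachments for a macro-based downloader stage.

Added example for the Armor Piercer infection chain; not from Cisco Talos.
All sample files below are constructed stand-ins, not real maldocs.
"""
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc container header

# Heuristic indicator sets chosen for this example (not from the report).
AUTOEXEC = re.compile(rb"AutoOpen|Auto_Open|Document_Open|Workbook_Open", re.I)
DOWNLOAD_EXEC = re.compile(
    rb"URLDownloadToFile|XMLHTTP|WScript\.Shell|Shell|CreateObject|powershell", re.I)


def build_sample_docm(with_macro: bool) -> bytes:
    """Constructed .docm (an OOXML zip). A real vbaProject.bin is an OLE file
    whose module source is MS-OVBA compressed; this stand-in simply carries the
    names the string heuristic looks for. It is not a working macro."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin",
                       OLE_MAGIC + b" Sub AutoOpen() URLDownloadToFile Shell End Sub")
    return buf.getvalue()


def build_sample_doc(with_macro: bool) -> bytes:
    """Constructed stand-in for a legacy .doc: OLE magic plus the UTF-16LE
    directory-entry names that a VBA project adds to the container."""
    body = OLE_MAGIC + b"\x00" * 64
    if with_macro:
        body += "Macros".encode("utf-16-le") + "_VBA_PROJECT".encode("utf-16-le")
    return body


def triage(data: bytes) -> dict:
    """Classify an attachment as 'clean', 'review' (a VBA project is present)
    or 'block' (auto-exec entry point plus download/exec API names)."""
    r = {"container": "unknown", "macro_enabled": False,
         "autoexec": [], "download_exec": [], "verdict": "unknown"}
    vba = b""
    if data.startswith(b"PK"):
        r["container"] = "ooxml"
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            if "word/vbaProject.bin" in z.namelist():
                r["macro_enabled"] = True
                vba = z.read("word/vbaProject.bin")
    elif data.startswith(OLE_MAGIC):
        r["container"] = "ole"
        # Stream names live in the OLE directory as UTF-16LE; this is a cheap
        # presence check, not a parse of the compound file structure.
        if ("_VBA_PROJECT".encode("utf-16-le") in data
                or "Macros".encode("utf-16-le") in data):
            r["macro_enabled"] = True
            vba = data
    else:
        return r  # neither container: outside this example's scope

    r["autoexec"] = sorted({m.decode().lower() for m in AUTOEXEC.findall(vba)})
    r["download_exec"] = sorted({m.decode().lower() for m in DOWNLOAD_EXEC.findall(vba)})
    if r["autoexec"] and r["download_exec"]:
        r["verdict"] = "block"
    elif r["macro_enabled"]:
        r["verdict"] = "review"
    else:
        r["verdict"] = "clean"
    return r


if __name__ == "__main__":
    for name, blob in [("schedule2021.docm (macro)", build_sample_docm(True)),
                       ("schedule2021.docm (no macro)", build_sample_docm(False)),
                       ("Online meeting schedule for OPS.doc", build_sample_doc(True))]:
        print(name, "->", triage(blob))
```

Two caveats a practitioner should keep in mind. First, the string scan only works here because the sample is uncompressed; in a real `vbaProject.bin` the module source is MS-OVBA compressed, so `AutoOpen` or `URLDownloadToFile` will usually not appear as plain bytes, and a tool such as oletools’ `olevba` that decompresses the VBA streams is needed for the `block` decision. Second, the "any VBA project present" check that yields `review` is still the robust signal: a meeting schedule or a Kavach user guide has no legitimate reason to carry macros, so a policy that quarantines macro-enabled attachments from external senders catches this chain regardless of how the macro body is obfuscated.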

What can the malware do?

This is what Netwire RAT (one of the two RATs identified by Cisco Talos) can do:

  • Steal credentials from browsers
  • Execute arbitrary commands
  • Gather system information
  • Conduct file management operations such as write, read, copy, delete files, etc
  • Enumerate, terminate processes
  • Keylogging

AveMaria RAT can do a whole lot more, such as:

  • Let the attacker log in to the remote machine without the user noticing
  • Control the computer remotely at 60 FPS using mouse and keyboard
  • Escalate the attacker to administrator privileges with a single click
  • Recover passwords from popular browsers and email clients in seconds. Supported browsers and clients include Chrome, Firefox, Internet Explorer, Edge, Epic, UC, QQ, Opera, Blisk, SRWare, Dragon, Torch, Slimjet, Cent, Outlook, Thunderbird, and Foxmail.
  • Enable automatic password recovery, so that harvested passwords are sent to the attacker without any further interaction
  • Upload and download files at high speed
  • Browse the Internet through the remote computer’s IP address
  • View the live stream of any webcam connected to the remote computer, and view the keys pressed on it in real time

What is India’s cybersecurity strategy?

There has been a recent spurt in cyber attacks on India, including alleged attacks by Chinese state actors. As of today, India still has no data protection law, and the National Cyber Security Strategy, which has been in the pipeline since 2019, has yet to be finalised.


Written By

Among other subjects, I cover the increasing usage of emerging technologies, especially for surveillance in India

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
