Researchers Warn of Kavach 2FA Phishing Attacks Targeting Indian Govt. Officials
2022-12-23 11:14

A new targeted phishing campaign has zoomed in on a two-factor authentication solution called Kavach that's used by Indian government officials.

"LNK files are used to initiate code execution which eventually downloads and runs a malicious C# payload, which functions as a remote access trojan," Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a new report.

The latest attack sequence observed by Securonix over the past couple of weeks entails using phishing emails to lure potential victims into opening a shortcut file to execute a remote.

HTA file leads to the execution of obfuscated JavaScript code that's designed to show a decoy image file that features an announcement from the Indian Ministry of Defence a year ago in December 2021.

The exfiltration component also includes an option to specifically search for a database file created by the Kavach app on the system to store the credentials.

It's worth noting that the aforementioned infection chain was disclosed by the MalwareHunterTeam in a series of tweets on December 8, 2022, describing the remote access trojan as MargulasRAT. "Based on correlated data from the binary samples obtained of the RAT used by the threat actors, this campaign has been going on against Indian targets undetected for the last year," the researchers said.


News URL

https://thehackernews.com/2022/12/researchers-warn-of-kavach-2fa-phishing.html