Cisco Talos researchers have warned that a threat actor is using commercial remote access Trojans (RATs) in a series of attacks on Indian government and military personnel. In a manner resembling the tactics of APT36 (also known as Mythic Leopard and Transparent Tribe) and SideCopy, both previously attributed to Pakistan and regarded as state-sponsored groups, the attackers used the Netwire and Warzone (AveMaria) RATs, with lures built around Kavach, the two-factor authentication (2FA) application of India's National Informatics Centre (NIC).
In the campaign, which Talos tracks as "Armor Piercer", the researchers observed the attackers using compromised websites and fake domains to host payloads, a tactic already associated with APT36.
The attackers delivered a variety of lures to their chosen targets as Office documents and archive files, mostly disguised as guidelines and documents related to the Indian government, including Kavach (Hindi for "armor").
As part of these attacks, the attackers also used server-side scripts to send the malicious emails and web shells to maintain covert access to the compromised websites.
The commercial RATs used in these attacks give the attacker full control of the target system and can also be used to deploy additional payloads across the compromised network.
The campaign appears to have been active since December 2020, initially using Microsoft Office documents carrying malicious VBA macros to fetch and execute malicious loaders, with a RAT as the usual final payload.
Between March and April 2021, downloaders were used to fetch and run the RAT payloads. In May 2021 a C#-based downloader that retrieved its payload from a decoy URL appeared, and in June Pastebin was used to host the payload. Throughout the campaign, a modified open-source project was used to load a .NET-based Trojan binary, which in turn loaded the RAT.
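The infection chain above starts with a macro-enabled Office document, so the first triage question for a suspicious attachment is whether it carries a VBA project at all. The script below is an added example written for this article, not Talos's tooling and not tied to any Armor Piercer sample: it inspects an Office file offline, distinguishes the modern OOXML (zip) container from the legacy OLE container, and flags an embedded `vbaProject.bin` part and the macro content-type override that accompanies it. The sample documents it checks are constructed in memory for demonstration.

```python
import io
import zipfile

# Magic bytes of the legacy OLE2 compound file (.doc/.xls) container.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type that OOXML declares for an embedded VBA project part.
MACRO_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def triage_office_document(data: bytes) -> dict:
    """Return a triage verdict for an Office document supplied as raw bytes.

    Keys: container ("ooxml", "ole" or "unknown"), has_vba_project,
    macro_content_type and the list of VBA parts found in the archive.
    """
    result = {
        "container": None,
        "has_vba_project": False,
        "macro_content_type": False,
        "vba_parts": [],
    }
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: macros live in OLE streams, not a zip part,
        # so hand it to an OLE-aware parser rather than declaring it clean.
        result["container"] = "ole"
        return result
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["container"] = "unknown"
        return result
    result["container"] = "ooxml"
    names = zf.namelist()
    # A VBA project is stored as vbaProject.bin under word/, xl/ or ppt/.
    vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
    result["vba_parts"] = vba_parts
    result["has_vba_project"] = bool(vba_parts)
    if "[Content_Types].xml" in names:
        result["macro_content_type"] = MACRO_CONTENT_TYPE in zf.read("[Content_Types].xml")
    return result


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML document for demonstration (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = (
            b'<?xml version="1.0"?>'
            b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            b'<Override PartName="/word/document.xml" ContentType="application/'
            b'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        )
        if with_macro:
            ct += b'<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        ct += b"</Types>"
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", b"<w:document/>")
        if with_macro:
            # The VBA part is itself an OLE container; a header is enough here.
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("macro document", build_sample(True)),
                        ("plain document", build_sample(False)),
                        ("legacy .doc", OLE_MAGIC + b"\x00" * 16)):
        print(label, triage_office_document(blob))
```

The check deliberately stops at "a VBA project is present": extracting and reading the macro source requires decompressing the VBA streams, which is a job for a dedicated parser. For triage, presence of `vbaProject.bin` in a document that arrives as an unsolicited "guideline" is already enough to route it for sandboxing.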
In addition to the Netwire and AveMaria RAT families, the adversary also deployed a custom .NET-based file enumerator module on compromised systems.
Netwire RAT lets attackers steal credentials from browsers, run commands, collect system information, manipulate files, enumerate and terminate processes, and log keystrokes.
AveMaria offers remote desktop functionality and can also capture webcam images, steal credentials from browsers and email clients, manipulate files, execute commands, log keystrokes, enumerate and terminate processes, and deploy reverse shells.
Talos researchers note that using these commodity RATs has a dual benefit for the attackers: it complicates attribution and saves the cost of developing custom implants. Starting in July 2021, however, they observed the custom file enumerator being deployed alongside the RATs, which suggests the attackers are expanding their toolset for use against their chosen victims, Indian military and government personnel.