The threat actors exfiltrate sensitive documents via a web-based service engine, adding a layer of sophistication to their cyber-espionage tactics.
New Delhi, January 2024: Seqrite, the enterprise arm of global cybersecurity solutions provider Quick Heal, has unearthed ‘Operation RusticWeb’, a highly sophisticated cyber-espionage campaign meticulously orchestrated to target various personnel within the Indian government. While uncovering this cyber-espionage campaign, the researchers at Seqrite Labs, the cybersecurity research and response division of Quick Heal and India’s largest malware detection facility, have highlighted an alarming evolution in the tactics employed by threat actors.
Since October 2023, Seqrite Labs’ APT-Team has been diligently investigating the intricacies of Operation RusticWeb, uncovering a multifaceted approach that combines cutting-edge techniques and new-age programming languages. The campaign employs Rust-based malware and encrypted PowerShell commands, demonstrating a strategic shift towards more advanced and evasive methods of exfiltrating confidential documents.
The campaign is initiated with a phishing campaign targeting government personnel. Threat actors have exploited both compromised and fake domains to host malicious payloads and decoy files, ranging from IPR forms to fake domains mimicking prestigious organizations like the Army Welfare Education Society (AWES). The decoy files, designed to lure victims into the malicious web, include forms related to the Defense Services Officers Provident Fund and presentations on initiatives with the Ministry of Defense.
Operation RusticWeb uses Rust-based payloads and encrypted PowerShell commands. The threat actors exfiltrate sensitive documents via a web-based service engine, adding a layer of sophistication to their cyber-espionage tactics. The first observed infection chain heavily relied on Rust-based payloads, with a malicious shortcut file triggering an elaborate sequence leading to the exfiltration of sensitive data. The second infection chain, observed in December, deployed maldocs using encrypted PowerShell commands, showcasing the threat actors’ versatility and adaptability.
The final payload of Operation RusticWeb is rust-based malware that operates as a data stealer. This sophisticated malware not only steals files but also collects system information, ensuring extensive reconnaissance capability. The threat actors employ an anonymous public file-sharing engine, OshiUpload, for data exfiltration, avoiding the conventional use of dedicated command-and-control servers.
Operation RusticWeb is a prime example of the departure of threat actors from conventional cyber-attack methodologies and the adoption of newer programming languages such as Golang, Rust, and Nim, since they provide cross-compatibility and increase the difficulty of detection. The campaign draws parallels with Pakistan-linked APT groups, specifically Transparent Tribe (APT36) and SideCopy, underscoring the possibility of a larger, orchestrated cyber-espionage effort.
In the wake of rapidly evolving cyberthreats, Seqrite urges heightened caution and emphasizes the importance of implementing robust cybersecurity measures. The company remains committed to staying at the forefront of cybersecurity research, providing critical insights to safeguard individuals, organizations, and governments against evolving cyber threats.
Do Follow: CIO News LinkedIn Account | CIO News Facebook | CIO News Youtube | CIO News Twitter
About us:
CIO News, a proprietary of Mercadeo, produces award-winning content and resources for IT leaders across any industry through print articles and recorded video interviews on topics in the technology sector such as Digital Transformation, Artificial Intelligence (AI), Machine Learning (ML), Cloud, Robotics, Cyber-security, Data, Analytics, SOC, SASE, among other technology topics.
