A sophisticated campaign, Operation FlightNight, targeted Indian government sectors, including Defence, IT and Energy, starting on March 7, using advanced techniques and modified open-source tools.
The attack vector employed by the threat actor involved using a modified version of HackBrowserData, an open-source information stealer software tool. This modified tool was concealed within a phishing email crafted to deceive the receiver, posing as an invitation letter from the Indian Air Force.
Upon opening the attached ISO file, victims encounter a malicious LNK file disguised as an invitation letter. Executing this LNK file triggers the deployment of the hidden malware, initiating the exfiltration of sensitive data from victim devices.
“Analysts identified that multiple government entities in India have been targeted, including agencies responsible for electronic communications, IT governance, and national defence,” said the Cybersecurity analysts at EclecticIQ.
The malicious software generates a TXT file named Bkdqqxb.txt within the %TEMP% directory, employing it as a mutex to hinder concurrent instances on the host system. The file and web browser names are stored in an encoded format, which is dynamically decoded during the malware’s execution.
Furthermore, the cached web browser data was stored in the file path C:\Users\Public\results.zip. Subsequently, this file was transmitted to Slack channels controlled by the attacker using the files.upload API method.
To exfiltrate data, the attackers utilised Slack channels, each of them named ‘FlightNight’. Routing the traffic through a legitimate communication platform allowed the threat actors to upload a vast amount of stolen data, including several confidential documents, private email chats, and cached web browser data.
The 8.81 GB of exfiltrated data comprised a wide range of sensitive information, such as financial documents, employee details, and operational data related to oil and gas.
The researchers identified behavioural similarities between Operation FlightNight and a previously reported attack in January. These similarities strongly indicate a connection between these two incidents, leading the researchers to conclude that the motive behind the attack was cyber espionage.
The threat actor’s utilisation of a modified version of HackBrowserData showcased their ability to enhance open-source tools with new functionalities, such as communication through Slack channels, document stealing capabilities, and evasion techniques.
EclecticIQ researchers collaborated with Indian authorities to share intelligence and assist in victim identification. Additionally, the researchers advised organisations to implement security measures such as disabling password caching and auto-completion of usernames in web browsers, enabling two-factor authentication, monitoring ISO mounting events, and detecting anomalous network traffic to unknown Slack channels.
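The host and network indicators described above (the Bkdqqxb.txt mutex file under %TEMP%, the C:\Users\Public\results.zip staging archive, ISO mounts, and uploads to Slack's files.upload endpoint) map directly onto the monitoring advice in the last paragraph. The following is an added example, not EclecticIQ's or the article's code, that runs those checks over a handful of constructed, simplified log records and correlates hits per host. The record field names (`provider`, `event_id`, `target`, `url`, `process`), the use of Sysmon event 11 for file creation, and the assumption that VHDMP mount events reach the log pipeline are assumptions about a generic collection setup; the executable name `invite.exe` is a constructed placeholder, not something the article names.

```python
"""Detection sketch for the Operation FlightNight indicators reported above.

Added example; not EclecticIQ code. Log records are constructed, simplified
Sysmon/proxy-style events. Field names and the VHDMP mount-event shape are
assumptions about a generic log pipeline.
"""
import re
from collections import defaultdict

# Indicators taken from the article.
MUTEX_FILE = "bkdqqxb.txt"                        # written under %TEMP%, used as a mutex
STAGING_ARCHIVE = r"c:\users\public\results.zip"  # cached browser data staged here
SLACK_UPLOAD_RE = re.compile(r"slack\.com/api/files\.upload", re.IGNORECASE)


def _norm(path):
    """Lower-case and use backslashes so path comparisons are case/separator safe."""
    return path.replace("/", "\\").lower()


def iso_mounted(ev):
    # Assumption: the pipeline forwards Microsoft-Windows-VHDMP mount events with
    # the image path in "image"; only .iso images matter for this campaign.
    return (ev.get("provider") == "Microsoft-Windows-VHDMP"
            and ev.get("action") == "mount"
            and _norm(ev.get("image", "")).endswith(".iso"))


def mutex_file_created(ev):
    # Sysmon event 11 = FileCreate. %TEMP% expands per user, so match on the
    # "\temp\" segment plus the exact file name instead of a full path.
    if ev.get("event_id") != 11:
        return False
    p = _norm(ev.get("target", ""))
    return "\\temp\\" in p and p.endswith("\\" + MUTEX_FILE)


def staging_archive_created(ev):
    return ev.get("event_id") == 11 and _norm(ev.get("target", "")) == STAGING_ARCHIVE


def slack_file_upload(ev):
    # Proxy/web log: flag files.upload calls that do not come from a Slack client
    # (assumption: the "process" field carries the originating image path).
    if ev.get("type") != "http" or not SLACK_UPLOAD_RE.search(ev.get("url", "")):
        return False
    return "slack" not in _norm(ev.get("process", ""))


RULES = {
    "iso_mount": iso_mounted,
    "mutex_file": mutex_file_created,
    "staging_archive": staging_archive_created,
    "slack_upload": slack_file_upload,
}


def scan(events):
    """Return {host: [rule names that fired, in event order]}."""
    hits = defaultdict(list)
    for ev in events:
        for name, check in RULES.items():
            if check(ev):
                hits[ev["host"]].append(name)
    return dict(hits)


def correlate(events, threshold=2):
    """Hosts where at least `threshold` distinct rules fired; one indicator alone
    (e.g. a Slack upload) is noisy, several together are a strong signal."""
    return {host: sorted(set(rules))
            for host, rules in scan(events).items()
            if len(set(rules)) >= threshold}


# Constructed sample records: ws-01 shows the full chain, ws-02 is benign noise.
SAMPLE_EVENTS = [
    {"host": "ws-01", "provider": "Microsoft-Windows-VHDMP", "action": "mount",
     "image": r"C:\Users\alice\Downloads\Invitation.iso"},
    {"host": "ws-01", "event_id": 11,
     "target": r"C:\Users\alice\AppData\Local\Temp\Bkdqqxb.txt"},
    {"host": "ws-01", "event_id": 11, "target": r"C:\Users\Public\results.zip"},
    {"host": "ws-01", "type": "http", "url": "https://slack.com/api/files.upload",
     "process": r"C:\Users\alice\AppData\Local\Temp\invite.exe"},  # placeholder name
    {"host": "ws-02", "type": "http", "url": "https://slack.com/api/files.upload",
     "process": r"C:\Users\bob\AppData\Local\slack\app-4.0\slack.exe"},
    {"host": "ws-02", "event_id": 11,
     "target": r"C:\Users\bob\AppData\Local\Temp\notes.txt"},
]

if __name__ == "__main__":
    for host, rules in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(rules)}")
```

The per-rule checks deliberately avoid full-path matches where the article only fixes a file name (the %TEMP% location varies by user), and the correlation step is what turns individually noisy signals such as a Slack upload into an alert worth paging on.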