A highly sophisticated cyber-espionage campaign by a Russian-speaking group, dubbed Operation ShadowCat, is utilising deceptive shortcut (.LNK) files to initiate a multi-stage attack sequence, with an ultimate goal to deploy a Remote Access Trojan (RAT) to target Indian political observers.
The current attack follows a similar pattern observed by researchers in 2023. It begins with spam emails that distribute a seemingly innocuous shortcut file named ‘Untitled Document.LNK’. This file, disguised as a Word document, contains embedded malicious content that triggers when executed.
Researchers observed that upon opening the .LNK file, a PowerShell command is executed, which drops a .NET loader file and a decoy Word document onto the victim’s machine.
The PowerShell script first checks the victim’s geographic location using the ‘Get-WinHomeLocation’ command. If the GeoID matches specified values, the script terminates, excluding certain regions from the attack.
If the victim is in a targeted region, the script de-obfuscates an array of strings, including base64-encoded data, PowerShell commands and URLs essential for the infection chain.
After that, the script deletes the original LNK file, then creates and opens a decoy document that appears to be a question submitted to the Indian parliament. This suggests the attackers are targeting individuals interested in Indian political affairs, such as government officials, political analysts, and journalists.
The PowerShell script then invokes methods in the .NET loader that retrieve a steganographic PNG image from a remote server. Malicious content is embedded in the image using steganography; once extracted, it is decompressed to reveal shellcode and an MZ header.
The image harbours a Gzip-compressed payload that is decompressed and injected into the PowerShell.exe process, all while avoiding detection by traditional security products.
This shellcode is executed using Asynchronous Procedure Call (APC) injection, ultimately loading and executing the embedded binary.
The attack employs a Command and Control (C&C) server located at ‘use1.netcatgroup.site’, utilising a custom ‘NetCat’ subprotocol for WebSocket communication.
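The chain described above leaves a recognisable footprint in process-creation telemetry: powershell.exe spawned by explorer.exe (how a user-opened .LNK launches), a Get-WinHomeLocation geofence check, base64 de-obfuscation, Gzip decompression and a WebSocket client. The following is an added detection sketch, not code from the report or the researchers; the indicator weights, the threshold and the sample events are assumptions constructed for illustration.

```python
import re

# Behavioural indicators taken from the infection chain described above.
# Weights and the threshold are assumptions for this example, not report values.
INDICATORS = {
    "parent_is_explorer": (None, 1),  # a user-opened .LNK is launched by explorer.exe
    "hidden_window":      (re.compile(r"-w(indowstyle)?\s+hidden", re.I), 1),
    "geofence_check":     (re.compile(r"Get-WinHomeLocation", re.I), 3),
    "base64_decode":      (re.compile(r"FromBase64String", re.I), 1),
    "gzip_decompress":    (re.compile(r"GZipStream", re.I), 2),
    "websocket_client":   (re.compile(r"ClientWebSocket|wss?://", re.I), 2),
}
THRESHOLD = 5

def score_event(event):
    """Score one process-creation event (dict with image, parent_image, command_line)."""
    if not event.get("image", "").lower().endswith("powershell.exe"):
        return 0, []
    matched = []
    if event.get("parent_image", "").lower().endswith("explorer.exe"):
        matched.append("parent_is_explorer")
    cmd = event.get("command_line", "")
    matched += [name for name, (rx, _) in INDICATORS.items() if rx and rx.search(cmd)]
    return sum(INDICATORS[n][1] for n in matched), matched

def triage(events, threshold=THRESHOLD):
    """Return [(index, score, matched_indicators)] for events at or above the threshold."""
    findings = []
    for i, ev in enumerate(events):
        score, matched = score_event(ev)
        if score >= threshold:
            findings.append((i, score, matched))
    return findings

# Constructed sample events in Sysmon-like fields; not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\explorer.exe", "parent_image": r"C:\Windows\System32\userinit.exe",
     "command_line": "explorer.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'powershell.exe -w hidden -c "Get-WinHomeLocation; [Convert]::FromBase64String($d); '
                     'IO.Compression.GZipStream; Net.WebSockets.ClientWebSocket"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "powershell.exe -c Get-WinHomeLocation"},  # an admin checking the locale
]

if __name__ == "__main__":
    for idx, score, matched in triage(SAMPLE_EVENTS):
        print(f"event {idx}: score {score} {matched}")
```

A single indicator such as the locale check scores below the threshold on its own, so routine administration is not flagged; it is the combination of geofencing, decoding, decompression and WebSocket use in one hidden PowerShell launched from Explorer that triggers.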
The final payload, a RAT written in the Go programming language, grants attackers extensive control over the infected system. This includes capabilities for file and directory manipulation, command execution, and interactive communication with the C&C server.
“Upon successful infection, this RAT can enable ransomware activities, stage environments for payload deployment, gather detailed system information, perform network scanning, and upload sensitive data from the victim’s machine,” researchers noted. “It also uses tools for Active Directory mapping and credential extraction, facilitating advanced lateral movement and attack strategies. The figure below shows an overview of the infection.”
Despite the sophisticated nature of the attack, researchers have not yet attributed the activity to a specific threat actor or Advanced Persistent Threat (APT) group. However, the operational patterns and evidence suggest the involvement of a financially motivated, Russian-speaking group or RaaS entity.
India, with a huge population of about 140 crore or 1.4 billion people, has been under constant attacks from multiple entities. Recently, Smishing Triad hit Indian users with India Post scams.
Another scam targeting Indian users via RTO phishing was also observed in July. To counter these scam operations, the Department of Telecommunications (DOT) blocked 1.92 crore or about 20 million SIM cards in India.
Last month, reports emerged that Pakistani threat actors are using Discord emojis to target Indian government agencies. Another Pakistani threat actor, Cosmic Leopard, was found to target Indian Android, Windows, and Mac users, in an operation dubbed ‘Operation Celestial Force.’