Hackers use the latest techniques to steal sensitive data.
Indian government agencies and the defense industry have been targeted by a hacker attack that uses phishing and Rust-based malware for intelligence. The campaign, discovered in October 2023 and called Operation RusticWeb, was identified by the information security company SEQRITE.
According to the SEQRITE report, new Rust-based payloads and encrypted PowerShell commands were used to steal confidential documents. They transmit the collected information not to the traditional Command and Control server (C2), but to a web service.
The analysis revealed tactical links between the detected campaign and the activities of the groups Transparent Tribe and SideCopy, allegedly linked to Pakistan. According to SEQRITE, SideCopy may be subordinate to the Transparent Tribe. The group's latest campaign against Indian government agencies used AllaKore RAT, Ares RAT and DRat Trojans.
ThreatMon noted that recent attacks included the use of fake PowerPoint files and specially prepared RAR archives vulnerable to CVE-2023-38831, which allowed attackers to gain full remote access and control over the device.
The SideCopy APT Group infection chain includes several stages, each of which is carefully organized to ensure successful hacking. The latest set of attacks begins with a phishing email that uses social engineering techniques to trick victims into interacting with a malicious PDF file that delivers a Rust-based payload to scan the file system, while the victims are shown a fake document.
The virus collects files and information about the system, sending them to the C2 server. However, according to experts, the malware does not have the functionality of more advanced malware available in the cybercrime market.
Another infection chain discovered by SEQRITE in December is also multi-stage, but it replaces the Rust virus with a PowerShell script. At the end of the infection chain, a Rust executable file called "Cisco AnyConnect Web Helper" is used. The collected data is sent to the domain "oshi[.]at", the OshiUpload public file service.
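A defender-side check for the exfiltration path described above (bulk uploads to the public oshi[.]at file service instead of a conventional C2 server), as an added example that is not part of the post or of SEQRITE's report; the proxy log format, the sample lines and the byte threshold are constructed assumptions.

```python
# Added example: flag upload-style requests to a watched file-sharing domain
# in web-proxy logs. Log format, sample lines and threshold are constructed.
import re
from collections import defaultdict

# Constructed sample lines in a simple proxy format:
# <timestamp> <client_ip> <method> <url> <status> <bytes_sent_by_client>
SAMPLE_LOG = """\
2023-12-05T10:01:12Z 10.20.3.41 GET https://www.example.org/index.html 200 412
2023-12-05T10:02:03Z 10.20.3.41 POST https://oshi.at/ 200 184320
2023-12-05T10:02:41Z 10.20.3.41 POST https://oshi.at/ 200 96000
2023-12-05T10:03:15Z 10.20.3.77 GET https://oshi.at/abcd 200 310
2023-12-05T10:04:00Z 10.20.3.90 POST https://mail.example.org/send 200 2048
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)

# "oshi.at" is the domain named in the report; the upload methods and the
# minimum size are assumptions chosen to ignore ordinary page views.
WATCHED_DOMAINS = {"oshi.at"}
UPLOAD_METHODS = {"POST", "PUT"}
MIN_UPLOAD_BYTES = 50_000


def host_of(url):
    """Extract the host part of a URL, lower-cased ('' if not parseable)."""
    m = re.match(r"^[a-z]+://([^/:]+)", url)
    return m.group(1).lower() if m else ""


def is_watched(host):
    """True for a watched domain or any of its sub-domains."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def find_uploads(log_text):
    """Return {client_ip: total_bytes} for large uploads to watched domains."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        size = int(m["bytes"])
        if (m["method"] in UPLOAD_METHODS and is_watched(host_of(m["url"]))
                and size >= MIN_UPLOAD_BYTES):
            totals[m["src"]] += size
    return dict(totals)


if __name__ == "__main__":
    for src, total in find_uploads(SAMPLE_LOG).items():
        print(f"ALERT: {src} uploaded {total} bytes to a public file-sharing service")
```

Per-host byte totals are returned rather than single hits so that chunked uploads (several smaller POSTs from one client, as in the sample) still surface as one alert.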
