2023-12-23

Indian government organizations and India's defense sector were targeted by a phishing campaign designed to spread information-gathering Rust-based malware, in an operation that has been named RusticWeb.

What is known about the RusticWeb operation

The activity, first detected in October 2023, was named Operation RusticWeb by enterprise security firm SEQRITE.

“New Rust-based payloads and encrypted PowerShell commands were used to exfiltrate confidential documents to a web-based service engine, rather than to a dedicated command-and-control (C2) server,” said security researcher Sathwik Ram Prakki.

Tactical overlaps have emerged between this cluster and those widely tracked under the names Transparent Tribe and SideCopy, both believed to be linked to Pakistan.

SideCopy is also suspected to be a subordinate element within Transparent Tribe; last month (November 2023), SEQRITE released detailed information on multiple campaigns undertaken by the threat group against Indian government bodies to deliver numerous trojans such as AllaKore RAT, Ares RAT and DRat.

Other recent attack chains documented by ThreatMon used counterfeit Microsoft PowerPoint files and specially crafted RAR archives exploiting the vulnerability CVE-2023-38831 to distribute the malware (RusticWeb), allowing unrestricted remote access and control (i.e. with administrator privileges).

“The SideCopy APT group's infection chain involves several stages, each carefully orchestrated to ensure a successful compromise,” ThreatMon reported earlier this year.

The latest set of attacks starts with a phishing email that uses social engineering techniques to trick victims into interacting with malicious PDF files; these spread Rust-based payloads that enumerate the file system in the background while a decoy document is displayed to the victim.

In addition to harvesting files of interest, the malware is able to collect system information and transmit it to the C2 server, but it lacks the features of other advanced malware available in the online criminal underground.

A second infection chain identified by SEQRITE in December uses a similar multi-step process, but replaces the malware written in the Rust programming language with a PowerShell script that handles the enumeration and exfiltration of sensitive data.

In an interesting twist, the final-stage payload is launched via a Rust executable called “Cisco AnyConnect Web Helper”; the collected information is ultimately uploaded to the domain oshi[.]at, an anonymous public file-sharing service called OshiUpload.

“Operation RusticWeb may be linked to an APT threat as it shares similarities with various Pakistan-linked groups,” said Ram Prakki.

The disclosure comes nearly two months after Cyble discovered a malicious Android application used by the DoNot hacking team that targets individuals and organizations in the Kashmir region of India.

The nation-state actor, also known by the names APT-C-35, Origami Elephant and SECTOR02, is believed to be of Indian origin and has a history of using Android malware to infect devices belonging to people residing in Kashmir and Pakistan.

The variant examined by Cyble is a trojanized version of an open-source GitHub project called “QuranApp: Read and Explore” that comes with a wide range of spyware features to record audio and VoIP calls, take screenshots, collect data from various apps, download additional APK files, and track the victim's location.

“The DoNot group's tireless efforts in perfecting their tools and techniques underline the ongoing threat they pose, particularly in their targeting of individuals in India's sensitive Kashmir region,” Cyble concluded.