
Operation:Armor Piercer (Detected by CISCO's TALOS) attacked Indian Defence and Government Official

(The original research document and cover image source is here)


On 23 September 2021, Talos, Cisco's cyber security research team, published a blog revealing that Indian government and defence officials had been under cyber attack since at least the end of 2020. The attack primarily targeted users of "Kavach", a two-factor authentication tool by the National Informatics Centre (NIC).


Unlike the standard approach of spyware and Advanced Persistent Threats (APTs), the motivated actors used off-the-shelf Remote Access Trojans (RATs). In the phishing attack, victims are lured into opening a malicious Microsoft Word document (maldoc). The maldocs carry headings of military interest, such as something to do with Chinese or Pakistani forces, or pose as guides related to Indian government infrastructure and operations. Some of the file names used are:


  • KAVACH-INSTALLATION-VER-1.docm

  • Security-Updates.docm

  • Online meeting schedule for OPS.doc

  • schedule2021.docm

One of the screenshots of the phishing emails is shown below.



(Image source: Security Affairs)



The malicious campaign targets government employees and military personnel in the Indian subcontinent with two commercial, commodity RAT families known as NetwireRAT (aka NetwireRC) and WarzoneRAT (aka Ave Maria). Throughout March and April 2021, the attackers used downloaders to fetch and execute the RAT payloads from remote locations. In some cases, Talos also discovered the deployment of custom .NET-based file enumerator modules that generate and exfiltrate listings of file paths with specific extensions on the infected systems. Toward the beginning of June 2021, the attackers started experimenting with Pastebin as a payload-hosting platform. In March 2021 Talos had assessed that the attackers were using ObliqueRAT and CrimsonRAT; its latest report, however, indicates the use of NetwireRAT and WarzoneRAT.
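The two indicators the post gives a defender to work with are the lure file names of the macro-enabled maldocs and the later use of Pastebin as a payload host. The triage helper below is an added example (not code from Talos or the original post); it assumes a hypothetical, constructed mail-gateway and proxy log format and flags attachments with the reported lure names, any other macro-capable Office attachment, and fetches from pastebin.com.

```python
import re
from typing import List, NamedTuple

# Lure file names reported for this campaign (taken from the post above).
LURE_NAMES = {
    "kavach-installation-ver-1.docm",
    "security-updates.docm",
    "online meeting schedule for ops.doc",
    "schedule2021.docm",
}
# Office extensions that can carry VBA macros (legacy .doc included).
MACRO_EXTS = (".docm", ".dotm", ".xlsm", ".doc")
PASTEBIN_HOSTS = {"pastebin.com", "www.pastebin.com"}

class Finding(NamedTuple):
    line_no: int
    reason: str

# Hypothetical log formats constructed for this example:
#   MAIL  <recipient> <sender> attachment="<filename>"
#   PROXY <client_ip> <method> <url>
MAIL_RE = re.compile(r'^MAIL\s+(\S+)\s+(\S+)\s+attachment="([^"]+)"$')
PROXY_RE = re.compile(r"^PROXY\s+(\S+)\s+(\S+)\s+(\S+)$")
HOST_RE = re.compile(r"^https?://([^/:]+)")

def triage(lines: List[str]) -> List[Finding]:
    """Return one Finding per log line that matches a campaign indicator."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = MAIL_RE.match(line)
        if m:
            name = m.group(3)
            if name.lower() in LURE_NAMES:
                findings.append(Finding(n, f"known Armor Piercer lure file name: {name}"))
            elif name.lower().endswith(MACRO_EXTS):
                findings.append(Finding(n, f"macro-capable Office attachment: {name}"))
            continue
        m = PROXY_RE.match(line)
        if m:
            client, url = m.group(1), m.group(3)
            host = HOST_RE.match(url)
            if host and host.group(1).lower() in PASTEBIN_HOSTS:
                findings.append(Finding(n, f"Pastebin fetch from {client}: {url}"))
    return findings

# Constructed sample log; domains and the paste id are placeholders.
SAMPLE_LOG = [
    'MAIL officer@example.gov.in hr@lure.example attachment="KAVACH-INSTALLATION-VER-1.docm"',
    'MAIL officer@example.gov.in colleague@example.test attachment="minutes.docx"',
    'MAIL officer@example.gov.in unknown@example.test attachment="Online meeting schedule for OPS.doc"',
    "PROXY 10.0.0.7 GET https://pastebin.com/raw/PLACEHOLDER_ID",
    "PROXY 10.0.0.8 GET https://www.example.test/index.html",
]
```

Running `triage(SAMPLE_LOG)` flags lines 1, 3 and 4 and leaves the plain .docx and the ordinary web fetch alone.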


Netwire is a highly versatile RAT with multiple capabilities, including:


  • Stealing credentials from browsers.

  • Executing arbitrary commands.

  • Gathering system information.

  • File management operations such as writing, reading, copying and deleting files.

  • Enumerating and terminating processes.

  • Keylogging.


WarzoneRAT's functionalities include:


  • Remote desktop.

  • Webcam capture.

  • Microphone capture.

  • Credential stealing from browsers and email clients.

  • File management operations such as write, read, copy, delete files, etc.

  • Execute arbitrary commands.

  • Keylogging.

  • Reverse shells.

  • Enumerate, terminate processes.

Other surveillance tools are also used.


The threat actor is suspected to be the Pakistani Transparent Tribe (APT36) group.


Transparent Tribe has been active since at least 2013 and has targeted entities across 27 countries, most of them in Afghanistan, Germany, India, Iran, and Pakistan. Transparent Tribe (also tracked as Operation C-Major, APT36, and Mythic Leopard) was first spotted by Proofpoint researchers in February 2016, in a series of cyber espionage operations against Indian diplomats and military personnel at embassies in Saudi Arabia and Kazakhstan. At that time, the researchers traced the source IPs to Pakistan; the attacks were part of a wider operation relying on multiple vectors, such as watering hole websites and phishing email campaigns delivering custom RATs dubbed Crimson and Peppy. These RATs are capable of exfiltrating information, taking screenshots, and recording webcam streams.

During previous attacks, the group used fake domains impersonating the 7th Central Pay Commission (7CPC) of India and an Indian think tank, the Centre for Land Warfare Studies (CLAWS). This technique is called a watering hole attack. (Source: Security Affairs)


This Blog may be updated (last update: 2330 hrs 24 Sept 2021)


