INDIA NEWS (http://www.indiavpn.org), news blog feed

Indian Government Rescues 250 Citizens Forced into Cybercrime in Cambodia
Published Mon, 01 Apr 2024 15:31:54 +0000
http://www.indiavpn.org/2024/04/01/indian-government-rescues-250-citizens-forced-into-cybercrime-in-cambodia/

Apr 01, 2024 | Newsroom | Cryptocurrency / Financial Fraud

The Indian government said it has rescued and repatriated about 250 citizens in Cambodia who were held captive and coerced into running cyber scams.

The Indian nationals “were lured with employment opportunities to that country but were forced to undertake illegal cyber work,” the Ministry of External Affairs (MEA) said in a statement, adding it had rescued 75 people in the past three months.

It also said it is working “with Cambodian authorities and with agencies in India to crack down on those responsible for these fraudulent schemes.”

The development comes in the wake of a report from the Indian Express that said more than 5,000 Indians stuck in Cambodia were forced into “cyber slavery” by organized crime rackets to scam people in India and extort money by masquerading as law enforcement authorities in some cases.

The report also tracks with an earlier disclosure from INTERPOL, which characterized the situation as human trafficking-fuelled fraud on an industrial scale.

This included an accountant from the state of Telangana, who was “lured to Southeast Asia where he was forced to participate in online fraud schemes in inhuman conditions.” He was subsequently let go after paying a ransom.

In another instance highlighted by the Indian Express, one of the rescued men was recruited by an agent from the south Indian city of Mangaluru for a data entry job, only to be asked to create fake social media accounts with photographs of women and use them to contact people.

“We had targets and if we didn’t meet those, they would not give us food or allow us into our rooms,” the individual, identified only as Stephen, was quoted as saying.

China and the Philippines have undertaken similar efforts to free hundreds of Filipinos, Chinese, and other foreign nationals who were entrapped and forced into criminal activity, running what’s called pig butchering scams.

These schemes typically start with the scammer adopting a bogus identity to lure prospective victims into investing in non-existent crypto businesses that are designed to steal their funds. The fraudsters are known to gain their target’s trust under the illusion of a romantic relationship.

In a report published in February 2024, Chainalysis said the cryptocurrency wallets associated with one of the pig butchering gangs operating out of Myanmar have recorded close to $100 million in crypto inflows, some of which is also estimated to include the ransom payments made by the families of trafficked workers.

“The brutal conditions trafficking victims face on the compounds also lend additional urgency to solving the problem of romance scamming — not only are consumers being bilked out of hundreds of millions of dollars each year, but the gangs behind those scams are also perpetuating a humanitarian crisis,” the blockchain analytics firm said.

News of the rescue efforts also follows research from Check Point that threat actors are exploiting a function in Ethereum called CREATE2 to bypass security measures and gain unauthorized access to funds. Details of the scam were previously disclosed by Scam Sniffer in November 2023.

The crux of the technique is the use of CREATE2 to generate a new “temporary” wallet address that has no history of being reported for criminal activity. Once the victim approves the contract, the threat actors can route the illicit transactions to that address, circumventing protections that flag known-malicious addresses.

“The attack method involves tricking users into approving transactions for smart contracts that haven’t been deployed yet, allowing cyber criminals to later deploy malicious contracts and steal cryptocurrencies,” the Israeli company said.

Hackers Hit Indian Defense, Energy Sectors with Malware Posing as Air Force Invite
Published Wed, 27 Mar 2024 16:33:47 +0000
http://www.indiavpn.org/2024/03/27/hackers-hit-indian-defense-energy-sectors-with-malware-posing-as-air-force-invite/

Mar 27, 2024 | Newsroom | Cyber Espionage / Data Breach

Indian government entities and energy companies have been targeted by unknown threat actors aiming to deliver a modified version of an open-source information stealer called HackBrowserData and, in some cases, exfiltrate sensitive information using Slack as command-and-control (C2).

“The information stealer was delivered via a phishing email, masquerading as an invitation letter from the Indian Air Force,” EclecticIQ researcher Arda Büyükkaya said in a report published today.

“The attacker utilized Slack channels as exfiltration points to upload confidential internal documents, private email messages, and cached web browser data after the malware’s execution.”

The campaign, observed by the Dutch cybersecurity firm beginning March 7, 2024, has been codenamed Operation FlightNight in reference to the Slack channels operated by the adversary.

Targets of the malicious activity span multiple government entities in India, including those related to electronic communications, IT governance, and national defense.

The threat actor is said to have successfully compromised private energy companies, harvesting financial documents, personal details of employees, and details of oil and gas drilling activities. In all, about 8.81 GB of data has been exfiltrated over the course of the campaign.

The attack chain starts with a phishing message containing an ISO file (“invite.iso”), which, in turn, contains a Windows shortcut (LNK) that triggers the execution of a hidden binary (“scholar.exe”) present within the mounted optical disk image.

Simultaneously, a lure PDF file that purports to be an invitation letter from the Indian Air Force is displayed to the victim while the malware clandestinely harvests documents and cached web browser data and transmits them to an actor-controlled Slack channel named FlightNight.

The malware is an altered version of HackBrowserData that goes beyond its browser data theft features to incorporate capabilities to siphon documents (Microsoft Office, PDFs, and SQL database files), communicate over Slack, and better evade detection using obfuscation techniques.

It’s suspected that the threat actor stole the decoy PDF during a previous intrusion, with behavioral similarities traced back to a phishing campaign targeting the Indian Air Force with a Go-based stealer called GoStealer.

Details of the activity were disclosed by an Indian security researcher who goes by the alias xelemental (@ElementalX2) in mid-January 2024.

The GoStealer infection sequence is virtually identical to that of FlightNight, employing procurement-themed lures (“SU-30 Aircraft Procurement.iso”) to display a decoy file while the stealer payload is deployed to exfiltrate information of interest over Slack.

Adapting freely available offensive tools and repurposing legitimate infrastructure such as Slack, which is prevalent in enterprise environments, allows threat actors to reduce time and development costs and to fly under the radar more easily.

Image source: ElementalX2

The efficiency benefits also mean that it’s that much easier to launch a targeted attack, even allowing less-skilled and aspiring cybercriminals to spring into action and inflict significant damage to organizations.

“Operation FlightNight and the GoStealer campaign highlight a simple yet effective approach by threat actors to use open-source tools for cyber espionage,” Büyükkaya said.

“This underscores the evolving landscape of cyber threats, wherein actors abuse widely used open-source offensive tools and platforms to achieve their objectives with minimal risk of detection and investment.”

New Backdoor Targeting European Officials Linked to Indian Diplomatic Events
Published Thu, 29 Feb 2024 09:20:46 +0000
http://www.indiavpn.org/2024/02/29/new-backdoor-targeting-european-officials-linked-to-indian-diplomatic-events/

Feb 29, 2024 | Newsroom | Cyber Espionage / Malware

A previously undocumented threat actor dubbed SPIKEDWINE has been observed targeting officials in European countries with Indian diplomatic missions using a new backdoor called WINELOADER.

The adversary, according to a report from Zscaler ThreatLabz, used a PDF file in emails that purported to come from the Ambassador of India, inviting diplomatic staff to a wine-tasting event on February 2, 2024.

The PDF document was uploaded to VirusTotal from Latvia on January 30, 2024. That said, there is evidence to suggest that this campaign may have been active at least since July 6, 2023, going by the discovery of another similar PDF file uploaded from the same country.

“The attack is characterized by its very low volume and the advanced tactics, techniques, and procedures (TTPs) employed in the malware and command-and-control (C2) infrastructure,” security researchers Sudeep Singh and Roy Tay said.

Central to the novel attack is the PDF file that comes embedded with a malicious link that masquerades as a questionnaire, urging the recipients to fill it out in order to participate. Clicking on the link paves the way for an HTML application (“wine.hta”) that contains obfuscated JavaScript code to retrieve an encoded ZIP archive bearing WINELOADER from the same domain.

The malware is packed with a core module that is designed to execute modules fetched from the C2 server, inject itself into another dynamic-link library (DLL), and update the sleep interval between beacon requests.

A notable aspect of the cyber incursions is the use of compromised websites for C2 and hosting intermediate payloads. It’s suspected that the “C2 server only responds to specific types of requests at certain times,” thereby making the attacks more evasive.

“The threat actor put additional effort into remaining undetected by evading memory forensics and automated URL scanning solutions,” the researchers said.

Rust-Based Malware Targets Indian Government Entities
Published Sat, 23 Dec 2023 16:25:13 +0000
http://www.indiavpn.org/2023/12/23/rust-based-malware-targets-indian-government-entities/

Dec 22, 2023 | Newsroom | Malware / Cyber Threat

Indian government entities and the defense sector have been targeted by a phishing campaign that’s engineered to drop Rust-based malware for intelligence gathering.

The activity, first detected in October 2023, has been codenamed Operation RusticWeb by enterprise security firm SEQRITE.

“New Rust-based payloads and encrypted PowerShell commands have been utilized to exfiltrate confidential documents to a web-based service engine, instead of a dedicated command-and-control (C2) server,” security researcher Sathwik Ram Prakki said.

Tactical overlaps have been uncovered between the cluster and those widely tracked under the monikers Transparent Tribe and SideCopy, both of which are assessed to be linked to Pakistan.

SideCopy is also a suspected subordinate element within Transparent Tribe. Last month, SEQRITE detailed multiple campaigns undertaken by the threat actor targeting Indian government bodies to deliver numerous trojans such as AllaKore RAT, Ares RAT, and DRat.

Other recent attack chains documented by ThreatMon have employed decoy Microsoft PowerPoint files as well as specially crafted RAR archives susceptible to CVE-2023-38831 for malware delivery, enabling unbridled remote access and control.

“The SideCopy APT Group’s infection chain involves multiple steps, each carefully orchestrated to ensure successful compromise,” ThreatMon noted earlier this year.

The latest set of attacks commences with a phishing email, leveraging social engineering techniques to trick victims into interacting with malicious PDF files that drop Rust-based payloads for enumerating the file system in the background while displaying the decoy file to the victim.

Besides amassing files of interest, the malware is equipped to collect system information and transmit it to the C2 server, but it lacks the features of other advanced stealer malware available in the cybercrime underground.

A second infection chain identified by SEQRITE in December employs a similar multi-stage process but substitutes the Rust malware with a PowerShell script that takes care of the enumeration and exfiltration steps.

But in an interesting twist, the final-stage payload is launched via a Rust executable that goes by the name “Cisco AnyConnect Web Helper.” The gathered information is ultimately uploaded to the oshi[.]at domain, an anonymous public file-sharing service called OshiUpload.

“Operation RusticWeb could be linked to an APT threat as it shares similarities with various Pakistan-linked groups,” Ram Prakki said.

The disclosure comes nearly two months after Cyble uncovered a malicious Android app utilized by the DoNot Team targeting individuals in the Kashmir region of India.

The nation-state actor, also known by the names APT-C-35, Origami Elephant, and SECTOR02, is believed to be of Indian origin and has a history of utilizing Android malware to infiltrate devices belonging to people in Kashmir and Pakistan.

The variant examined by Cyble is a trojanized version of an open-source GitHub project called “QuranApp: Read and Explore” that comes fitted with a wide range of spyware features to record audio and VoIP calls, capture screenshots, gather data from various apps, download additional APK files, and track the victim’s location.

“The DoNot group’s relentless efforts to refine their tools and techniques underscore the ongoing threat they pose, particularly in their targeting of individuals in the sensitive Kashmir region of India,” Cyble said.
