A sophisticated phishing campaign targeting Indian government entities and the defense sector has been uncovered, the opening move of what enterprise security firm SEQRITE has named “Operation RusticWeb.” The campaign, first identified in October 2023, deploys Rust-based malware built for intelligence gathering.
According to security researcher Sathwik Ram Prakki, the attackers employ new Rust-based payloads and encrypted PowerShell commands. Notably, these malicious payloads exfiltrate confidential documents to a web-based service engine instead of a dedicated command-and-control (C2) server, adding a layer of complexity to their tactics.
Tactical connections have been identified between this cluster and threat actors known as Transparent Tribe and SideCopy, both assessed to be linked to Pakistan. SEQRITE had previously detailed campaigns by SideCopy targeting Indian government bodies, delivering trojans like AllaKore RAT, Ares RAT, and DRat.
The phishing emails in this Operation RusticWeb campaign use social engineering to trick victims into opening malicious PDF files. These files drop Rust-based payloads that enumerate the file system in the background while a decoy document is shown to the victim. The malware can collect files of interest and system information, but it lacks some of the advanced features seen in stealer malware sold in the cybercrime underground.
In a different infection chain identified in December, a similar multi-stage process is employed, but this time the Rust malware is replaced with a PowerShell script. The final-stage payload, interestingly, is launched through a Rust executable named “Cisco AnyConnect Web Helper,” with the gathered information uploaded to the oshi[.]at domain, an anonymous public file-sharing engine known as OshiUpload.
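As an added defender-side example (not code from SEQRITE's or Cyble's reporting), the following Python scans Sysmon-style network-connection records for the two indicators the article gives: outbound connections to the oshi[.]at upload service, and such a connection from a process named after Cisco AnyConnect. The record layout and field names are assumed for illustration, and the sample records are constructed.

```python
# Indicators from the article: the public file-sharing host that received the
# stolen files, and the decoy name of the Rust executable launching the payload.
EXFIL_HOSTS = {"oshi.at"}
DECOY_NAME_FRAGMENT = "anyconnect"

# Constructed Sysmon-style network-connection records (Event ID 3); the field
# names are assumed for this example, not taken from a real log schema.
SAMPLE_EVENTS = [
    {"event_id": 3, "dest_host": "oshi.at", "dest_port": 443,
     "image": r"C:\Users\u1\AppData\Local\Temp\Cisco AnyConnect Web Helper.exe"},
    {"event_id": 3, "dest_host": "vpn.example.com", "dest_port": 443,
     "image": r"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe"},
    {"event_id": 3, "dest_host": "oshi.at", "dest_port": 443,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"event_id": 1, "image": r"C:\Windows\System32\notepad.exe"},
]


def host_matches(host, suspicious_hosts):
    """True if host is one of the suspicious domains or a subdomain of one."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in suspicious_hosts)


def classify_event(event):
    """Return (severity, reason) for one record, or None if nothing matched."""
    if event.get("event_id") != 3:
        return None
    if not host_matches(event.get("dest_host", ""), EXFIL_HOSTS):
        return None
    # Any upload-service connection deserves a look (users may use it too);
    # the same connection from an AnyConnect-named process matches the decoy
    # described in the article and is escalated.
    if DECOY_NAME_FRAGMENT in event.get("image", "").lower():
        return ("high", "upload-service connection from AnyConnect-named process")
    return ("medium", "connection to public upload service")


def scan_events(events):
    """Return one alert dict per suspicious record, in input order."""
    alerts = []
    for ev in events:
        verdict = classify_event(ev)
        if verdict:
            alerts.append({"severity": verdict[0], "reason": verdict[1],
                           "image": ev.get("image"), "dest_host": ev.get("dest_host")})
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

The medium-severity match alone is a triage cue rather than a verdict, since the service is a public one; the high-severity pairing is the combination the article describes.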
Ram Prakki suggests that “Operation RusticWeb could be linked to an APT threat as it shares similarities with various Pakistan-linked groups.” This revelation comes in the wake of Cyble’s discovery of a malicious Android app used by the DoNot Team, believed to be of Indian origin, targeting individuals in the Kashmir region.
The DoNot Group, also known as APT-C-35, Origami Elephant, and SECTOR02, has a history of using Android malware for infiltration. The trojanized version of an open-source GitHub project, named “QuranApp: Read and Explore,” discovered by Cyble, possesses spyware features to record audio and VoIP calls, capture screenshots, gather data from various apps, download additional APK files, and track the victim’s location.
Cyble emphasizes the ongoing threat posed by the DoNot group’s continuous efforts to refine their tools and techniques, particularly in their targeting of individuals in the sensitive Kashmir region of India.