Indian government personnel and entities in the defense sector have been targeted by a phishing campaign called Operation RusticWeb [2] [3] [4] [5] [6]. The campaign has been linked to the Pakistan-based threat group SideCopy [6], shares tradecraft with the related group Transparent Tribe [2] [5], and uses Rust-based malware for intelligence gathering [2] [4] [5] [6].

Description

Operation RusticWeb [2] [3] [4] [5] [6], first identified by the SEQRITE Labs APT-Team in October 2023 [1], is a phishing campaign that targets Indian government personnel and entities in the defense sector. The campaign has been linked to the Pakistan-based threat group SideCopy [6]. The attackers use Rust-based malware to gather intelligence. More recently they have added new Rust-based payloads and encrypted PowerShell commands for document exfiltration, and instead of sending the stolen documents to a dedicated command-and-control server [1] [2], they now upload them to a public web-based file-sharing service, which leaves no attacker-owned C2 infrastructure to block.

The campaign shares tactics with Transparent Tribe and SideCopy [2] [5], both of which are believed to operate from Pakistan [5]. Besides the Rust malware, the threat actor used a PowerShell script in a separate infection chain identified in December. In that chain the final-stage payload is launched through a Rust executable named “Cisco AnyConnect Web Helper,” a name chosen to pass as a legitimate Cisco VPN component.

Separately, the DoNot Team [2], believed to be of Indian origin [2], has targeted individuals in the Kashmir region of India with a trojanized Android app called “QuranApp: Read and Explore” that carries spyware features [2]. Earlier campaigns by the Pakistan-linked actors behind RusticWeb, as documented by enterprise security firm SEQRITE [5], involved trojans such as AllaKore RAT, Ares RAT [5], and DRat [5].

The phishing campaign overlaps with the Pakistan-linked APT groups Transparent Tribe (APT36) and SideCopy [3] and also shows similarities with Operation Armor Piercer [3]. Threat actors are increasingly writing tooling in newer languages such as Golang [3], Rust [2] [3], and Nim, whose binaries are harder to analyze and less well covered by existing detections [3]. Ransomware operators have likewise moved from Golang to Rust for its fast encryption and evasion speed [3].

Conclusion

Operation RusticWeb [2] [3] [4] [5] [6], linked to the Pakistan-based threat group SideCopy [6], poses a significant threat to Indian government personnel and entities in the defense sector. The new Rust-based payloads and encrypted PowerShell commands used for document exfiltration show how the attackers' tooling is evolving, and exfiltrating through a public web-based file-sharing service instead of a dedicated command-and-control server removes the attacker-owned infrastructure that defenders would otherwise block, complicating detection and mitigation.

The separate DoNot Team activity, believed to be of Indian origin [2], targeting individuals in the Kashmir region with a trojanized Android app shows that the region is contested by actors on both sides. The overlap with other Pakistan-linked APT groups and the adoption of newer languages such as Golang, Rust [2] [3], and Nim further underscore the need for stronger detection and response.

As ransomware operators also migrate from Golang to Rust for its fast encryption and evasion speed [3], organizations must keep analysis and detection capabilities current for these languages. The implications of this campaign extend beyond its immediate targets and emphasize the need for proactive measures to safeguard sensitive information and infrastructure.

References

[1] https://allinfosecnews.com/item/operation-rusticweb-targets-indian-govt-from-rust-based-malware-to-web-service-exfiltration-2023-12-21/
[2] https://thehackernews.com/2023/12/operation-rusticweb-rust-based-malware.html
[3] https://www.seqrite.com/blog/operation-rusticweb-targets-indian-govt-from-rust-based-malware-to-web-service-exfiltration/
[4] https://www.linkedin.com/posts/wdevault_operation-rusticweb-rust-based-malware-targets-activity-7143961119232000000-eVkF
[5] https://owasp.or.id/2023/12/22/rust-based-malware-targets-indian-government-entities/
[6] https://healsecurity.com/rust-based-malware-targets-indian-government-entities/