Cisco Talos recently discovered a malicious campaign targeting government employees and military personnel in India with two commercial and commodity RAT families known as NetwireRAT (aka NetwireRC) and WarzoneRAT (aka Ave Maria).
In a recent blog post, Cisco Talos published its findings on how the Armor Piercer campaign distributes malicious documents to deliver Remote Access Trojans (RATs) and gain access to highly confidential information held by government and defence agencies.
The lures used in this campaign are predominantly operational documents pertaining to “Kavach”, a two-factor authentication (2FA) app operated by India’s National Informatics Centre (NIC) and used by government employees to access their email. The campaign also uses compromised websites and fake domains to host its malicious payloads, a tactic it shares with Transparent Tribe.
The earliest instance of this campaign was observed in December 2020, utilizing malicious MS Office documents, known as maldocs, disguised as security advisories, meeting schedules, software installation guides, etc.
Like other advanced threats, this campaign has grown more sophisticated over time: it uses multiple techniques and has evolved to obfuscate itself, persist in the victim’s environment and evade standard detection, and it continues to operate today.
Armor Piercer is another instance of a highly motivated threat actor using a set of RAT families to infect its victims. These RATs come with many out-of-the-box features for gaining complete control over infected systems, and because the same RATs are sold and used widely, their use makes it harder to attribute the activity to a specific threat actor. In addition, since July 2021 Talos researchers have observed file enumerators deployed alongside the RATs, indicating that the attackers are expanding the arsenal they use against their victims.
This is just one example of the rapidly expanding threat landscape that is simultaneously becoming far more complex. In response, every company across sectors is rethinking their cybersecurity posture.
Commenting on how organizations can strengthen their threat detection and response, Vishak Raman, Director, Security Business, Cisco India and SAARC, shares, “Operation Armor Piercer is a grim reminder of the vulnerabilities still existing in our cybersecurity posture. To ensure end-to-end security of India’s most precious assets and information, government and defence agencies must implement a layered defence strategy that enables comprehensive visibility and coverage across all endpoints, accelerates response by leveraging automation and orchestration to enrich data, and reduces massive data sets into actionable insights through AI/ML and data analytics. Essentially, security must not be bolted on, rather built into every system and process to ensure infallible protection of people and assets.”