A brand new focused phishing marketing campaign has zoomed in on a two-factor authentication answer referred to as Kavach that is utilized by Indian authorities officers.
Cybersecurity agency Securonix dubbed the exercise STEPPY#KAVACH, attributing it to a menace actor referred to as SideCopy primarily based on tactical overlaps with prior assaults.
“.LNK information are used to provoke code execution which ultimately downloads and runs a malicious C# payload, which capabilities as a distant entry trojan (RAT),” Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov mentioned in a brand new report.
SideCopy, a hacking crew believed to be of Pakistani origin and energetic since no less than 2019, is alleged to share ties with one other actor referred to as Transparent Tribe (aka APT36 or Mythic Leopard).
It’s additionally recognized to impersonate assault chains leveraged by SideWinder, a prolific nation-state group that disproportionately singles out Pakistan-based army entities, to deploy its personal toolset.
That mentioned, this isn’t the primary time Kavach has emerged as a goal for the actor. In July 2021, Cisco Talos detailed an espionage operation that was undertaken to steal credentials from Indian authorities staff.
Kavach-themed decoy apps have since been co-opted by Transparent Tribe in its assaults concentrating on India because the begin of the yr.
The newest assault sequence noticed by Securonix over the previous couple of weeks entails utilizing phishing emails to lure potential victims into opening a shortcut file (.LNK) to execute a distant .HTA payload utilizing the mshta.exe Windows utility.
The HTML utility, the corporate mentioned, “was found being hosted on a possible compromised web site, nested inside an obscure ‘gallery’ listing designed to retailer a number of the website’s photographs.”
The compromised web site in query is incometaxdelhi[.]org, the official web site for India’s Income Tax division pertaining to the Delhi area. The malicious file is not accessible on the portal.
In the following section, operating the .HTA file results in the execution of obfuscated JavaScript code that is designed to point out a decoy picture file that options an announcement from the Indian Ministry of Defence a yr in the past in December 2021.
The JavaScript code additional downloads an executable from a distant server, establishes persistence by way of Windows Registry modifications, and reboots the machine to robotically launch the binary publish startup.
The binary file, for its half, capabilities as a backdoor that allows the menace actor to execute instructions despatched from an attacker-controlled area, fetch and run extra payloads, take screenshots, and exfiltrate information.
The exfiltration part additionally consists of an choice to particularly seek for a database file (“kavach.db”) created by the Kavach app on the system to retailer the credentials.
It’s price noting that the aforementioned an infection chain was disclosed by the MalwareHunterTeam in a sequence of tweets on December 8, 2022, describing the distant entry trojan as MargulasRAT.
“Based on correlated information from the binary samples obtained of the RAT utilized by the menace actors, this marketing campaign has been occurring towards Indian targets undetected for the final yr,” the researchers mentioned.