- A RAT that used political and government entities as a facade to target Indian and Afghan organizations was discovered.
- It is using a custom enumerator and infector to conduct reconnaissance at the start of their attack campaigns.
- The agent’s actions seem to indicate they are a single individual using a paper-only company to conduct a crimeware campaign.
A threat actor using malicious political- and government-themed websites to target Afghanistan and India. The activities are perpetrated via malicious RTF documents for delivering a number of commodity malware to target systems. They are usually exploiting a Microsoft Office CVE-2017-11882 stack overflow vulnerability which allows for arbitrary code execution.
They usually run their campaign in four phases:
- A recon stage focussed on a custom file enumerator and infector to target systems. During this phase the infector corrupts all on-drive Office documents including .docx, .xlsx, .xls, .doc, .ppt, .pptx, .pdf, .xlt, .xla, .xll, .pps, .pot and .inp etc. This phase also infects the PowerShell directory of the target drive.
- A second stage deploys several malware executables RATs like DcRAT and QuasarRAT.
- The third phase of the process loads a shortcut in the target device’s startup directory followed by a C# code converted into an executable assembly for further malicious code infiltration.
- The fourth and final phase compiled C# code which offers a file enumerator and file infector modules executables. These work together to direct malicious OLE code to files for further exploitation.
The actor registered several malicious domains focusing on political and government themes and used them to distribute malware by delivering payloads to targeted devices and systems. These malware datasets contained information of organizations operating in Afghanistan, particularly relating to diplomatic and humanitarian efforts.
More specifically, they are using malicious RTF documents and PowerShell scripts chain to send out malware to target systems and C#-based downloader binaries for sending out this malware using decoy images to mask their actual code scripts. Experts say the actions indicate that all these activities are orchestrated by one single individual. They are using the cover of a Pakistani IT firm named "Bunse Technologies."
This actor is a perfect example of individual agents using political and humanitarian fronts to ensnare victims via commodity malware. In this particular case, commodity RAT families are the attacking malware of choice for infecting targets. The RATs offer multiple function options which facilitate exerting total control over remote devices.
This process persists from the initial recon tasks to any other command executions on remote devices along with system-wide data exfiltration. RAT and similar malware bundles serve as very useful platforms for initiating attacks against targets over any network.
Moreover, these directly available features allow for prompt attack launches without needing elaborate configuration. With the use of custom file enumerator and infector modules along with immediate launch capabilities, attackers can even pursue infecting benign and trusted documents for even more widespread infection.
Prefabricated and compiled commodity malware has been growing in popularity for some time now. It offers a lot of uptime thanks to its ready-to-redeploy malware-delivering mechanisms. They also provide streamlined infection chains with fairly hard-to-detect entry points, which grants them a potentially high success rate. Organizations have to maintain a strict vulnerability coverage protocol which mainly involves ensuring all software is up-to-date to minimize gaps in device security to deter possible attacks from these highly motivated mechanisms.
A previously unknown hacker group called Harvester that seems nation-state-backed was discovered recently, and it's as well targeting South Asia in its espionage activities, with a focus on Afghanistan.