URL: https://cyble.com/blog/cyber-espionage-attack-on-the-indian-air-force-go-based-infostealer-exploits-slack-for-data...
January 17, 2024



CYBER ESPIONAGE ATTACK ON THE INDIAN AIR FORCE: GO-BASED INFOSTEALER EXPLOITS
SLACK FOR DATA THEFT


KEY TAKEAWAYS

 * Cyble Research and Intelligence Labs (CRIL) identified a Go Stealer variant
   potentially targeting the Indian Air Force.
 * The malware payload is distributed through a ZIP file named
   “SU-30_Aircraft_Procurement,” which is hosted on Oshi, an anonymous file
   storage service.
 * In September 2023, the Indian Defense Ministry approved the procurement of 12
   Su-30 MKI fighter jets as part of its ongoing defense modernization efforts.
 * The Threat Actor (TA) appears to be exploiting this event to target Indian
   Air Force professionals.
 * The sequence of infection in the attack involves a progression from a zip
   file to an ISO file, followed by a .lnk file, ultimately leading to the
   deployment of a stealer payload.
 * This stealer is a variant of a Go Stealer present on GitHub. However, it
   includes additional features like targeting more browsers and data
   exfiltration using Slack. Unlike other stealers that target a variety of
   applications, this stealer focuses specifically on harvesting login
   credentials and cookies from four browsers.
 * Attributing this campaign to a specific Threat Actor (TA) or group is
   challenging due to the limited information available at the moment.


OVERVIEW

CRIL has uncovered a Go Stealer possibly targeting the Indian Air Force. This
malware is propagated through a ZIP file named “SU-30_Aircraft_Procurement”. The
ZIP file is hosted on Oshi (hxxps://oshi[.]at/ougg), an anonymous file storage
platform, and the Threat Actor (TA) could potentially be distributing this link
via spam email or similar channels.

It is worth noting that in September 2023, the Indian defense ministry approved
a project to acquire 12 Su-30 MKI fighter jets. The Threat Actor (TA) seems to
be leveraging this notification as a means to create bait to target
professionals within the Indian Air Force. The Threat Actor (TA) behind this
attack is currently unknown due to the limited availability of information. The
attack unfolds in a sequence involving a ZIP file, an .iso file, a .lnk file,
and, ultimately, the deployment of the stealer payload. The figure below shows
the infection chain.

Figure 1 – Infection Chain






This stealer has been identified as a variant of a Go Stealer that is available
on GitHub, which distinguishes itself by incorporating additional
functionalities. These include an expanded capacity to target multiple browsers
and the capability for data exfiltration via Slack. This technique is not new,
as it was also reported in 2021, when a suspected Iranian state-sponsored group,
identified as ITG17 or ‘MuddyWater,’ utilized the Slack API for covert
communications.

Compared to other stealers that cast a wider net by targeting various
applications like chat platforms and cryptocurrency wallets, this specific
stealer has a narrower, more specific focus. It is designed to exclusively
pilfer login credentials and cookies from four specific browsers. The
streamlined and targeted nature of this malware suggests a tactical approach
aimed at acquiring specific sensitive information from the infected systems.


TECHNICAL ANALYSIS


INITIAL INFECTION

The malware infection begins from the link “hxxps://oshi[.]at/ougg”, which
downloads a malicious ZIP file named “SU-30_Aircraft_Procurement.zip”. Such
links are usually shared over spam emails or chat platforms. The ZIP file
contains an ISO file, “SU-30_Aircraft_Procurement.iso”. Once mounted, the ISO
presents a shortcut file (.lnk) named “Air HQ PR Policy.lnk,” which, upon
execution, triggers the following command:

 * C:\Windows\System32\cmd.exe /c start /B .temp\.tmp.exe & .temp\sample.pdf

This command initiates the execution of a Go stealer executable named “.tmp.exe”
in the background. Concurrently, a decoy PDF file, “sample.pdf”, is displayed,
presumably to divert the attention of the user. The figure below shows the decoy
PDF.

Though there is a discrepancy between the file name
(“SU-30_Aircraft_Procurement”) and the actual content of the decoy PDF (“AIR
HEADQUARTERS HUMAN RESOURCE POLICY”), it is clear that there is a deliberate
attempt by the Threat Actor (TA) to target Indian Air Force personnel.

Figure 2 – Decoy PDF




STEALER PAYLOAD

The stealer payload is a 64-bit executable coded in the Go programming language.
Over the course of our investigations, we determined that this stealer is based
on the source code of an open-source Go stealer present on GitHub. The following
GitHub URL is present in the stealer binary.

Figure 3 – Go Stealer Strings



The code for the credential stealer, accessible on GitHub, is tailored
specifically for Firefox and Chrome browsers with the aim of stealing login
credentials and cookies. Equipped with features such as cookie extraction, the
stealer generates a JSON file to store the stolen data. Notably, the code lacks
any provisions for data exfiltration. The GitHub repository showcasing this
stealer is depicted in the figure below.

Figure 4 – GitHub Repository



The stealer binary used in this attack is stripped, which complicates
debugging. To address this, we utilized GoReSym, a tool released by Mandiant.
GoReSym parses Go symbol information and embedded metadata, facilitating the
analysis of stripped Go binaries. The figure below shows the type names and
package names dumped by GoReSym.

Figure 5 – GoReSym Output




CODE ANALYSIS

Upon execution, the stealer generates a log file named “Vujdkda.txt” in the
%temp% directory of the victim’s system. It uses Go’s os package to retrieve
the location of the temporary directory and then appends the filename to
create the log file. The code snippet below illustrates the process of
generating a file in the %temp% directory. Notably, this code is absent from
the Go Stealer code available on GitHub.

Figure 6 – Creating File in the Temp Directory



The stealer then retrieves the path to the %APPDATA% directory by calling
os.Getenv(), which reads the APPDATA environment variable. This variable
typically holds the path to the Application Data directory on Windows. The
stealer then appends the directory names “Mozilla”, “Firefox”, “Profiles”, and
the filename “keys4.db” to build the complete path.

After constructing the path, the function checks whether this directory exists.
It also searches for the other files Firefox commonly uses to store sensitive
data, such as “logins.json” and “cookies.sqlite”. Once the files are located, it
begins extracting sensitive information, such as login credentials, from the
Mozilla Firefox browser.

Figure 7 – Locating Sensitive Firefox Files



Next, the stealer starts converting hexadecimal-encoded strings to raw byte
slices. This involves decoding the hexadecimal representation of the data. Then,
it performs an XOR decryption on the decoded byte slices. Finally, the decrypted
byte slice is converted to plain text strings. The intent behind this decryption
is not clear, but we suspect it is used to retrieve a list of processes to kill.
The figure below shows the decryption routine.
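The routine described above (hex string to byte slice, XOR with a key, bytes to text) is the kind of helper an analyst writes to recover a sample's string table. The Go program below is an added example, not code from the post or from the sample: the key "k3y", the forward encoder and the browser process names in the table are all constructed for illustration, since the write-up does not give the sample's key or decoded strings. It decodes a whole table with one key and reports the index of the first entry that fails, which makes a wrong key guess or a mis-extracted entry visible.

```go
package main

import (
	"encoding/hex"
	"fmt"
)

// xorDecodeHex reverses the two-step string obfuscation described in the
// analysis: hex-decode the string to a byte slice, XOR it with a repeating
// key, and return the result as text.
func xorDecodeHex(encoded string, key []byte) (string, error) {
	if len(key) == 0 {
		return "", fmt.Errorf("xor key must not be empty")
	}
	raw, err := hex.DecodeString(encoded)
	if err != nil {
		return "", fmt.Errorf("not a hex string %q: %w", encoded, err)
	}
	out := make([]byte, len(raw))
	for i, b := range raw {
		out[i] = b ^ key[i%len(key)]
	}
	return string(out), nil
}

// xorEncodeHex is the forward direction; it exists only to build the
// constructed sample table below so the example runs offline.
func xorEncodeHex(plain string, key []byte) string {
	buf := []byte(plain)
	for i := range buf {
		buf[i] ^= key[i%len(key)]
	}
	return hex.EncodeToString(buf)
}

// DecodeStringTable decodes a whole table of obfuscated strings with one key.
// It stops at the first entry that is not valid hex and reports its index, so
// a wrong key or a mis-extracted entry is visible rather than silently
// producing garbage.
func DecodeStringTable(table []string, key []byte) ([]string, error) {
	out := make([]string, 0, len(table))
	for i, enc := range table {
		s, err := xorDecodeHex(enc, key)
		if err != nil {
			return out, fmt.Errorf("entry %d: %w", i, err)
		}
		out = append(out, s)
	}
	return out, nil
}

func main() {
	// Assumed key: the real sample's key is not given in the write-up.
	key := []byte("k3y")
	// Constructed sample: browser process names, matching the write-up's
	// suspicion that the decrypted list names processes to terminate.
	table := []string{
		xorEncodeHex("chrome.exe", key),
		xorEncodeHex("msedge.exe", key),
		xorEncodeHex("brave.exe", key),
		xorEncodeHex("firefox.exe", key),
	}
	decoded, err := DecodeStringTable(table, key)
	if err != nil {
		fmt.Println("decode failed:", err)
		return
	}
	for i, s := range decoded {
		fmt.Printf("%s -> %s\n", table[i], s)
	}
}
```

In practice the key and the encoded table are lifted from the binary (GoReSym's output helps locate the decryption function); the decoder itself does not change.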

Figure 8 – Decryption Routine



After decrypting the strings, it starts fetching the list of running processes
using the getProcessesByName() function and the stealer payload enters a loop.
Within this loop, the killProcess() function is iteratively called to terminate
processes when a match is found. Although specifically targeted applications are
not explicitly mentioned, we suspect that the stealer aims to terminate browsers
from which it is stealing data. This suspicion arises from the observation that,
before targeting any Chromium-based browser, the stealer fetches the list of
current processes and proceeds to terminate the identified application.

Figure 9 – Terminating Process



This stealer code targets three Chromium-based browsers:

 * Google Chrome
 * Edge
 * Brave

Instead of executing the stealing operation through a single function for
Chromium-based browsers, this variant utilizes three distinct functions, each
designed for a specific browser. While the original stealer code on GitHub was
limited to targeting only Google Chrome, this variant has been upgraded to
extend its reach to a wider array of browsers. The figure below shows the
browsers targeted by the stealer.

Figure 10 – Browsers Targeted by the Stealer



The stealer features functions like ChromeDumpCookies and ChromeCrackCredentials
that respectively fetch and decrypt all cookies or saved credentials from the
Chrome browser. Finally, the stolen data is converted to JSON format for
exfiltration. The figure below shows the code for stealing data from Chrome.

Figure 11 – Stealing Data from Chrome



The stealer variant exhibits an enhanced functionality for data exfiltration
compared to the code available on GitHub. This version leverages the Slack API
to upload stolen data to the attacker’s Slack channel. The provided Go code
snippet introduces a function named main_Vulpx specifically designed for
uploading files to Slack, leveraging the go-slack library.

Figure 12 – Exfiltration using Slack




CONCLUSION

The identified Go Stealer, disseminated through a ZIP file named
“SU-30_Aircraft_Procurement,” poses a potential threat to Indian Defense
Personnel. It is worth noting that the timing, which coincides with the Indian
Government’s announcement of the Su-30 MKI fighter jets procurement, raises
questions about possible targeted attacks or espionage.

This variant of Go Stealer is distinct from its GitHub counterpart as it
introduces advanced features such as expanded browser targeting and data
exfiltration via Slack. The choice of Slack for covert communications takes
advantage of the platform’s widespread use in enterprise networks, enabling
malicious activities to seamlessly blend with regular business traffic.

Unlike conventional stealers, which cast a wider net, this malware selectively
focuses on harvesting login credentials and cookies from browsers. The targeted
nature of the attack underscores the threat actor’s intent to gather precise and
sensitive information from Indian Air Force professionals.


OUR RECOMMENDATIONS

 * The initial infection with malicious ZIP files takes place via malicious
   links. It is crucial to download files only from well-known and trusted
   sources and to avoid opening emails from unknown senders.
 * Deploy strong antivirus and anti-malware solutions to detect and remove
   malicious executable files.
 * Enhance system security by creating strong, distinct passwords for each
   account and, whenever feasible, activate two-factor authentication.
 * Regularly back up data to guarantee the ability to recover it in case of an
   infection, and keep users informed about the most current phishing and
   social engineering methods employed by cybercriminals.


MITRE ATT&CK® TECHNIQUES

Tactic | Technique (ID) | Details
Initial Access (TA0001) | Phishing (T1566) | Uses malicious links to spread the ZIP archive.
Execution (TA0002) | User Execution (T1203) | User opens the malicious shortcut file.
Defense Evasion (TA0005) | Deobfuscate/Decode Files or Information (T1140) | Stealer payload consists of encrypted strings.
Defense Evasion (TA0005) | Masquerading (T1036) | LNK file launches a decoy PDF and executes the stealer in the background.
Credential Access (TA0006) | Credentials from Password Stores: Credentials from Web Browsers (T1555.003) | Go Stealer can access browser data of Chrome, Firefox, Brave, and Edge.
Discovery (TA0007) | File and Directory Discovery (T1083) | Go Stealer can discover application files and directories.
Command and Control (TA0011) | Application Layer Protocol (T1071) | Go Stealer utilizes protocols used for web browsing.
Exfiltration (TA0010) | Exfiltration Over Web Service (T1567) | Exfiltration using Slack API.
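The behaviours in this table (the shortcut's cmd.exe command line from the Initial Infection section, the Vujdkda.txt log file from the Code Analysis section, and the Slack upload from the exfiltration section) each leave telemetry a defender can match on. The Go program below is an added example, not code from the post or from Cyble: the Event schema, the allow-list of images expected to talk to Slack, and the four sample events are constructed for illustration. It runs three simple rules over the sample telemetry and reports which events match.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a simplified telemetry record constructed for this example. The
// field names are an assumption for illustration, not any vendor's schema.
type Event struct {
	Kind        string // "process", "file" or "network"
	Image       string // process that performed the action
	CommandLine string // process events only
	Path        string // file events: path written; network events: URL path
	Host        string // network events: destination host
}

// Finding names the rule that matched and the evidence it matched on.
type Finding struct {
	Rule     string
	Evidence string
}

// decoyLaunch matches the shortcut behaviour from the analysis: cmd.exe runs
// "start /B" on an executable and opens a PDF in the same command line.
func decoyLaunch(e Event) bool {
	if e.Kind != "process" {
		return false
	}
	cl := strings.ToLower(e.CommandLine)
	return strings.Contains(cl, "cmd.exe") &&
		strings.Contains(cl, "start /b") &&
		strings.Contains(cl, ".exe") &&
		strings.Contains(cl, "&") &&
		strings.Contains(cl, ".pdf")
}

// tempLogDrop matches the stealer's log file, Vujdkda.txt, being created in
// the user's %temp% directory.
func tempLogDrop(e Event) bool {
	if e.Kind != "file" {
		return false
	}
	p := strings.ToLower(strings.ReplaceAll(e.Path, "/", `\`))
	return strings.Contains(p, `\appdata\local\temp\`) &&
		strings.HasSuffix(p, `\vujdkda.txt`)
}

// slackAllowed lists images expected to call the Slack API; it is an
// assumption to be tuned per environment.
var slackAllowed = map[string]bool{
	"slack.exe": true, "chrome.exe": true, "msedge.exe": true,
	"firefox.exe": true, "brave.exe": true,
}

// slackUploadFromUnexpectedProcess matches a Slack files.upload call issued
// by a process that is neither a browser nor the Slack client.
func slackUploadFromUnexpectedProcess(e Event) bool {
	if e.Kind != "network" {
		return false
	}
	host := strings.ToLower(e.Host)
	if host != "slack.com" && !strings.HasSuffix(host, ".slack.com") {
		return false
	}
	if !strings.HasPrefix(strings.ToLower(e.Path), "/api/files.upload") {
		return false
	}
	img := strings.ToLower(e.Image)
	if i := strings.LastIndexAny(img, `\/`); i >= 0 {
		img = img[i+1:]
	}
	return !slackAllowed[img]
}

// Evaluate runs every rule over every event and returns matches in event order.
func Evaluate(events []Event) []Finding {
	var out []Finding
	for _, e := range events {
		switch {
		case decoyLaunch(e):
			out = append(out, Finding{"decoy-lnk-launch", e.CommandLine})
		case tempLogDrop(e):
			out = append(out, Finding{"stealer-temp-log", e.Path})
		case slackUploadFromUnexpectedProcess(e):
			out = append(out, Finding{"slack-upload-unexpected-image", e.Image + " -> " + e.Host + e.Path})
		}
	}
	return out
}

// SampleEvents is constructed telemetry mirroring the chain in the write-up:
// the shortcut's command line, the log file in %temp%, an upload to Slack by
// the stealer, and a benign upload by the real Slack client.
var SampleEvents = []Event{
	{Kind: "process", Image: `C:\Windows\System32\cmd.exe`,
		CommandLine: `C:\Windows\System32\cmd.exe /c start /B .temp\.tmp.exe & .temp\sample.pdf`},
	{Kind: "file", Image: `E:\.temp\.tmp.exe`,
		Path: `C:\Users\analyst\AppData\Local\Temp\Vujdkda.txt`},
	{Kind: "network", Image: `E:\.temp\.tmp.exe`, Host: "slack.com", Path: "/api/files.upload"},
	{Kind: "network", Image: `C:\Program Files\Slack\slack.exe`, Host: "slack.com", Path: "/api/files.upload"},
}

func main() {
	for _, f := range Evaluate(SampleEvents) {
		fmt.Printf("%-30s %s\n", f.Rule, f.Evidence)
	}
}
```

The Slack rule is the one worth keeping even after the sample's file names change: the post's point is that Slack traffic blends into normal enterprise traffic, so the useful signal is not the destination but which process is doing the uploading.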


INDICATORS OF COMPROMISE (IOCS)

Indicator | Indicator Type | Details
hxxps://oshi[.]at/ougg | URL | Malicious URL
4a8efa83fe8cfd8c9e55da2a59210ddf | MD5 | Zip archive
35fcf115aea46f66693822a5f24ef6be3e3696da | SHA1 | Zip archive
d8da224a59f8bb89577cd7d903e9a142197e85041fdc15c9981601351ac84cd5 | SHA256 | Zip archive
7317ff828f94cc104e93c259025eb465 | MD5 | Malicious ISO file
46bee284a2f3be9b429e014d01b5a30d0821aee9 | SHA1 | Malicious ISO file
4fa0e396cda9578143ad90ff03702a3b9c796c657f3bdaaf851ea79cb46b86d7 | SHA256 | Malicious ISO file
b10a77609b6420cc5247897d741ab41e | MD5 | Malicious LNK file
f956660e3970f293ef44437a0234c4f5588c11f3 | SHA1 | Malicious LNK file
a811a2dea86dbf6ee9a288624de029be24158fa88f5a6c10acf5bf01ae159e36 | SHA256 | Malicious LNK file
3309ec4eb3d75c9c478fdd50c678e4e8 | MD5 | Stealer payload
cea72265caf9b4746d3d925f795e62df24ff7d61 | SHA1 | Stealer payload
dab645ecb8b2e7722b140ffe1fd59373a899f01bc5d69570d60b8b26781c64fb | SHA256 | Stealer payload


YARA RULE

rule Go_Stealer
{
    meta:
        author = "Cyble Research and Intelligence Labs"
        description = "Detects Go Stealer Targeting Indian Air Force"
        date = "2024-01-16"
        os = "Windows"

    strings:
        // Path of the open-source project the sample is built from
        $a1 = "github.com/idfp/go-stealer" fullword ascii
        // Type names left in the binary (see the GoReSym output above)
        $a2 = "main.Cookie" fullword ascii
        $a3 = "main.Credential" fullword ascii
        // Exfiltration via the Slack API
        $a4 = "slack" nocase

    condition:
        // MZ header (PE file) and every string present
        uint16(0) == 0x5A4D and all of them
}







