cyble.com
URL:
https://cyble.com/blog/cyber-espionage-attack-on-the-indian-air-force-go-based-infostealer-exploits-slack-for-data...
Submission: On January 18 via api from TR — Scanned from DE
January 17, 2024

CYBER ESPIONAGE ATTACK ON THE INDIAN AIR FORCE: GO-BASED INFOSTEALER EXPLOITS SLACK FOR DATA THEFT

KEY TAKEAWAYS

* Cyble Research and Intelligence Labs (CRIL) identified a Go Stealer variant potentially targeting the Indian Air Force.
* The malware payload is distributed through a ZIP file named “SU-30_Aircraft_Procurement,” which is hosted on Oshi, an anonymous file storage service.
* In September 2023, the Indian Defense Ministry approved the procurement of 12 Su-30 MKI fighter jets as part of its ongoing defense modernization efforts.
* The Threat Actor (TA) appears to be exploiting this event to target Indian Air Force professionals.
* The infection sequence progresses from a ZIP file to an ISO file, then to a .lnk file, and finally to the deployment of the stealer payload.
* This stealer is a variant of a Go Stealer present on GitHub, extended with additional features: it targets more browsers and exfiltrates data via Slack. Unlike other stealers that target a variety of applications, this stealer focuses specifically on harvesting login credentials and cookies from four browsers.
* Attributing this campaign to a specific Threat Actor (TA) or group is challenging due to the limited information available at the moment.

OVERVIEW

CRIL has uncovered a Go Stealer possibly targeting the Indian Air Force. The malware is propagated through a ZIP file named “SU-30_Aircraft_Procurement”. The ZIP file is hosted on Oshi (hxxps://oshi[.]at/ougg), an anonymous file storage platform, and the Threat Actor (TA) could be distributing this link via spam email or similar channels.

It is worth noting that in September 2023, the Indian defense ministry approved a project to acquire 12 Su-30 MKI fighter jets. The TA seems to be leveraging this announcement as bait to target professionals within the Indian Air Force. The TA behind this attack is currently unknown due to the limited availability of information.

The attack unfolds in a sequence involving a ZIP file, an .iso file, a .lnk file, and, ultimately, the deployment of the stealer payload. The figure below shows the infection chain.

Figure 1 – Infection Chain

This stealer has been identified as a variant of a Go Stealer that is available on GitHub, and it distinguishes itself by incorporating additional functionality: an expanded set of targeted browsers and the capability to exfiltrate data via Slack. This technique is not new; it was also reported in 2021, when a suspected Iranian state-sponsored group, identified as ITG17 or ‘MuddyWater’, utilized the Slack API for covert communications.
Compared to other stealers that cast a wider net by targeting various applications such as chat platforms and cryptocurrency wallets, this stealer has a narrower focus: it is designed exclusively to steal login credentials and cookies from four specific browsers. The streamlined, targeted nature of this malware suggests a tactical approach aimed at acquiring specific sensitive information from infected systems.

TECHNICAL ANALYSIS

INITIAL INFECTION

The infection starts from the link “hxxps://oshi[.]at/ougg”, which downloads a malicious ZIP file named “SU-30_Aircraft_Procurement.zip”. Such links are usually shared over spam emails or chat platforms. The ZIP file contains an ISO file, “SU-30_Aircraft_Procurement.iso”. Once mounted, the ISO displays a shortcut file (.lnk) named “Air HQ PR Policy.lnk,” which, upon execution, triggers the following command:

    C:\Windows\System32\cmd.exe /c start /B .temp\.tmp.exe & .temp\sample.pdf

This command launches the Go stealer executable “.tmp.exe” in the background and, at the same time, opens a decoy PDF file, “sample.pdf”, presumably to divert the user’s attention. The figure below shows the decoy PDF. Although there is a discrepancy between the file name (“SU-30_Aircraft_Procurement”) and the actual content of the decoy PDF (“AIR HEADQUARTERS HUMAN RESOURCE POLICY”), the lure is clearly a deliberate attempt by the Threat Actor (TA) to target Indian Air Force personnel.

Figure 2 – Decoy PDF

STEALER PAYLOAD

The stealer payload is a 64-bit executable written in the Go programming language. Over the course of our investigation, we determined that this stealer is based on the source code of an open-source Go stealer present on GitHub. The following GitHub URL is present in the stealer binary.
Figure 3 – Go Stealer Strings

The credential stealer code available on GitHub is tailored specifically to the Firefox and Chrome browsers, with the aim of stealing login credentials and cookies. Equipped with features such as cookie extraction, the stealer writes the stolen data to a JSON file. Notably, the code lacks any provision for data exfiltration. The GitHub repository hosting this stealer is depicted in the figure below.

Figure 4 – GitHub Repository

The stealer binary used in this attack is stripped of symbols, which complicated debugging. To address this, we used GoReSym, a tool released by Mandiant. GoReSym parses Go symbol information and embedded metadata, facilitating the analysis of stripped Go binaries. The figure below shows the type names and package names dumped by GoReSym.

Figure 5 – GoReSym Output

CODE ANALYSIS

Upon execution, the stealer creates a log file named “Vujdkda.txt” in the %temp% directory of the victim’s system. It uses the os package in Go to retrieve the location of the temporary directory and then appends the filename to build the log file path. The code snippet below illustrates the creation of the file in the %temp% directory. Notably, this code is absent from the Go Stealer code available on GitHub.

Figure 6 – Creating File in the Temp Directory

The stealer then retrieves the path to the %APPDATA% directory using the os.Getenv() function, which reads the environment variable that typically holds the path to the Application Data directory on Windows. It then appends the directory names “Mozilla”, “Firefox”, “Profiles” and the filename “keys4.db” to build the complete path. Having constructed the path, the function checks whether this directory exists. It also searches for additional files that Firefox commonly uses to store sensitive data, such as “logins.json” and “cookies.sqlite”.

After locating the files, it starts extracting sensitive information, such as login credentials, from the Mozilla Firefox browser.

Figure 7 – Locating Sensitive Firefox Files

Next, the stealer converts hexadecimal-encoded strings into raw byte slices by decoding the hexadecimal representation of the data. It then performs an XOR decryption on the decoded byte slices and finally converts the decrypted byte slices to plain-text strings. The intent behind this decryption is not clear, but we suspect it is used to retrieve a list of processes to kill. The figure below shows the decryption routine.

Figure 8 – Decryption Routine

After decrypting the strings, the stealer fetches the list of running processes using the getProcessesByName() function and enters a loop in which the killProcess() function is called to terminate each process for which a match is found. Although the targeted applications are not explicitly named, we suspect that the stealer aims to terminate the browsers from which it steals data. This suspicion arises from the observation that, before targeting any Chromium-based browser, the stealer fetches the list of current processes and terminates the identified application.

Figure 9 – Terminating Process

This stealer code targets three Chromium-based browsers:

* Google Chrome
* Edge
* Brave

Instead of performing the stealing operation through a single function for all Chromium-based browsers, this variant uses three distinct functions, each designed for a specific browser. While the original stealer code on GitHub was limited to Google Chrome, this variant has been extended to reach a wider set of browsers. The figure below shows the browsers targeted by the stealer.
Figure 10 – Browsers Targeted by the Stealer

The stealer has functions such as ChromeDumpCookies and ChromeCrackCredentials that respectively fetch and decrypt all cookies or saved credentials from the Chrome browser. Finally, the stolen data is converted to JSON format for exfiltration. The figure below shows the code for stealing data from Chrome.

Figure 11 – Stealing Data from Chrome

The stealer variant has enhanced data exfiltration functionality compared to the code available on GitHub. This version leverages the Slack API to upload the stolen data to the attacker’s Slack channel. The Go code snippet in the figure below shows a function named main_Vulpx, specifically designed for uploading files to Slack using the go-slack library.

Figure 12 – Exfiltration using Slack

CONCLUSION

The identified Go Stealer, disseminated through a ZIP file named “SU-30_Aircraft_Procurement,” poses a potential threat to Indian defense personnel. The timing, which coincides with the Indian Government’s announcement of the Su-30 MKI fighter jet procurement, raises the possibility of targeted attacks or espionage. This variant of Go Stealer is distinct from its GitHub counterpart in that it introduces expanded browser targeting and data exfiltration via Slack. The choice of Slack for covert communications takes advantage of the platform’s widespread use in enterprise networks, allowing the malicious traffic to blend in with regular business traffic. Unlike conventional stealers, which cast a wider net, this malware selectively harvests login credentials and cookies from browsers. The targeted nature of the attack underscores the threat actor’s intent to gather precise and sensitive information from Indian Air Force professionals.

OUR RECOMMENDATIONS

* The initial infiltration via malicious ZIP files takes place through malicious links. It is crucial to download files only from well-known and trusted sources and to avoid opening emails from unknown senders.
* Deploy strong antivirus and anti-malware solutions to detect and remove malicious executable files.
* Enhance system security by creating strong, distinct passwords for each account and, whenever feasible, activate two-factor authentication.
* Regularly back up data to guarantee the ability to recover it in case of an infection, and keep users informed about the latest phishing and social engineering methods employed by cybercriminals.

MITRE ATT&CK® TECHNIQUES

Tactic | Technique (ID) | Description
--- | --- | ---
Initial Access (TA0001) | Phishing (T1566) | Uses malicious links to spread the ZIP archive.
Execution (TA0002) | User Execution (T1203) | User opens the malicious shortcut file.
Defense Evasion (TA0005) | Deobfuscate/Decode Files or Information (T1140) | Stealer payload consists of encrypted strings.
Defense Evasion (TA0005) | Masquerading (T1036) | Lnk file launches a decoy PDF and executes the stealer in the background.
Credential Access (TA0006) | Credentials from Password Stores: Credentials from Web Browsers (T1555.003) | Go Stealer can access browser data of Chrome, Firefox, Brave, and Edge.
Discovery (TA0007) | File and Directory Discovery (T1083) | Go Stealer can discover application files and directories.
Command and Control (TA0011) | Application Layer Protocol (T1071) | Go Stealer utilizes protocols used for web browsing.
Exfiltration (TA0010) | Exfiltration Over Web Service (T1567) | Exfiltration using Slack API.

INDICATORS OF COMPROMISE (IOCS)

Malicious URL
    URL     hxxps://oshi[.]at/ougg

Zip archive
    MD5     4a8efa83fe8cfd8c9e55da2a59210ddf
    SHA1    35fcf115aea46f66693822a5f24ef6be3e3696da
    SHA256  d8da224a59f8bb89577cd7d903e9a142197e85041fdc15c9981601351ac84cd5

Malicious ISO File
    MD5     7317ff828f94cc104e93c259025eb465
    SHA1    46bee284a2f3be9b429e014d01b5a30d0821aee9
    SHA256  4fa0e396cda9578143ad90ff03702a3b9c796c657f3bdaaf851ea79cb46b86d7

Malicious Lnk File
    MD5     b10a77609b6420cc5247897d741ab41e
    SHA1    f956660e3970f293ef44437a0234c4f5588c11f3
    SHA256  a811a2dea86dbf6ee9a288624de029be24158fa88f5a6c10acf5bf01ae159e36

Stealer Payload
    MD5     3309ec4eb3d75c9c478fdd50c678e4e8
    SHA1    cea72265caf9b4746d3d925f795e62df24ff7d61
    SHA256  dab645ecb8b2e7722b140ffe1fd59373a899f01bc5d69570d60b8b26781c64fb

YARA RULE

    rule Go_Stealer
    {
        meta:
            author = "Cyble Research and Intelligence Labs"
            description = "Detects Go Stealer Targeting Indian Air Force"
            date = "2024-01-16"
            os = "Windows"
        strings:
            $a1 = "github.com/idfp/go-stealer" fullword ascii
            $a2 = "main.Cookie" fullword ascii
            $a3 = "main.Credential" fullword ascii
            $a4 = "slack" nocase
        condition:
            uint16(0) == 0x5A4D and all of them
    }
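As an added illustration that is not part of the Cyble post, the following Python re-implements the logic of the Go_Stealer YARA rule (the little-endian MZ header check, fullword ASCII matching and nocase matching) so a file can be triaged where the YARA engine is not installed; the sample byte strings are constructed stand-ins, not the real payload.

```python
import re

# String atoms taken from the Go_Stealer YARA rule on the page.
FULLWORD_ASCII = (b"github.com/idfp/go-stealer", b"main.Cookie", b"main.Credential")
NOCASE = (b"slack",)


def _fullword_present(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': the match must not be bordered by alphanumeric bytes."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def _nocase_present(data: bytes, needle: bytes) -> bool:
    """YARA 'nocase': case-insensitive match anywhere in the data."""
    return re.search(re.escape(needle), data, re.IGNORECASE) is not None


def evaluate_go_stealer_rule(data: bytes) -> dict:
    """Evaluate each component of the rule and the overall verdict.

    Returns one boolean per condition plus 'matches', which mirrors the
    rule's condition 'uint16(0) == 0x5A4D and all of them'.
    """
    results = {}
    # uint16(0) in YARA is little-endian, so the bytes b"MZ" read as 0x5A4D.
    results["uint16(0) == 0x5A4D"] = (
        len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    )
    for needle in FULLWORD_ASCII:
        results[needle.decode()] = _fullword_present(data, needle)
    for needle in NOCASE:
        results[needle.decode()] = _nocase_present(data, needle)
    results["matches"] = all(results.values())
    return results


def scan_file(path: str) -> dict:
    """Apply the rule to a file on disk."""
    with open(path, "rb") as fh:
        return evaluate_go_stealer_rule(fh.read())


# Constructed samples (not real artifacts): a PE-like blob carrying all the
# rule's strings, one where a string is embedded in a longer identifier (which
# defeats 'fullword'), and a non-PE file that carries every string.
POSITIVE_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"\x00github.com/idfp/go-stealer\x00main.Cookie\x00main.Credential\x00"
    + b"Uploading to SLACK\x00"
)
FULLWORD_MISS_SAMPLE = POSITIVE_SAMPLE.replace(b"main.Cookie\x00", b"main.CookieJar\x00")
NON_PE_SAMPLE = b"\x7fELF" + b"slack main.Cookie main.Credential github.com/idfp/go-stealer"

if __name__ == "__main__":
    for name, blob in [("positive", POSITIVE_SAMPLE),
                       ("fullword miss", FULLWORD_MISS_SAMPLE),
                       ("non-PE", NON_PE_SAMPLE)]:
        print(name, evaluate_go_stealer_rule(blob))
```

The per-condition booleans are useful when tuning the rule: a file that satisfies every string but fails the header check, or matches "main.Cookie" only inside a longer identifier, shows up as a near miss rather than a silent non-match.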