Thursday, June 13, 2024

Operation RusticWeb Using PowerShell Commands to Exfiltrate Confidential Documents

Hackers use PowerShell commands because they provide a powerful scripting environment on Windows systems, allowing them to stealthily execute malicious scripts and commands called Operation RusticWeb. 

While besides this, the PowerShell’s capabilities make it an attractive tool for gaining:-

  • Unauthorized access
  • Performing reconnaissance
  • Executing various cyber attacks

Cybersecurity researchers at SEQRITE Labs recently identified operation RusticWeb, in which they found threat actors using PowerShell commands to exfiltrate confidential documents.

RusticWeb Using PowerShell

The operation RusticWeb tracks overlapping tactics with Pakistan-linked APT groups like-

  • APT36
  • SideCopy

While threat actors shift from compiled languages to the following languages for cross-compatibility and evasive tactics:-

  • Golang
  • Rust
  • Nim  

Golang malware examples include Windows-based Warp with Telegram bot C2 and Linux-based Ares RAT stager payload. Rust-based payloads in Operation RusticWeb use malicious shortcuts and a fake AWES domain for data exfiltration. 

Spear-phishing targets victims with an archive file named ‘IPR_2023-24,’ triggering PowerShell to download scripts from rb[.]gy domain. 

Infection Chain 1 (Source - SEQRITE Labs)
Infection Chain 1 (Source – SEQRITE Labs)

The campaign started in September, with 26.53% activity from India. Fake domain ‘awesscholarship[.]in’ mimics AWES, redirecting to the official page. 

PowerShell script sets up paths for payload downloads and uploads. Besides this, the decoy PDF file extraction triggers Rust-compiled EXE payload execution.

Another Rust-based malware does the following things:-

  • Steals files
  • Collects system info
  • Uploads via OshiUpload

New December payloads target Kailash Satyarthi Children’s Foundation, indicating a focus on Indian government officials associated with children’s foundations or societies.

In a December infection chain, maldocs were used with PowerShell scripts for enumeration and exfiltration, omitting Rust-based payloads. Two fake domains and encrypted PowerShell scripts were involved. 

Phishing maldoc initiates infection with a VBA macro containing obfuscated encrypted PowerShell commands. Similar maldocs use modified PS commands, converting numbers to ‘PoWeRSHEll’ upon document opening. 

PowerShell command decryption employs techniques akin to Emotet, with slight variations. Obfuscation uses Invoke-Obfuscation techniques to mask the IEX command trigger. 

Decrypted PowerShell commands download decoy files and next-stage script from domains, executing them in Downloads and Documents directories.

Infection Chain 2 (Source - SEQRITE Labs)
Infection Chain 2 (Source – SEQRITE Labs)

In the first scenario, the downloads occur from ‘parichay.epar[.]in,’ and in the second scenario, the fake domain mimics ‘parichay.nic[.]in,’ an Indian Government SSO platform.

Legitimate and fake Parichay domains (Source -SEQRITE Labs)
Legitimate and fake Parichay domains (Source -SEQRITE Labs)

The initial decoys pertain to the DSOP Fund form, and the Ministry of Defence presentation was the second. PowerShell script ‘Mail_check.ps1’ drops encrypted ‘syscheck.exe’ to Startup for persistence. 

Rust-based payload with PDB name ‘Aplet.pdb’ (Dec 14 timestamp). Here below, we have mentioned all 13 file types that are shortlisted:-

  • .pp
  • .pptx
  • .pdf
  • .xlsx
  • .xlsm
  • .xls
  • .xlam
  • .doc
  • .docx
  • .docm
  • .txt
  • .dot
  • .ppam

New phishing hits the Indian government, stealing secrets via Rust payloads, encrypted PowerShell, and OshiUpload.

Fake domains mimic government entities in the RusticWeb attack, possibly tied to the APT threat linked to Pakistan. As threat actors adopt Golang, Rust, and Nim, researchers urged users to stay vigilant and take all the necessary security precautions.


Latest articles

CISA Warns of Scammers Impersonating as CISA Employees

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a surge...

Microsoft Windows Ntqueryinformationtoken Flaw Let Attackers Escalate Privileges

Microsoft has disclosed a critical vulnerability identified as CVE-2024-30088.With a CVSS score of 8.8, this flaw affects Microsoft...

256,000+ Publicly Exposed Windows Servers Vulnerable to MSMQ RCE Flaw

Cybersecurity watchdog Shadowserver has identified 256,000+ publicly exposed servers vulnerable to a critical Remote...

Indian National Jailed For Hacked Servers Of Company That Fired Him

An Indian national was sentenced to two years and eight months in jail for...

JetBrains Warns of GitHub Plugin that Exposes Access Tokens

A critical vulnerability (CVE-2024-37051) in the JetBrains GitHub plugin for IntelliJ-based IDEs (2023.1 and...

Critical Flaw In Apple Ecosystems Let Attackers Gain Unauthorized Access

Hackers go for Apple due to its massive user base along with rich customers,...

Hackers Exploiting Linux SSH Services to Deploy Malware

SSH and RDP provide remote access to server machines (Linux and Windows respectively) for...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles