Researchers have uncovered a highly sophisticated cyber-espionage campaign called 'Operation RusticWeb'. The operation targets personnel within the Indian government in order to steal confidential documents. According to a new report published on Wednesday by Seqrite, the enterprise arm of global cybersecurity solutions provider Quick Heal, the campaign was first detected in October 2023 and uses Rust-based malware and encrypted PowerShell commands to exfiltrate confidential documents.
The researchers said, "The campaign is initiated with a phishing campaign, targeting government personnel. Threat actors have exploited both compromised and fake domains to host malicious payloads and decoy files, ranging from IPR forms to fake domains mimicking prestigious organisations like the Army Welfare Education Society (AWES)."
They further added, "The decoy files, designed to lure victims into the malicious web, include forms related to Defence Services Officers Provident Fund and presentations on initiatives with the Ministry of Defence."
The hackers further exfiltrate sensitive documents via a web-based service engine, adding a layer of sophistication to their cyber-espionage tactics.
- The first observed infection chain relied heavily on Rust-based payloads, with a malicious shortcut file triggering an elaborate sequence that led to the exfiltration of sensitive data.
- The second infection chain, observed in December 2023, deployed maldocs using encrypted PowerShell commands, showcasing the threat actors' versatility and adaptability, as per the report.
The final payload of the cyber-espionage campaign is Rust-based malware that operates as a data stealer. The researchers further state that this malware not only steals files but also collects system information, giving the attackers an extensive reconnaissance capability.
The threat actors employ an anonymous public file-sharing engine, OshiUpload, for data exfiltration, avoiding the conventional use of dedicated command-and-control servers.
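The two traits the report describes, encrypted PowerShell launched from a document or shortcut and exfiltration to a public file-sharing service instead of a dedicated C2 server, are both visible in ordinary endpoint and proxy telemetry. The script below is an added example written for this article, not code from Seqrite or from the campaign; it decodes `-EncodedCommand` invocations and flags uploads to a denylist of file-sharing hosts. The log format, the host names and the sample log lines are constructed placeholders, and a real deployment would populate the denylist from its own threat intelligence.

```python
"""Added example (not from the Seqrite report or this article): triage of
constructed endpoint and proxy log lines for the two tradecraft traits the
article describes.  All hosts, paths and log lines here are placeholders."""
import base64
import re
from dataclasses import dataclass

# Placeholder denylist of anonymous file-sharing hosts (constructed names,
# not the campaign's infrastructure); populate from your own threat intel.
FILE_SHARING_HOSTS = {"upload.file-share.example", "anon-drop.example"}

# Parents from which PowerShell rarely has a legitimate reason to spawn.
# A shortcut double-clicked from the desktop runs with explorer.exe as parent,
# an Office maldoc with the Office binary as parent.
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "explorer.exe"}

# PowerShell accepts -EncodedCommand and its unambiguous prefixes (-e, -ec, -enc).
ENCODED_FLAG = re.compile(
    r"(?i)\s-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})"
)

@dataclass
class Finding:
    rule: str
    detail: str

def decode_encoded_command(cmdline):
    """Return the script behind a `powershell -EncodedCommand` argument, or None.

    -EncodedCommand carries Base64 of UTF-16LE text, so both layers are undone.
    Malformed Base64 or odd-length byte strings are treated as 'not encoded'.
    """
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def check_process_event(parent, image, cmdline):
    """Rules over one process-creation event (parent image, image, command line)."""
    findings = []
    if not image.lower().endswith("powershell.exe"):
        return findings
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append(Finding("encoded_powershell", decoded.strip()))
    if parent.lower() in DOCUMENT_PARENTS:
        findings.append(Finding("powershell_from_document_or_shortcut", f"parent={parent}"))
    return findings

def check_proxy_event(method, host, bytes_out):
    """Flag outbound uploads to a denylisted file-sharing host."""
    if method.upper() in {"POST", "PUT"} and host.lower() in FILE_SHARING_HOSTS:
        return [Finding("upload_to_file_sharing", f"{host} {bytes_out} bytes out")]
    return []

# Constructed sample telemetry in a simple pipe-delimited form:
#   PROCESS|<parent image>|<image path>|<command line>
#   PROXY|<method>|<host>|<bytes sent>
# The encoded command below is the harmless `Get-Date`, used only to show decoding.
CONSTRUCTED_LOG = """\
PROCESS|explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -nop -w hidden -enc RwBlAHQALQBEAGEAdABlAA==
PROCESS|services.exe|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
PROXY|GET|intranet.example|512
PROXY|POST|upload.file-share.example|1843200
"""

def triage(log_text):
    """Run every rule over the log text and return the list of findings in order."""
    findings = []
    for line in log_text.splitlines():
        kind, *fields = line.split("|")
        if kind == "PROCESS":
            parent, image, cmdline = fields
            findings.extend(check_process_event(parent, image, cmdline))
        elif kind == "PROXY":
            method, host, bytes_out = fields
            findings.extend(check_proxy_event(method, host, int(bytes_out)))
    return findings

if __name__ == "__main__":
    for f in triage(CONSTRUCTED_LOG):
        print(f"[{f.rule}] {f.detail}")
```

Decoding the encoded argument rather than merely flagging its presence matters for triage: legitimate management tooling also uses `-EncodedCommand`, so the analyst needs the plaintext to decide. The proxy rule is deliberately narrow (a POST or PUT to a known host); in practice it is paired with volume baselining, since the article's point is that the uploads go to a service the organisation already allows rather than to an obviously malicious server.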
Inputs from IANS