Hackers use PowerShell commands because they provide a powerful scripting environment on Windows systems, allowing them to stealthily execute malicious scripts and commands called Operation RusticWeb.
While besides this, the PowerShell’s capabilities make it an attractive tool for gaining:-
Unauthorized access
Performing reconnaissance
Executing various cyber attacks
Cybersecurity researchers at SEQRITE Labs recently identified operation RusticWeb, in which they found threat actors using PowerShell commands to exfiltrate confidential documents.
RusticWeb Using PowerShell
The operation RusticWeb tracks overlapping tactics with Pakistan-linked APT groups like-
APT36
SideCopy
While threat actors shift from compiled languages to the following languages for cross-compatibility and evasive tactics:-
Golang
Rust
Nim
Golang malware examples include Windows-based Warp with Telegram bot C2 and Linux-based Ares RAT stager payload. Rust-based payloads in Operation RusticWeb use malicious shortcuts and a fake AWES domain for data exfiltration.
Spear-phishing targets victims with an archive file named ‘IPR_2023-24,’ triggering PowerShell to download scripts from rb[.]gy domain.
Infection Chain 1 (Source – SEQRITE Labs) The campaign started in September, with 26.53% activity from India. Fake domain ‘awesscholarship[.]in’ mimics AWES, redirecting to the official page.
PowerShell script sets up paths for payload downloads and uploads. Besides this, the decoy PDF file extraction triggers Rust-compiled EXE payload execution.
Another Rust-based malware does the following things:-
Steals files
Collects system info
Uploads via OshiUpload
New December payloads target Kailash Satyarthi Children’s Foundation, indicating a focus on Indian government officials associated with children’s foundations or societies.
In a December infection chain, maldocs were used with PowerShell scripts for enumeration and exfiltration, omitting Rust-based payloads. Two fake domains and encrypted PowerShell scripts were involved.
Phishing maldoc initiates infection with a VBA macro containing obfuscated encrypted PowerShell commands. Similar maldocs use modified PS commands, converting numbers to ‘PoWeRSHEll’ upon document opening.
PowerShell command decryption employs techniques akin to Emotet, with slight variations. Obfuscation uses Invoke-Obfuscation techniques to mask the IEX command trigger.
Decrypted PowerShell commands download decoy files and next-stage script from domains, executing them in Downloads and Documents directories.
Infection Chain 2 (Source – SEQRITE Labs) In the first scenario, the downloads occur from ‘parichay.epar[.]in,’ and in the second scenario, the fake domain mimics ‘parichay.nic[.]in,’ an Indian Government SSO platform .
Legitimate and fake Parichay domains (Source -SEQRITE Labs) The initial decoys pertain to the DSOP Fund form, and the Ministry of Defence presentation was the second. PowerShell script ‘Mail_check.ps1’ drops encrypted ‘syscheck.exe’ to Startup for persistence.
Rust-based payload with PDB name ‘Aplet.pdb’ (Dec 14 timestamp). Here below, we have mentioned all 13 file types that are shortlisted:-
.pp
.pptx
.pdf
.xlsx
.xlsm
.xls
.xlam
.doc
.docx
.docm
.txt
.dot
.ppam
New phishing hits the Indian government, stealing secrets via Rust payloads, encrypted PowerShell, and OshiUpload.
Fake domains mimic government entities in the RusticWeb attack, possibly tied to the APT threat linked to Pakistan. As threat actors adopt Golang , Rust, and Nim, researchers urged users to stay vigilant and take all the necessary security precautions.
The post Operation RusticWeb Using PowerShell Commands to Exfiltrate Confidential Documents appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform .
Top News
-
Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users
Hackers are targeting, attacking, and exploiting ML models. They want to hack into these systems to steal sensitive data, interrupt services, or...
-
U.K. Hacker Linked to Notorious Scattered Spider Group Arrested in Spain
Law enforcement authorities have allegedly arrested a key member of the notorious cybercrime group called Scattered Spider. The individual, a...
-
Lừa đảo đánh cắp mã OTP tinh vi, tấn công mạng tận dụng lỗ hổng mới
Xuất hiện lừa đảo đánh cắp mã OTP tinh vi; Hacker gia tăng tốc độ tận dụng các lỗ hổng mới,... là những thông tin công nghệ trong nước nổi bật...
-
Lừa đảo mạo danh ‘nở rộ’ trên không gian mạng và ngày càng tinh vi
Dù hình thức không mới song lừa đảo mạo danh hiện vẫn đang khiến nhiều người dân tại Việt Nam và trên thế giới sập bẫy, bị chiếm đoạt tài sản.
-
Sleepy Pickle - Kỹ thuật tấn công mới nhắm vào các mô hình học máy
Sleepy Pickle là một kỹ thuật tấn công mới lạ và bí mật nhắm vào chính mô hình ML (Machine Learning) thay vì hệ thống cơ bản. {...