Poorly-executed cyber attacks from India target Pakistan

1
127

Cyber-security researchers have discovered a family of information-stealing malware targeting Pakistan that originates out of India, a leading portal reported on Friday.

Dark Reading, a comprehensive news and information portal focusing on IT security, said unlike other known cyber-espionage campaigns, this one appeared oddly rudimentary in that it used publicly available tools and basic obfuscation methods, and didn’t encrypt its command-and-control communications.

“String obfuscation using simple rotation (a shift cipher), no cryptography used in network communication, persistence achieved through the startup menu and use of existing, publicly-available tools to gather information on infected systems shows that the attackers did not go to great lengths to cover their tracks.

“On the other hand, maybe they see no need to implement stealthier techniques because the simple ways still work,” wrote Jean-Ian Boutin, a malware researcher with Eset.

The malware campaign is at least two years old and is spread via phishing emails with rigged Word and PDF files, according to Eset.

It steals sensitive information via keyloggers, screenshots, and uploading stolen documents, unencrypted.

“The decision not to use encryption is puzzling considering that adding basic encryption would be easy and provide additional stealth to the operation,” Boutin says.

According to the report, the attack uses a code-signing certificate issued in 2011 to New Delhi-based Technical and Commercial Consulting Pvt Ltd, and is designed to ensure the malware binaries could spread within the victim organisation.

The certificate had been revoked in late March 2012, but was still in use. Eset contacted VeriSign, which revoked the certificate. Eset found more than 70 binary files signed with the malicious certificate.

According to the report, among the attachments was one that appeared to be about Indian military secrets. “We do not have precise information as to which individuals or organisations were really, specifically targeted by these files but based on our investigations, it is our assumption that people and institutions in Pakistan were targeted,” Boutin says.

Nearly 80 percent of the infections are in Pakistan, according to Eset. One version of the attack exploits a known and patched Microsoft Office flaw, CVE-2012-0158. The malware executes once the victim opens a malicious Word attachment; the other method used in the attack uses PE files that appear to be Word or PDF attachments.

The report said that the attackers used NirSoft’s WebPassView and Mail PassView tools for recovering passwords in email clients and browser stores; the tools were signed by the malicious certificate.

1 COMMENT

Comments are closed.