Commercially available malware, with minimal modification, is behind attacks against the Indian government, says Cisco’s Talos security research group.
It’s a well-known fact that powerful malware can be bought on the dark web and used with relative ease. A new report from Cisco’s Talos cybersecurity research team illustrates just how dangerous out-of-the-box remote access trojan malware can be: A campaign it has dubbed “Armor Piercer” has been attacking the Indian government since December 2020.
Armor Piercer bears many of the hallmarks of an advanced persistent threat group known as APT36, or Mythic Leopard, believed to operate out of Pakistan. In particular, the report cites lures and tactics that “bear a strong resemblance” to the type used by Mythic Leopard.
On the other hand, the report also noted why a skilled APT may not be behind the Armor Piercer campaign: the malware is off the shelf. “Two commercial and commodity RAT families known as NetwireRAT (aka NetwireRC) and WarzoneRAT (aka Ave Maria)” were found to be behind the attacks against the government and military of India.
“Unlike many crimeware and APT attacks, this campaign uses relatively simple, straightforward infection chains. The attackers have not developed bespoke malware or infrastructure management scripts to carry out their attacks, but the use of pre-baked artifacts doesn’t diminish the lethality,” Talos said in its report.
RATs that can be purchased on the dark web have extensive feature sets, Talos said. Many allow total control of infected systems and provide a foothold from which additional malware can be deployed, as easily as installing packages and modules from a GUI dashboard.
As is often the case with modern malware campaigns, Armor Piercer relies on malicious Microsoft Office documents. Laced with malicious VBA macros and scripts, the document downloads a malware loader from a remote website once an unsuspecting user opens it and allows the macros to run. The loader’s final goal is to drop a RAT on the system that can maintain access, allow further penetration into the network and exfiltrate data.
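A first triage check an analyst would want for lures like these is whether an Office document carries a VBA project at all, and whether a supposedly macro-free extension (.docx, .xlsx, .pptx) is hiding one. The script below is an added example, not code from the Talos report or from the campaign: it inspects the OOXML zip container for a `vbaProject.bin` part or a VBA content-type declaration, and flags legacy OLE2 binaries (.doc/.xls) for deeper parsing. The two sample documents it builds in memory are constructed placeholders, not real malware; the `_build_ooxml` helper and the verdict dictionary layout are this example’s own.

```python
"""Triage check for Office lures that carry a VBA project.

Added example (not from the Talos report or the Armor Piercer samples).
Flags OOXML documents whose zip payload contains a VBA project, and legacy
OLE2 containers, which can also hold macros. Sample documents are built
in memory and contain no real macro code.
"""
import io
import zipfile

# Magic bytes of the legacy binary Office (Compound File / OLE2) container.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type OOXML uses to declare a VBA project part.
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
# Extensions that are not supposed to carry a macro project at all.
MACRO_FREE_EXTENSIONS = {".docx", ".xlsx", ".pptx"}


def inspect_office_file(name: str, data: bytes) -> dict:
    """Return {'format': ..., 'has_vba': ..., 'reasons': [...]} for one file."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if data.startswith(OLE2_MAGIC):
        # Legacy .doc/.xls: macro streams need an OLE parser, so route to review.
        return {"format": "ole2", "has_vba": None,
                "reasons": ["legacy OLE2 container; inspect VBA streams with an OLE parser"]}
    if not data.startswith(b"PK"):
        return {"format": "unknown", "has_vba": False, "reasons": []}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
            ctypes = zf.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
    except zipfile.BadZipFile:
        return {"format": "unknown", "has_vba": False, "reasons": ["corrupt zip container"]}
    declares_vba = VBA_CONTENT_TYPE in ctypes
    reasons = []
    if has_vba_part:
        reasons.append("vbaProject.bin part present")
    if declares_vba:
        reasons.append("[Content_Types].xml declares a VBA project")
    has_vba = has_vba_part or declares_vba
    if has_vba and ext in MACRO_FREE_EXTENSIONS:
        reasons.append(f"macro project inside a '{ext}' file (extension/content mismatch)")
    return {"format": "ooxml", "has_vba": has_vba, "reasons": reasons}


def _build_ooxml(with_vba: bool) -> bytes:
    """Constructed minimal OOXML package used only for this example."""
    ctypes = (b'<?xml version="1.0"?>'
              b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              b'<Override PartName="/word/document.xml" ContentType="application/vnd.'
              b'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    if with_vba:
        ctypes += b'<Override PartName="/word/vbaProject.bin" ContentType="' + VBA_CONTENT_TYPE + b'"/>'
    ctypes += b"</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ctypes)
        zf.writestr("word/document.xml", b"<w:document/>")
        if with_vba:
            # Placeholder bytes standing in for a real VBA project stream.
            zf.writestr("word/vbaProject.bin", b"\x01\x16\x01\x00")
    return buf.getvalue()


# Constructed sample inputs: one clean document, one carrying a macro project.
CLEAN_DOC = _build_ooxml(with_vba=False)
MACRO_DOC = _build_ooxml(with_vba=True)
LEGACY_DOC = OLE2_MAGIC + b"\x00" * 16  # constructed OLE2 header stub


if __name__ == "__main__":
    samples = [("report.docx", CLEAN_DOC), ("invoice.docm", MACRO_DOC),
               ("memo.docx", MACRO_DOC), ("old.doc", LEGACY_DOC)]
    for fname, blob in samples:
        print(fname, inspect_office_file(fname, blob))
```

The extension/content mismatch check matters because mail gateways and users both tend to trust `.docx`; a document that carries `vbaProject.bin` under that extension is worth quarantining regardless of what the macro does. OLE2 files are deliberately not declared clean here, since deciding whether they contain macros requires walking the compound-file directory, which this example does not attempt.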
The RATs used by the attackers behind Armor Piercer have extensive capabilities. NetwireRAT is able to steal credentials from browsers, execute arbitrary commands, gather system info, modify, delete and create files, enumerate and terminate processes, log keys, and more.
WarzoneRAT’s feature list, pulled from a dark web ad and reproduced in the Talos report, is extensive: it runs without depending on .NET, provides 60 FPS remote control of infected computers, a hidden remote desktop, UAC-bypass privilege escalation, webcam streaming, password recovery from browsers and mail apps, live and offline keyloggers, a reverse proxy, remote file management and more.
Ready-made RATs and other malware aren’t necessarily the sign of a lazy, inexperienced or small-time operation. “Ready-made artifacts such as commodity or cracked RATs and mailers allow the attackers to rapidly operationalize new campaigns while focusing on their key tactic: tricking victims into infecting themselves,” Talos said.
It’s unknown if this particular attack is likely to move outside of India, or if similar tactics are being used elsewhere in the world (I reached out to Talos but didn’t get a response by publication time). The threat of out-of-the-box malware remains, regardless of where an organization is located: It’s easily available, relatively cheap and if it’s good enough to worm its way into a government computer system it’s probably able to do the same thing to yours.