Indian government entities and the defense sector are under threat from a phishing campaign, known as Operation RusticWeb, which employs Rust-based malware for intelligence gathering. SEQRITE, an enterprise security firm, detected this activity in October 2023. The campaign involves the deployment of new Rust-based payloads and encrypted PowerShell commands to exfiltrate confidential documents. Notably, the malware uses a web-based service engine for data exfiltration instead of a dedicated command-and-control server.
The phishing campaign, named Operation RusticWeb, poses a significant risk to Indian government bodies and the defense sector. SEQRITE has identified tactical similarities between the threat actor behind this campaign and those associated with Transparent Tribe and SideCopy, both believed to have links to Pakistan. The attackers use various infection chains, including phishing emails with malicious PDF files that drop Rust-based payloads. These payloads are designed to enumerate the file system and collect system information, transmitting the data to a command-and-control server.
The malware employed in Operation RusticWeb lacks some of the advanced features found in other stealer malware, focusing primarily on file system enumeration and data exfiltration. A second infection chain, discovered in December, follows a similar multi-stage process but replaces the Rust malware with a PowerShell script. Notably, the final-stage payload is executed through a Rust executable named “Cisco AnyConnect Web Helper.” The collected information is uploaded to an anonymous public file-sharing engine.
The campaign’s potential connection to an advanced persistent threat (APT) is suggested due to similarities with various Pakistan-linked groups. This disclosure comes on the heels of Cyble uncovering a malicious Android app utilized by the DoNot Team targeting individuals in the Kashmir region of India. The DoNot group, also known as APT-C-35, Origami Elephant, and SECTOR02, is believed to have Indian origins and has a history of using Android malware for infiltration. The group’s persistent efforts to refine tools and techniques highlight the ongoing threat they pose, particularly in the sensitive Kashmir region of India.