Researchers found ‘Operation RusticWeb’, a cyber-espionage campaign targeting Indian government employees to obtain critical papers. Phishing relied on compromised and phony sites to host malicious payloads and decoy files. The attackers used a web-based file-sharing service engine to exfiltrate confidential documents, showing their agility.
‘Operation RusticWeb’ is a sophisticated cyber-espionage effort discovered by researchers. The operation targets Indian government employees in order to steal classified documents. Seqrite, the enterprise arm of global cybersecurity solutions provider Quick Heal, reported on Wednesday that the campaign was first detected in October 2023 using Rust-based malware and encrypted PowerShell commands to exfiltrate confidential documents.
Researchers said, “A government employee-targeted phishing attack begins. Threat actors have used compromised and false domains to host malicious payloads and decoy files, including IPR forms and phony websites imitating respectable organizations like the Army Welfare Education Society.”
They stated, “The decoy files, meant to lead users into the malicious web, include Defence Services Officers Provident Fund forms and Ministry of Defence presentations.”
At a more sophisticated level, the hackers use a web-based service engine to steal sensitive material.
The first infection chain uses Rust-based payloads: a malicious shortcut file starts an extensive sequence that ends in the theft of sensitive data.
The second infection chain, identified in December 2023, disseminated maldocs via encrypted PowerShell instructions, demonstrating the threat actors' agility, the researchers said.
The cyber-espionage campaign ends with Rust-based data-stealing malware. The researchers say this sophisticated malware steals files and collects system information, enabling extended reconnaissance.
Instead of command-and-control servers, the threat actors use OshiUpload, an anonymous public file-sharing engine, to exfiltrate data.
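The two behaviours the preceding paragraphs describe (a shortcut file that launches PowerShell, and exfiltration over a public file-sharing service rather than a command-and-control server) can each be turned into a simple detection over endpoint and proxy telemetry. The following Python script is an added example, not code from the Seqrite report or from this article; the log format, hostnames, base64 string, timestamps and process names in it are constructed, and treating the report's "encrypted PowerShell commands" as encoded command lines in process-creation telemetry is an assumption made for the example.

```python
"""Defender-side detection sketch for RusticWeb-style tradecraft.

Checked against constructed log lines:
  1. PowerShell spawned with an encoded or hidden-window command line, directly
     by explorer.exe (as a double-clicked shortcut file would do), and
  2. an HTTP upload (POST/PUT) from a scripting host to a public file-sharing
     service used in place of a command-and-control server.
All hostnames, paths, timestamps and log formats below are constructed.
"""
import re

# Constructed placeholder list of unsanctioned public file-sharing hosts.
# Populate from your own threat intelligence; these names are not real.
FILE_SHARING_HOSTS = {"upload.filesharing-example.test", "paste.filesharing-example.test"}

# Hosts that should rarely be the process behind an upload to a file-sharing site.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Encoded-command and hidden-window switches as they appear on a PowerShell command line.
ENCODED_SWITCH = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")
HIDDEN_SWITCH = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden")

# Constructed proxy log format:
# "<ts> <client> <method> <host> <path> <status> <bytes_out> <process>"
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<bytes_out>\d+) (?P<process>.+)$"
)


def _basename(path: str) -> str:
    """Last path component of a Windows-style path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def flag_process_event(event: dict) -> list[str]:
    """Reasons a process-creation event resembles the shortcut -> PowerShell stage."""
    reasons = []
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    if image in {"powershell.exe", "pwsh.exe"}:
        if ENCODED_SWITCH.search(cmdline):
            reasons.append("powershell launched with an encoded command")
        if HIDDEN_SWITCH.search(cmdline):
            reasons.append("powershell launched with a hidden window")
        if parent == "explorer.exe":
            # Heuristic: explorer.exe as direct parent is what a double-clicked .lnk produces.
            reasons.append("powershell spawned directly by explorer.exe")
    return reasons


def flag_proxy_line(line: str, min_bytes: int = 50_000) -> list[str]:
    """Reasons a proxy record resembles exfiltration to a public file-sharing service."""
    m = PROXY_LINE.match(line.strip())
    if not m:
        return []
    reasons = []
    host = m["host"].lower()
    proc = _basename(m["process"])
    if m["method"] in {"POST", "PUT"} and host in FILE_SHARING_HOSTS:
        reasons.append(f"upload to public file-sharing host {host}")
        if proc in SCRIPT_HOSTS:
            reasons.append(f"upload performed by scripting host {proc}")
        if int(m["bytes_out"]) >= min_bytes:
            reasons.append(f"large outbound body ({m['bytes_out']} bytes)")
    return reasons


# Constructed sample telemetry. The base64 blob is arbitrary filler, not a real payload.
SAMPLE_PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc QQBCAEMARABFAEYARwBIAEkASgBLAEwATQBOAE8AUAA=",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]
SAMPLE_PROXY_LINES = [
    r"2023-12-05T10:14:03Z 10.20.30.40 POST upload.filesharing-example.test /api/upload 200 184320 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"2023-12-05T10:15:11Z 10.20.30.41 GET www.example.test /index.html 200 0 C:\Program Files\Browser\browser.exe",
]


def run_detection(events=SAMPLE_PROCESS_EVENTS, proxy_lines=SAMPLE_PROXY_LINES):
    """Return (source, reasons) findings for every record that triggered a rule."""
    findings = []
    for ev in events:
        reasons = flag_process_event(ev)
        if reasons:
            findings.append(("process", reasons))
    for line in proxy_lines:
        reasons = flag_proxy_line(line)
        if reasons:
            findings.append(("proxy", reasons))
    return findings


if __name__ == "__main__":
    for source, reasons in run_detection():
        print(source, "->", "; ".join(reasons))
```

Either rule alone produces noise (administrators use encoded commands; browsers upload to file-sharing sites), so the value is in correlating the two on the same host within a short window, which is why each function returns its reasons rather than a single boolean.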
Conclusion
Researchers found ‘Operation RusticWeb’, a sophisticated cyber-espionage campaign targeting Indian government employees to obtain critical papers. The campaign, which uses Rust-based malware and encrypted PowerShell commands, began in October 2023. It hosted malware payloads and decoy files on compromised and false domains, including Defence Services Officers Provident Fund and Ministry of Defence forms. Hackers used a web-based service engine to steal sensitive data. The malware took files and collected system data, showing the threat actors’ adaptability.