Cyber Espionage Attack On The Indian Air Force: Go-Based Infostealer Exploits Slack For Data Theft – Cyble

CRIL identified a Go Stealer variant potentially targeting Indian Air Force personnel, distributed via a ZIP named “SU-30_Aircraft_Procurement” hosted on Oshi. The attack chain progresses ZIP → ISO → LNK to deploy a Go-based credential stealer that exfiltrates data via Slack.

Keypoints

  • CRIL identified a Go Stealer variant potentially targeting the Indian Air Force.
  • The payload is distributed as a ZIP named “SU-30_Aircraft_Procurement” hosted on Oshi.
  • Infection chain: ZIP → ISO → .lnk (Air HQ PR Policy.lnk) → stealer executable, with a decoy PDF.
  • The stealer targets login credentials and cookies from four browsers and stores data in JSON.
  • The Go Stealer is a GitHub-based variant with extra features like broader browser targeting and Slack-based exfiltration.
  • Attribution to a specific threat actor is currently unclear; timing relates to Su-30 MKI procurement in Sept 2023.
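A defender-side illustration of the chain summarized above (executable launched from a mounted ISO via a shortcut, a decoy PDF opened alongside it, then outbound traffic to Slack from a process that is not a Slack or browser client). This is an added example, not code from Cyble or from the report; the Sysmon-style event records, the file names update.exe and decoy.pdf, the drive letter E: and the process allowlist are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed Sysmon-like events for illustration only (not from the report).
# "E:" stands in for the drive letter Windows assigns to a mounted ISO.
SAMPLE_EVENTS = [
    {"type": "proc", "ts": "2024-01-01T10:00:00", "image": r"E:\update.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": r'"E:\update.exe"'},
    {"type": "proc", "ts": "2024-01-01T10:00:02", "image": r"C:\Program Files\Reader\Reader.exe",
     "parent": r"E:\update.exe", "cmdline": r'Reader.exe "E:\decoy.pdf"'},
    {"type": "net", "ts": "2024-01-01T10:00:40", "image": r"E:\update.exe", "dest": "slack.com"},
    {"type": "net", "ts": "2024-01-01T10:05:00", "image": r"C:\Program Files\Slack\slack.exe",
     "dest": "slack.com"},
    {"type": "proc", "ts": "2024-01-01T11:00:00", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

SYSTEM_DRIVE = "C:"
# Processes for which a connection to slack.com is expected (assumed allowlist).
SLACK_ALLOWLIST = {"slack.exe", "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
DECOY_WINDOW = timedelta(seconds=60)  # decoy document opened shortly after the launch


def _drive(path):
    return path[:2].upper()


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, image) alerts for the three stages of the described chain."""
    alerts = []
    launches = []  # (timestamp, image) of executables started from a non-system volume
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "proc":
            # Stage 1: explorer.exe (a shortcut double-click) starts a binary off a mounted volume.
            if _drive(e["image"]) != SYSTEM_DRIVE and _base(e["parent"]) == "explorer.exe":
                launches.append((ts, e["image"]))
                alerts.append(("exec_from_mounted_volume", e["image"]))
            # Stage 2: that binary opens a PDF within the window, i.e. the decoy pattern.
            if ".pdf" in e["cmdline"].lower():
                for lts, limg in launches:
                    if ts - lts <= DECOY_WINDOW and _base(e["parent"]) == _base(limg):
                        alerts.append(("decoy_document_pattern", limg))
        elif e["type"] == "net":
            # Stage 3: Slack traffic from something other than a known Slack/browser client.
            if e["dest"].endswith("slack.com") and _base(e["image"]) not in SLACK_ALLOWLIST:
                alerts.append(("slack_from_unexpected_process", e["image"]))
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields three alerts, all pointing at the constructed `E:\update.exe`; the legitimate Slack client and the notepad launch from the system drive produce none.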

MITRE Techniques

  • [T1566] Phishing – “Uses malicious links to spread the ZIP archive.”
  • [T1203] User Execution – “User opens the malicious Shortcut file.”
  • [T1140] Deobfuscate/Decode Files or Information – “Stealer payload consists of encrypted strings.”
  • [T1036] Masquerading – “Lnk file launches a decoy PDF and executes the stealer in the background.”
  • [T1555] Credentials from Web Browsers – “Go Stealer can access browser data of Chrome, Firefox, Brave, and Edge.”
  • [T1083] File and Directory Discovery – “Go Stealer can discover Application files and directories.”
  • [T1071] Application Layer Protocol – “Go Stealer utilizes protocols used for web browsing.”
  • [T1567] Exfiltration Over Web Service – “Exfiltration using Slack API.”

Indicators of Compromise

  • [URL] Malicious URL – hxxps://oshi[.]at/ougg
  • [Hash] ZIP archive – 4a8efa83fe8cfd8c9e55da2a59210ddf, 35fcf115aea46f66693822a5f24ef6be3e3696da
  • [Hash] Malicious ISO file – 7317ff828f94cc104e93c259025eb465, 46bee284a2f3be9b429e014d01b5a30d0821aee9
  • [Hash] Malicious LNK file – b10a77609b6420cc5247897d741ab41e, f956660e3970f293ef44437a0234c4f5588c11f3
  • [Hash] Stealer Payload – 3309ec4eb3d75c9c478fdd50c678e4e8cea72265caf9b4746d3d925f795e62df24ff7d61, dab645ecb8b2e7722b140ffe1fd59373a899f01bc5d69570d60b8b26781c64fb
  • [File name] SU-30_Aircraft_Procurement.zip – distribution file
  • [File name] Air HQ PR Policy.lnk – decoy link
  • [File name] logins.json – browser credential store (example)
  • [File name] cookies.sqlite – browser cookie store (example)

Read more: https://cyble.com/blog/cyber-espionage-attack-on-the-indian-air-force-go-based-infostealer-exploits-slack-for-data-theft/