A suspected Pakistani group has started modern phishing attacks on India's sensitive infrastructures such as power, telecom and finance, according to a leading cybersecurity firm.
Pentapostagma reported that a cybersecurity consultant of Quick Heal Technologies said that a suspected Pakistani group has started a wave of sophisticated phishing attacks targeting India's crucial infrastructure such as power and telecom.
As per the security consultant, the initial intrusion chain begins with a spear-phishing email -- an email that is designed to get the user to install a virus, trojan or other malware.
Often, the emails pretend to be from government agencies, and also come attached with a fake document -- such as an IT return -- and urges the user to download and open it, reported Pentapostagma.
The firm found that the hackers would create fake websites that people working in the targeted organization would generally access.
"The email content attempts to lure the user into extracting the attached zip archive. Upon extraction, the user would see a document file which is in fact an extension spoofed LNK file which is usually seen as shortcuts," the company said.
"If the user opens the document, the LNK payload gets launched and initiates the malicious activities in the background. To ensure the user is not suspicious, a decoy document is presented to him/her," it said. LNK is a widely deployed Windows link format that is typically used as a shortcut to launch programs or executables.
"Once the LNK file is launched, it downloads the HTA payload from a compromised domain and executes it via mshta.exe. This HTA file is responsible for showing the decoy document to the user. In addition, it drops an executable of LimShell on disc and executes it."
The consultant also said most of the backdoors used in this campaign are variants of NJRat, a remote access tool (RAT) or trojan which allows the holder of the programme to control the end-user's computer.
The cybersecurity consultant found that the command and control servers were from Pakistan.
"Upon thorough analysis of the attack chain, the command-and-control (C2) server communication, and the available telemetry data, researchers at Seqrite (the security consultant) could identify some compromised websites that are being used to host the attack scripts and act as C2 servers.
"Further analysis of data accessible from some C2 servers led researchers at Seqrite to an IP address that was commonly found across different C2 servers. In fact, this IP address turned out to be the first entry in many logs, which indicated that the corresponding system is likely being used for testing the attack before launch.
Further investigation of that IP, it said, revealed that the provider of that IP address is Pakistan Telecommunication Company Limited.
"This revelation further strengthens the claim that Operation SideCopy which is operated by the Transparent Tribe group is originating in Pakistan. The report further revealed the list of targets that were identified through the analyzed C2s. These targets include Critical Infrastructure PSUs from telecom, power, and finance sectors.
"This is likely only a subset of targets since there are several other C2s being used in Operation SideCopy APT, which are probably targeting other entities," it noted.
Seqrite alerted the government authorities and are working with them to keep potential targets safe, Pentapostagma further reported.