Cisco Talos recently discovered a malicious campaign targeting government employees and military personnel in India with two commercial and commodity RAT families known as NetwireRAT (aka NetwireRC) and WarzoneRAT (aka Ave Maria).
In a recent blog post, Cisco Talos has published its findings on how Armor Piercer distributes malicious documents to deliver Remote Access Trojans (RATs) and gain access to highly confidential information related to government and defence agencies.
The lures used in this campaign are predominantly around operational documents pertaining to “Kavach”, a two-factor authentication (2FA) app operated by India’s National Informatics Centre (NIC) and used by government employees to access their emails. It utilizes compromised websites and fake domains to host malicious payloads, another tactic similar to Transparent Tribe.
The earliest instance of this campaign was observed in December 2020, utilizing malicious MS Office documents, known as maldocs, disguised as security advisories, meeting schedules, software installation guides, etc.
As with all advanced threats that are rapidly becoming more sophisticated, this campaign was found to be using multiple techniques and evolved to obfuscate itself and remain in the victim’s environment, evading standard detection techniques – it continues to operate even today.
Armour Piercer illustrates another instance of a highly motivated threat actor using a set of RAT families to infect their victims. These RATs are packed with many out-of-the-box features to gain complete control over the infected systems. The use of RATs makes it challenging to track down the threat actors behind it. In addition, since July 2021, Talos researchers have observed the deployment of file enumerators alongside RATs, indicating that the attackers are expanding their arsenal to target their victims.
This is just one example of the rapidly expanding threat landscape that is simultaneously becoming far more complex. In response, every company across sectors is rethinking their cybersecurity posture.
Commenting on how organizations can strengthen their threat detection and response, Vishak Raman, Director, Security Business, Cisco India and SAARC, shares, “Operation Armor Piercer is a grim reminder of the vulnerabilities still existing in our cybersecurity posture. To ensure end-to-end security of India’s most precious assets and information, government and defence agencies must implement a layered defence strategy that enables comprehensive visibility and coverage across all endpoints, accelerates response by leveraging automation and orchestration to enrich data, and reduces massive data sets into actionable insights through AI/ML and data analytics. Essentially, security must not be bolted on, rather built into every system and process to ensure infallible protection of people and assets.”
Cisco Talos’ blog on the threat campaign Armor Piercer as well as the Necessary Indicators of Compromise (IOCs) are available here.
Next Steps: Remediating ‘Armor Piercer’
This campaign has been ongoing since the end of 2020 and continues to operate today. Use of RATs makes it difficult to attribute and to track down threat actors behind it. Since July 2021, Talos researchers have observed deployment of file enumerators alongside RATs. This indicates that the attackers are expanding their arsenal to target their victims: defence and government personnel in India.
How to protect your organization from such threat campaigns?
There is no ‘one solution’ to defend against modern cyber threats. Layered defence with the following characteristics helps to apply a highly effective cyber defence strategy.
Long Term Steps
- Expand visibility – Comprehensive coverage across attack surface – Endpoint, Email, Web, Network, Cloud, Data & Apps is necessary
- Reduce data – Apply AI/ML analytics to reduce massive data sets to actionable insights
- Accelerate response – Utilize automation and orchestration to enrich data, apply context across threat defence tools, avoiding siloes.
Tactical Steps (Short Term)
- Continuous monitoring using an EDR – Prevent, Detect and Respond to threats using suitable Endpoint Detection and Response tools. Utilize Managed EDR and Threat Hunting services to augment for skillset gaps inhouse. Choose to use automated actions to contain threats as and when discovered using relevant playbooks.
- Email Security – Email is the no.1 threat vector to-date; an attack vector most threat campaigns use for spear-phishing its victims and to deliver malicious payloads. Utilize an email security solution agnostic to mail delivery solutions combined with advanced threat and phishing protection capabilities.
- Use an Adaptive MFA to protect email accounts from account compromise/takeover. Extend this capability across enterprise to enable zero trust access control across organizations application footprint.
- DNS & Web Security – All things on the Internet starts with Recursive DNS; The first layer of defence for cyber security attacks. Cascade DNS Security capability with Web Security to prevent access to CnC call-backs, Phishing and Malware domains, scanning for malicious downloads etc. Monitor shadow IT usage and scan for malware in clouds beyond on-prem DC.
- Security Analytics and Network Detection & Response – Detect insider threats using ML-based behaviour anomaly detection tools. Identify and contain zero-day threats and malware in encrypted payloads missed by other layered defence tools
- XDR – Too many alerts and alarms leads to alert fatigue. Choose a right XDR tool that integrates well with above security control points seamlessly, delivering visibility, threat investigation and automated response from a unified platform.