Cyberattacks and malware campaigns against India and its neighboring countries have increased sharply. Recently, security researchers at Cisco Talos uncovered a new malware campaign targeting organizations in India and Afghanistan by exploiting a 20-year-old vulnerability in Microsoft Office. Tracked as Lone Wolf, the campaign reportedly deployed a series of commodity remote access trojans (RATs) to obtain full control over the compromised endpoints.
Lone Wolf Attack Phases
The researchers observed Lone Wolf targeting entities in India and Afghanistan by leveraging malicious RTF documents that deploy a variety of commodity malware to victims. Lone Wolf campaign attacks occur in two phases:
- A reconnaissance phase that delivers a custom file enumerator and infector to the victims
- An attack phase that deploys a variety of commodity RATs, such as DcRAT and QuasarRAT, on the targeted devices
How Lone Wolf Attacks
The Lone Wolf operators were found using political and government-themed malicious domains to target the victims. They deployed the DcRAT and QuasarRAT trojans on targeted Windows systems via malicious documents by exploiting CVE-2017-11882 — a memory corruption vulnerability in Microsoft Office. They also created a Lahore-based fake IT firm called Bunse Technologies as a front to carry out their malicious activities.
The campaign also used malicious RTF documents, PowerShell scripts, and C# downloader binaries to distribute malware, while displaying decoy images to victims to appear legitimate.
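The delivery chain above starts with an RTF document carrying an embedded object that targets the Equation Editor component patched by CVE-2017-11882. The following triage check is an added example, not code from the article or from Cisco Talos: it walks the `{\object ...}` groups of an RTF file and flags any object that names the Equation Editor by ProgID ("Equation.3") or by its class id, whether in the `\objclass` control word or inside the hex-encoded `\objdata` stream. The sample RTF and its OLE-style header bytes are constructed for the demonstration.

```python
import re

# Equation Editor 3.0 class id {0002CE02-0000-0000-C000-000000000046} as the
# little-endian GUID bytes that appear in an OLE stream (assumed value, not
# quoted from the article).
EQNEDT_CLSID = bytes.fromhex("02ce020000000000c000000000000046")


def _balanced_group(text, start):
    """Return the RTF brace group that opens at text[start] == '{'."""
    depth = 0
    for i in range(start, len(text)):
        c = text[i]
        if i > start and text[i - 1] == "\\":
            continue  # escaped brace, not structural
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
    return text[start:]  # unterminated group: take what is there


def extract_objects(rtf):
    """Yield (objclass, objdata_bytes) for every {\\object ...} group."""
    for m in re.finditer(r"\{\\object\b", rtf):
        group = _balanced_group(rtf, m.start())
        cls = re.search(r"\\objclass\s+([^\\{}]+)", group)
        data = re.search(r"\\objdata\s*([0-9a-fA-F\s]+)", group)
        hexstr = "".join(data.group(1).split()) if data else ""
        hexstr = hexstr[: len(hexstr) // 2 * 2]  # drop a dangling nibble
        yield (cls.group(1).strip() if cls else "", bytes.fromhex(hexstr))


def flag_equation_objects(rtf):
    """Indices of embedded objects referencing Equation Editor 3.0."""
    hits = []
    for idx, (cls, data) in enumerate(extract_objects(rtf)):
        if ("equation.3" in cls.lower()
                or b"equation.3" in data.lower()
                or EQNEDT_CLSID in data):
            hits.append(idx)
    return hits


# Constructed sample: a benign Word object, then an object that hides the
# Equation.3 ProgID only inside the hex \objdata stream (no \objclass).
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0 Decoy text"
    r"{\object\objemb{\*\objclass Word.Document.8}{\*\objdata 0105000002000000"
    "10000000" + "Word.Document.8".encode().hex() + "00}}"
    r"{\object\objemb{\*\objdata 01050000020000000b000000"
    + "Equation.3".encode().hex() + "00}}"
    r"}"
)
```

This is a heuristic for document triage: lures that scatter control words or junk through the hex stream can evade it, so a miss is inconclusive, while a hit on a document from an untrusted sender is worth detonating in a sandbox.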
“This campaign is a classic example of an individual threat actor employing political, humanitarian, and diplomatic themes in a campaign to deliver commodity malware to victims. Commodity RAT families are increasingly being used by both crimeware and APT groups to infect their targets. These RATs are packed with multiple functionalities to achieve complete control over the victim’s endpoint — from preliminary reconnaissance capabilities to arbitrary command execution and data exfiltration. These families also act as excellent launch pads for deploying additional malware against their victims. Furthermore, these out-of-the-box features enable the attackers to make minimal configuration changes to the RATs, taking away the need for a full-fledged development cycle of custom malware by an actor,” the researchers said.
Increased Use of Commodity RATs
There has been a surge in the use of commodity RATs in recent times. Microsoft recently discovered a campaign targeting airline, cargo, and travel industries, which delivers RAT payloads via spear phishing emails.
In the past few months, Microsoft has been tracking a dynamic campaign targeting the aerospace and travel sectors with spear-phishing emails that distribute an actively developed loader, which then delivers RevengeRAT or AsyncRAT.
— Microsoft Security Intelligence (@MsftSecIntel) May 11, 2021