India’s Defence and Energy Sectors Hit with Info Stealer Malware


Indian government entities and energy sector companies recently suffered malware attacks from unknown threat actors. A modified version of the open-source information stealer HackBrowserData was used against these organizations to steal sensitive information.

Hackers used a phishing email, masquerading as an invitation letter from the Indian Air Force, to deliver the information stealer.

Researchers at Dutch cybersecurity firm EclecticIQ observed this malware campaign beginning March 7, 2024. The company has also shared its findings with Indian authorities to help them identify victims and take preventive measures.

The threat actor sent a fake invitation letter from the Indian Air Force. The PDF invitation letter was delivered inside an ISO file that also contained malware. Once the ISO is mounted, it executes the LNK file that activates the hidden malware. The malware then starts exfiltrating documents and cached web browser data from the device to Slack channels. The malware was designed to target only specific file extensions including Doc, PPT, XLS, PDF, and SQL.
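A defender can hunt for the behaviour described above by correlating endpoint telemetry: a process that is not an expected Slack client, reads several documents with the targeted extensions, and connects to Slack. The sketch below is an added example, not code from EclecticIQ or from the malware; the event tuple format, allowlist, threshold, paths and process names are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Extensions named in the article; the "x" variants (.docx etc.) are an assumption.
TARGET_EXT = re.compile(r"\.(docx?|pptx?|xlsx?|pdf|sql)$", re.IGNORECASE)
# Assumed allowlist of programs expected to reach Slack; tune per environment.
EXPECTED_SLACK_CLIENTS = {"slack.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
MIN_DOC_READS = 3  # assumed threshold so one opened document does not alert

def is_slack_host(host):
    """True for slack.com and its subdomains, not look-alikes such as notslack.com."""
    host = host.lower().rstrip(".")
    return host == "slack.com" or host.endswith(".slack.com")

def hunt(events):
    """Return (pid, image, doc_count) for unexpected processes that read
    several target documents and also connect to Slack."""
    docs, slack_pids, images = defaultdict(set), set(), {}
    for pid, image, kind, target in events:
        images[pid] = image
        if kind == "file_read" and TARGET_EXT.search(target):
            docs[pid].add(target.lower())
        elif kind == "net_connect" and is_slack_host(target):
            slack_pids.add(pid)
    hits = []
    for pid in sorted(slack_pids):
        name = PureWindowsPath(images[pid]).name.lower()
        if name not in EXPECTED_SLACK_CLIENTS and len(docs[pid]) >= MIN_DOC_READS:
            hits.append((pid, images[pid], len(docs[pid])))
    return hits

# Constructed telemetry (pid, image, event type, target); no value is from the campaign.
PAYLOAD = r"E:\placeholder_payload.exe"   # placeholder: binary run from a mounted ISO
SLACK = r"C:\Users\a\AppData\Local\slack\slack.exe"
EDITOR = r"C:\Tools\editor.exe"
SAMPLE_EVENTS = [
    (4120, PAYLOAD, "file_read", r"C:\Users\a\Documents\budget.xls"),
    (4120, PAYLOAD, "file_read", r"C:\Users\a\Documents\roster.PDF"),
    (4120, PAYLOAD, "file_read", r"C:\Users\a\Desktop\schema.sql"),
    (4120, PAYLOAD, "net_connect", "slack.com"),
    (880, SLACK, "net_connect", "files.slack.com"),
    (2200, EDITOR, "file_read", r"C:\Users\a\Documents\a.doc"),
    (2200, EDITOR, "file_read", r"C:\Users\a\Documents\b.ppt"),
    (2200, EDITOR, "file_read", r"C:\Users\a\Documents\c.sql"),
    (2200, EDITOR, "net_connect", "notslack.com"),
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

An allowlist keyed on file name alone can be defeated by renaming a binary, so a production rule should pin expected clients by code signer or full install path.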

HackBrowserData

The altered version of HackBrowserData used in this campaign has several capabilities, including browser data theft, siphoning documents, communicating over Slack, and better detection evasion.

This malware campaign was a simple but effective use of open-source tools. The attackers were smart enough to achieve their target with minimal risk of detection. So, companies should start educating their employees about cyber security threats and improve their security infrastructure to avoid such attacks in the future.
