Researchers have uncovered a brand new espionage marketing campaign focusing on Indian authorities businesses and the nation’s power trade with a modified model of an open-source data stealer referred to as HackBrowserData that may acquire browser login credentials, cookies and historical past.

Researchers at Dutch cybersecurity firm EclecticIQ discovered the marketing campaign in early March however didn’t attribute it to a particular menace actor. According to their analysis, printed Wednesday, the hackers exfiltrated 8.81 GB of knowledge from victims. This information may help additional intrusions into the Indian authorities’s infrastructure, the analysts stated.

The data stealer was delivered to its victims by way of a phishing PDF doc disguised as an invite letter from the Indian Air Force. Researchers counsel that the unique PDF file was very possible stolen throughout a earlier intrusion and was repurposed by the attackers.

The doc itself appeared innocent however included a shortcut — a LNK file — pointing to the malware. Once executed, the malware instantly started exfiltrating paperwork and cached internet browser information from the sufferer’s system to channels on the office app Slack. The stolen data included inner paperwork, personal e mail messages and cached internet browser information.

EclecticIQ analysts dubbed this marketing campaign “Operation FlightNight” as a result of every of the attacker-operated Slack channels was named “FlightNight.”

During information exfiltration the malware is designed to focus on solely particular file extensions, reminiscent of Microsoft Office paperwork (Word, PowerPoint, Excel), PDF information, and SQL database information on sufferer units, very more likely to improve the pace of the information theft. 

The victimized authorities entities included Indian businesses answerable for digital communications, IT governance and nationwide protection. From the personal power corporations, the hackers exfiltrated monetary paperwork, private particulars of workers and particulars about drilling actions in oil and fuel.

Although the hacker group behind this marketing campaign wasn’t recognized, the similarities within the malware and the supply approach’s metadata “strongly indicate” a reference to an attack reported earlier in January when cybercriminals focused Indian Air Force officers with a credential stealer malware referred to as GoStealer.

During that marketing campaign, the delivered malware was a variant of a GoStealer, based mostly on open-source malware discovered on GitHub. It focused a wide range of browsers — Firefox, Google Chrome, Edge, and Brave — and exfiltrated information utilizing Slack.

According to EclecticIQ, each campaigns are possible the work of the identical menace actor focusing on Indian authorities entities.

“Operation FlightNight and the Go-Stealer campaign highlight a simple yet effective approach by threat actors to use open-source tools for cyber espionage,” researchers stated.

Learn more.