Operation FlightNight: Indian Government Entities and Energy Sector Targeted by Cyber Espionage Campaign

8 months ago 91
BOOK THIS SPACE FOR AD
ARTICLE AD

vulnerability-banner

Executive Summary

Beginning March 7th, 2024, EclecticIQ analysts identified an uncategorized threat actor that utilized a modified version of the open-source information stealer HackBrowserData [1] to target Indian government entities and energy sector.  

The information stealer was delivered via a phishing email, masquerading as an invitation letter from the Indian Air Force. The attacker utilized Slack channels as exfiltration points to upload confidential internal documents, private email messages, and cached web browser data after the malware's execution. EclecticIQ analysts dubbed the intrusion “Operation FlightNight” because each of the attacker-operated Slack channels was named “FlightNight”. 

Analysts identified that multiple government entities in India have been targeted, including agencies responsible for electronic communications, IT governance, and national defense. Moreover, the actor targeted private Indian energy companies, exfiltrated financial documents, personal details of employees, details about drilling activities in oil and gas. 

In total, the actor exfiltrated 8,81 GB of data, leading analysts to assess with medium confidence that the data could aid further intrusions into the Indian government's infrastructure. 

Behavioral similarities in the malware and the delivery technique's metadata strongly indicate a connection with an attack reported on January 17, 2024. [2] EclecticIQ analysts assess with high confidence that the motive behind these actions is very likely cyber espionage.  

EclecticIQ shared its findings with Indian authorities to assist in identifying the victims and helping the Incident Response process.  

Operation NightFlight_1

Figure 1 - Operation FlightNight in EclecticIQ Threat Intelligence Platform
(click on image to open in separate tab)
.

Invitation Letter Decoy Delivers Information Stealer  

The threat actor used a decoy PDF document, pretending it was an invitation letter from the Indian Air Force. This document was delivered inside an ISO file, which contained the malware in an executable form. Additionally, a shortcut file (LNK) was included to trick recipients into activating the malware. 

Operation NightFlight_2
Figure 2 – Malware infection chain in Operation FlightNight

After victims mounted the ISO file, they encountered the LNK file invitation letter (Figure 3). It appeared to be a harmless PDF document due to its misleading PDF icon. Upon executing the LNK file, victims inadvertently executed a shortcut link that activated the hidden malware [3]. The malware immediately began exfiltrating documents and cached web browser data from the victim's device to Slack channels. 

Operation NightFlight_3

Figure 3 – Machine ID metadata in shortcut file (LNK)

Figure 4 displays the decoy [3] document (Indian Air Force invitation) opened after the execution of LNK file. This strategy aims to deceive individuals into believing they are accessing a genuine document, while allowing the malware to operate covertly. EclecticIQ analysts observed the same PDF document in an attacker-controlled Slack channel where the stolen data was stored. Analysts assess with high confidence that the PDF document was very likely stolen during a previous intrusion and was repurposed by the attacker. 

Operation NightFlight_4

Figure 4Indian Air Force invitation decoy side
with information stealer payload

Figure 5 shows five different overlaps between Operation FlightNight and the Go-Stealer campaign that was previously observed by researcher ElementalX2 on January 17, 2024 [2]. This comparison highlights specific areas of overlap between the two different incidents, offering strong evidence that both campaigns are likely the work of the same threat actor targeting Indian government entities. 

Operation NightFlight_5
Figure 5 – Overlaps between new and earlier malware campaign.

Modified Version of HackBrowserData Utilized as Payload 

The open-source post exploitation tool HackBrowserData has the capability to steal browser login credentials, cookies, and history (list of the targeted web browser can be seen in Appendix A). The threat actor implemented new functionalities, such as communication through Slack channels, document stealing, and malware obfuscation for the evasion.  

Figure 6 shows code similarities between the original HackBrowserData in the GitHub repository [4] and the modified variant that is used in Operation FlightNight. The right side of the image displays the modified version of the malware executing in verbose mode. While extracting cached browser data, it encountered error messages identical to those seen in the original HackBrowserData.

Operation NightFlight_6

Figure 6 – Verbose mode in information stealer showing
code similarity with original HackBrowserData.
 

The malware creates a TXT file named Bkdqqxb.txt in the %TEMP% directory, and uses this file as a mutex to prevent multiple instances from running on the same host. This file name, along with Web Browser names are stored in an encoded format and it is decoded dynamically at the time of the malware's execution. 

Operation NightFlight_7

Figure 7 – Decoded strings in debugger. 

The cached web browser data was stored inside C:\Users\Public\results.zip file path. This file was sent to attacker-controlled Slack channels via files.upload API method [5]. 

Operation NightFlight_8

Figure 8 – ZIP file with browser data in CSV format -
the default format used by original HackBrowserData tool. 

During data exfiltration the malware is designed to target only specific file extensions, such as Microsoft Office documents (Word, PowerPoint, Excel), PDF files, and SQL database files on victim devices, very likely to increase the speed of the data theft. The malware starts to upload identified documents to Slack channels and finalize data exfiltration. Figure 9 shows network traffic during data upload to a Slack server. The threat actor uses the below structure to identify victims trough ID and username:  

Random-Victim-ID ~ File-Path-of-Stolen-Data 

Operation NightFlight_9

Figure 9 – Network traffic during data exfiltration attempt.

Gathering Victimology from FlightNight Slack Channels 

The malware code statically stores four Slack workspace and API keys for controlling the Slack bot communication. EclecticIQ analysts used that information to access the Slack channels and to dump messages containing exfiltrated data. These messages contain a list of victims, file paths of the stolen data, timestamps, and unique URLs for downloading the stolen files. 

Before sending the victim data, the malware tested connectivity over Slack workspaces via auth.test API method [6]. It will return True if successful and get further details about the attacker-operated Slack workspaces dynamically such as bot name, team ID, user ID and bot ID. 

Operation NightFlight_10

Figure 10 – URLs of the Slack workspaces and API token for bots.

Figure 11 shows the details of one example of a Slack message sent by malware. 

Operation NightFlight_11

Figure 11 – Example of the message content in
FlightNight Slack channel.

Open-Source Offensive Tools Used in Cyber Espionage  

Operation FlightNight and the Go-Stealer campaign highlight a simple yet effective approach by threat actors to use open-source tools for cyber espionage. This underscores the evolving landscape of cyber threats, wherein actors abuse widely used open-source offensive tools and platforms to achieve their objectives with minimal risk of detection and investment. Here is a breakdown of the key elements and their implications: 

Modified Open-Source Offensive Tools: By modifying open-source tools, the attackers can use existing capabilities while customizing functionalities to fit their specific needs. This approach not only saves development time and resources but also makes it harder for security measures to detect and attribute the attack.  Utilization of Slack Servers for Data Exfiltration: The actor abused Slack, a popular communication platform for businesses and teams, to steal data. By blending data exfiltration with legitimate Slack traffic, attackers effectively camouflage their activities. This choice reflects a move to exploit the trust and ubiquity of Slack in professional environments, reducing the likelihood of detection.  Reduction of Development Time and Cost: The use of open-source tools and established platforms like Slack minimizes the need for extensive development and infrastructure setup, significantly reducing the cost and time required to launch an attack. This efficiency not only makes it easier for attackers to operate but also lowers the barrier to entry for less skilled individuals to conduct attacks.  Implications for Cybersecurity: The tactics used in Operation FlightNight and the Go-Stealer campaign highlight the importance of intelligence sharing and developing strategies to counteract these evolving threats. Organizations should enhance their security posture through continuous monitoring, adopting behavior-based detection mechanisms, and educating employees about phishing attacks.

Detection & Mitigation Opportunities 

Caching of passwords and auto-completion of usernames used in web browser can be disabled from the Windows Group Policy [7]. Also, two factor authentication (2FA) would prevent unauthenticated access after a potential password exposure.  ISO mounting events can be detected by using Event ID 12 of the Microsoft-Windows-VHDMP-Operational logs or SIGMA rule “file_event_win_iso_file_recent” [8]. Windows Group Policy can be used to block any ISO mounting events in specific devices.   Enable Command-Line Process Auditing to detect LNK file executions. LNK file execution often results in the creation of a new process with a command line that includes the path to the LNK file and malware.  Repetitive or large number of outbound network traffic to unknown Slack channels should be considered a network anomaly, affected devices and users should be contained from the network to avoid further data exfiltration. 

IOCs (Indicator of compromise) 

Operation FlightNight Camping 

SHA-256 Hash: 

4455ca4e12b5ff486c466897522536ad753cd459d0eb3bfb1747ffc79a2ce5dd  69c3a92757f79a0020cf1711cda4a724633d535f75bbef2bd74e07a902831d59  0ac787366bb435c11bf55620b4ba671b710c6f8924712575a0e443abd9922e9f 

Command and Control Servers: 

solucionesgeofisicas.slack[.]com  swiftrecruiters.slack[.]com  telcomprodicci.slack[.]com  alfarabischoolgroup.slack[.]com 

GoStealer Camping 

SHA-256 Hash: 

a811a2dea86dbf6ee9a288624de029be24158fa88f5a6c10acf5bf01ae159e36  4fa0e396cda9578143ad90ff03702a3b9c796c657f3bdaaf851ea79cb46b86d7  4a287fa02f75b953e941003cf7c2603e606de3e3a51a3923731ba38eef5532ae  dab645ecb8b2e7722b140ffe1fd59373a899f01bc5d69570d60b8b26781c64fb 

Command and Control Server: 

tucker-group.slack[.]com 

MITRE TTPs

Exfiltration Over Web Service - T1567  Steal Web Session Cookie - T1539  Browser Information Discovery - T1217  Application Layer Protocol: Web Protocols - T1071.001  File and Directory Discovery - T1083  Phishing: Spearphishing Link - T1566.002  Masquerading: Masquerade File Type - T1036.008  Deobfuscate/Decode Files or Information - T1140  User Execution: Malicious File - T1204.002

Appendix A 

List of the targeted web browser:  

Google Chrome  Google Chrome Beta  Chromium  Microsoft Edge  360 Speed  QQ  Brave  Opera  OperaGX  Vivaldi  Yandex  CocCoc  Firefox  Firefox Beta  Firefox Dev  Firefox ESR  Firefox Nightly  Internet Explorer  

Structured Data

Find this and other research in our public TAXII collection for easy use in your security stack: https://cti.eclecticiq.com/taxii/discovery.

Please refer to our support page for guidance on how to access the feeds.

About EclecticIQ Intelligence & Research Team

EclecticIQ is a global provider of threat intelligence, hunting, and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence & Research Team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com.

You might also be interested in

WikiLoader Delivery Spikes in February 2024

10 Steps to Building a Comprehensive CTI Practice

Advanced Cybercriminals Rapidly Diversify Cyberattack Channels Following Public Vulnerability Disclosure

References

[1] ᴍᴏᴏɴD4ʀᴋ, “HackBrowserData.” Apr. 28, 2023. Accessed: Apr. 28, 2023. [Online]. Available: https://github.com/moonD4rk/HackBrowserData  

[2] “GoStealer: Golang-based credential stealer targets Indian Airforce Officials. | Dev | Disassemble | Debug.” Accessed: Mar. 13, 2024. [Online]. Available: https://xelemental.github.io/Golang-based-credential-stealer-targets-Indian-Airforce-Officials/  

[3] “VirusTotal - File - 64aff0e1f42f45458dcf3174b69d284d558f7dac24a902438e332e05d0d362ef.” Accessed: Mar. 15, 2024. [Online]. Available: https://www.virustotal.com/gui/file/64aff0e1f42f45458dcf3174b69d284d558f7dac24a902438e332e05d0d362ef  

[4] “HackBrowserData/browser/browser.go at ec10278f65c46a9834b4bd88ca2d1b359849feb1 · moonD4rk/HackBrowserData · GitHub.” Accessed: Mar. 19, 2024. [Online]. Available: https://github.com/moonD4rk/HackBrowserData/blob/ec10278f65c46a9834b4bd88ca2d1b359849feb1/browser/browser.go#L47  

[5] Slack, “files.upload API method,” Slack API. Accessed: Mar. 13, 2024. [Online]. Available: https://slack.com/methods/files.upload  

[6] Slack, “auth.test API method,” Slack API. Accessed: Mar. 13, 2024. [Online]. Available: https://slack.com/methods/auth.test  

[7] “Secure Web Browsers by Group Policy Chrome, Firefox, OS X, MS Edge,” Delinea. Accessed: Mar. 19, 2024. [Online]. Available: https://delinea.com/blog/securing-web-browsers-through-group-policy  

[8] “sigma/rules/windows/file/file_event/file_event_win_iso_file_recent.yml at master · SigmaHQ/sigma · GitHub.” Accessed: Mar. 19, 2024. [Online]. Available: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml  

Read Entire Article