Cyber Espionage Attack On The Indian Air Force: Go-Based Infostealer Exploits Slack For Data Theft – Cyble

Key Takeaways

  • Cyble Research and Intelligence Labs (CRIL) identified a Go Stealer variant potentially targeting the Indian Air Force.
  • The malware payload is distributed through a ZIP file named “SU-30_Aircraft_Procurement,” which is hosted on Oshi, an anonymous file storage.
  • In September 2023, the Indian Defense Ministry approved the procurement of 12 Su-30 MKI fighter jets as part of its ongoing defense modernization efforts.
  • The Threat Actor (TA) appears to be exploiting this event to target Indian Air Force professionals.
  • The sequence of infection in the attack involves a progression from a zip file to an ISO file, followed by a .lnk file, ultimately leading to the deployment of a stealer payload.
  • This stealer is a variant of a Go Stealer present on GitHub. However, it includes additional features like targeting more browsers and data exfiltration using Slack. Unlike other stealers that target a variety of applications, this stealer focuses specifically on harvesting login credentials and cookies from four browsers.
  • Attributing this campaign to a specific Threat Actor (TA) or group is challenging due to the limited information available at the moment.

CRIL has uncovered a Go Stealer possibly targeting the Indian Air Force. This malware is propagated through a ZIP file named “SU-30_Aircraft_Procurement”. The ZIP file is hosted on Oshi (hxxps://oshi[.]at/ougg), an anonymous file storage platform and the Threat Actor (TA) could potentially be distributing this link via spam email or similar channels.

It is worth noting that in September 2023, the Indian defense ministry approved a project to acquire 12 Su-30 MKI fighter jets. The Threat Actor (TA) seems to be leveraging this notification as a means to create bait to target professionals within the Indian Air Force. The Threat Actor (TA) behind this attack is currently unknown due to the limited availability of information. The attack unfolds in a sequence involving a ZIP file, an .iso file, a .lnk file, and, ultimately, the deployment of the stealer payload. The figure below shows the infection chain.

Figure 1 Infection Chain 1
Figure 1 – Infection Chain

This stealer has been identified as a variant of a Go Stealer that is available on GitHub, which distinguishes itself by incorporating additional functionalities. These include an expanded capacity to target multiple browsers and the capability for data exfiltration via Slack. This technique is not new, as it was also reported in 2021, when a suspected Iranian state-sponsored group, identified as ITG17 or ‘MuddyWater,’ utilized the Slack API for covert communications.

Compared to other stealers that cast a wider net by targeting various applications like chat platforms and cryptocurrency wallets, this specific stealer has a narrower, more specific focus. It is designed to exclusively pilfer login credentials and cookies from four specific browsers. The streamlined and targeted nature of this malware suggests a tactical approach aimed at acquiring specific sensitive information from the infected systems.

Technical Analysis

Initial Infection

The malware infection is orchestrated from a link “hxxps://oshi[.]at/ougg”, which downloads a malicious ZIP file named “SU-30_Aircraft_Procurement.zip”. Usually, such links are shared over spam emails or chat mediums. This ZIP file consists of an ISO file, “SU-30_Aircraft_Procurement.iso”. After being mounted, the ISO displays a shortcut file (.lnk) named “Air HQ PR Policy.lnk,” which, upon execution, triggers the following command:

  • C:WindowsSystem32cmd.exe /c start /B .temp.tmp.exe & .tempsample.pdf

This command initiates the execution of a Go stealer executable named “.tmp.exe” in the background. Concurrently, a decoy PDF file, “sample.pdf”, is displayed, presumably to divert the attention of the user. The figure below shows the decoy PDF.

Though there is a discrepancy between the file name (“SU-30_Aircraft_Procurement”) and the actual content of the decoy PDF (“AIR HEADQUARTERS HUMAN RESOURCE POLICY”), it is clear that there is a deliberate attempt by the Threat Actor (TA) to target Indian Air Force personnel.

Figure 2 Decoy PDF
Figure 2 – Decoy PDF

Stealer Payload

The stealer payload is a 64-bit executable coded in the Go programming language. Over the course of our investigations, we determined that this stealer is based on the source code of an open-source Go stealer present on GitHub. The following GitHub URL is present in the stealer binary.

Figure 3 Go Stealer Strings
Figure 3 – Go Stealer Strings

The code for the credential stealer, accessible on GitHub, is tailored specifically for Firefox and Chrome browsers with the aim of stealing login credentials and cookies. Equipped with features such as cookie extraction, the stealer generates a JSON file to store the stolen data. Notably, the code lacks any provisions for data exfiltration. The GitHub repository showcasing this stealer is depicted in the figure below.

Figure 4 GitHub Repository
Figure 4 – GitHub Repository

The stealer used in this attack didn’t replicate, complicating the debugging process. To address this, we utilized GoReSym, a tool released by Mandiant. GoReSym parses Go symbol information and embedded metadata, facilitating the analysis of stripped Go binaries. The figure below shows the type of name and package names dumped by the GoReSym.

Figure 5 GoReSym Output
Figure 5 – GoReSym Output

Code Analysis

Upon execution, the stealer generates a log file named “Vujdkda.txt” in the %temp% directory of the victim’s system. It utilizes the OS package in GoLang to retrieve the location of the temporary directory and then appends the filename to create the log file successfully. The code snippet below illustrates the process of generating a file in the %temp% directory. Notably, we observed the absence of this code in the Go Stealer code available on GitHub.

Figure 6 Creating File in the Temp Directory
Figure 6 – Creating File in the Temp Directory

The stealer then retrieves the path to the %APPDATA% directory by utilizing the OS.Getenv() function, which fetches the environment variable. This variable typically holds the path to the Application Data directory on Windows. Following this, the stealer appends the directory names “Mozilla”, “Firefox”, “Profiles”, and the filename “keys4.db” to create the complete path.

Upon constructing the path, the function checks for the existence of this directory. Furthermore, it searches for additional files that Firefox commonly employs to store sensitive data such as “logins.json” and “cookies.sqlite”. After locating the files, it starts extracting sensitive information, such as login credentials, from the Mozilla Firefox browser.

Figure 7 Locating Sensitive Firefox Files
Figure 7 – Locating Sensitive Firefox Files

Next, the stealer starts converting hexadecimal-encoded strings to raw byte slices. This involves decoding the hexadecimal representation of the data. Then, it performs an XOR decryption on the decoded byte slices. Finally, the decrypted byte slice is converted to plain text strings. The intent behind this decryption is not clear, but we suspect it is used to retrieve a list of processes to kill. The figure below shows the decryption routine.

Figure 8 Decryption Routine
Figure 8 – Decryption Routine

After decrypting the strings, it starts fetching the list of running processes using the getProcessesByName() function and the stealer payload enters a loop. Within this loop, the killProcess() function is iteratively called to terminate processes when a match is found. Although specifically targeted applications are not explicitly mentioned, we suspect that the stealer aims to terminate browsers from which it is stealing data. This suspicion arises from the observation that, before targeting any Chromium-based browser, the stealer fetches the list of current processes and proceeds to terminate the identified application.

Figure 9 Terminating Process
Figure 9 – Terminating Process

This stealer code targets three Chromium-based browsers:

  • Google Chrome
  • Edge
  • Brave

Instead of executing the stealing operation through a single function for Chromium-based browsers, this variant utilizes three distinct functions, each designed for a specific browser. While the original stealer code on GitHub was limited to targeting only Google Chrome, this variant has been upgraded to extend its reach to a wider array of browsers. The figure below shows the browsers targeted by the stealer.

Figure 10 Browsers Targeted by the Stealer
Figure 10 – Browsers Targeted by the Stealer

The stealer features functions like ChromeDumpCookies and ChromeCrackCredentials that respectively fetch and decrypt all cookies or saved credentials from the Chrome browser. Finally, the stolen data is converted to JSON format for exfiltration. The figure below shows the code for stealing data from Chrome.

Figure 11 Stealing Data from Chrome Browser
Figure 11 – Stealing Data from Chrome

The stealer variant exhibits an enhanced functionality for data exfiltration compared to the code available on GitHub. This version leverages the Slack API to upload stolen data to the attacker’s Slack channel. The provided Go code snippet introduces a function named main_Vulpx specifically designed for uploading files to Slack, leveraging the go-slack library.

Figure 12 Exfiltration using Slack
Figure 12 – Exfiltration using Slack

Conclusion

The identified Go Stealer, disseminated through a ZIP file named “SU-30_Aircraft_Procurement,” poses a potential threat to Indian Defense Personnel. It is worth noting that the timing, which coincides with the Indian Government’s announcement of the Su-30 MKI fighter jets procurement, raises questions about possible targeted attacks or espionage.

This variant of Go Stealer is distinct from its GitHub counterpart as it introduces advanced features such as expanded browser targeting and data exfiltration via Slack. The choice of Slack for covert communications takes advantage of the platform’s widespread use in enterprise networks, enabling malicious activities to seamlessly blend with regular business traffic.

Unlike conventional stealers, which cast a wider net, this malware selectively focuses on harvesting login credentials and cookies from browsers. The targeted nature of the attack underscores the threat actor’s intent to gather precise and sensitive information from Indian Air Force professionals.

Our Recommendations

  • The initial infiltration for malicious zip files takes place via malicious links. It is crucial to only download files from well-known and trusted sources and avoid opening emails from unknown senders.
  • Deploy strong antivirus and anti-malware solutions to detect and remove malicious executable files.
  • Enhance the system security by creating strong, distinct passwords for each of the accounts and, whenever feasible, activate two-factor authentication.
  • Regularly back up data to guarantee the ability to recover it in case of an infection and keep users informed about the most current phishing and social engineering methods employed by cybercriminals.

MITRE ATT&CK® Techniques

Tactic  Technique ID Technique Name
Initial Access (TA0001) Phishing(T1566) Uses malicious links to spread the ZIP archive.
Execution  (TA0002) User Execution (T1203) User opens the malicious Shortcut file
Defense Evasion (TA0005) Deobfuscate/Decode Files or Information (T1140) Stealer payload consists of encrypted strings.
Defense Evasion (TA0005) Masquerading (T1036) Lnk file launches a decoy PDF and executes the stealer in the background.
Credential Access (TA0006) Credentials from Password Stores: Credentials from web Browsers  (T1555.003) Go Stealer can access browser data of Chrome, Firefox, Brave, and Edge
Discovery (TA0007) File and Directory Discovery (T1083) Go Stealer can discover Application files and directories
Command and Control (TA0011) Application Layer Protocol (T1071) Go Stealer utilizes protocols used for web browsing.
Exfiltration (TA0010) Exfiltration Over Web Service (T1567) Exfiltration using Slack API

Indicators of Compromise (IOCs)

Indicators  Indicator Type  Details 
hxxps://oshi[.]at/ougg URL Malicious URL
4a8efa83fe8cfd8c9e55da2a59210ddf 35fcf115aea46f66693822a5f24ef6be3e3696da d8da224a59f8bb89577cd7d903e9a142197e85041fdc15c9981601351ac84cd5 MD5 SHA1 SHA256 Zip archive
7317ff828f94cc104e93c259025eb465 46bee284a2f3be9b429e014d01b5a30d0821aee9 4fa0e396cda9578143ad90ff03702a3b9c796c657f3bdaaf851ea79cb46b86d7 MD5 SHA1 SHA256 Malicious ISO File
b10a77609b6420cc5247897d741ab41e f956660e3970f293ef44437a0234c4f5588c11f3 a811a2dea86dbf6ee9a288624de029be24158fa88f5a6c10acf5bf01ae159e36 MD5 SHA1 SHA256 Malicious Lnk File
3309ec4eb3d75c9c478fdd50c678e4e8 cea72265caf9b4746d3d925f795e62df24ff7d61 dab645ecb8b2e7722b140ffe1fd59373a899f01bc5d69570d60b8b26781c64fb MD5 SHA1 SHA256 Stealer Payload

Yara Rule

rule Go_Stealer{

meta:

author = “Cyble Research and Intelligence Labs”

description = “Detects Go Stealer Targeting Indian Air Force”

date = “2024-01-16”

os = “Windows”

strings:

$a1  = “github.com/idfp/go-stealer” fullword ascii

$a2  = “main.Cookie” fullword ascii

$a3  = “main.Credential” fullword ascii

$a4  = “slack” nocase

condition:

uint16(0) == 0x5A4D and all of them

}

Source: https://cyble.com/blog/cyber-espionage-attack-on-the-indian-air-force-go-based-infostealer-exploits-slack-for-data-theft/