Cisco Talos recently discovered a threat actor that uses political and government themed tactics to target entities in India and Afghanistan.
The attacks were recognised to target Windows devices through malicious documents, exploiting a certain memory corruption vulnerability present in Microsoft Office, codenamed CVE-2017-11882.
“We assess with high confidence that the threat actor behind these attacks is an individual operating under the guise of a Pakistani IT firm called ‘Bunse Technologies’,” said the Talos Report.
Talos said that the actor appeared to be a lone wolf, meaning the actor worked alone and wasn’t in the pursuit of money. They used a Crimeware campaign (to establish initial footholds into high-value operations, potentially for future operations or for monetary gain.
The malicious campaign was observed to consist of two phases, a reconnaissance phase that tracks and numbers the file it wants to infect, and an attack phase that deploys a variety of RAT (remote access trojans).
These RATs are known to be packed with multiple functionalities with the aim of achieving complete control on the end-point of the victim.
As mentioned, they are capable of preliminary reconnaissance, arbitrary command execution along with data exfiltration.
Talos added that these families of RAT also acted as perfect launch pads for deploying additional malware.
The threat actor also does not need to know the development cycle to create custom malware, as these malware have out-of-the-box features which need minimal configuration changes.
The report added that the module in question indicated an intent to proliferate deeper and get access to trusted documents, aiming for a greater degree of infection.
The malware allegedly tries to steal login data from famous browsers such as Google Chrome, Opera, Opera GX, Microsoft Edge, Mozilla Firefox and Yandex Browser.