Unveiling the Cyber Threat Landscape: Seqrite’s Findings on APTs Targeting Indian Government Entities
In an era where digital threats loom larger than ever, Seqrite, the enterprise arm of Quick Heal Technologies Limited, has made a significant breakthrough in understanding the evolving landscape of cyber threats. Their latest research reveals a series of sophisticated cyber campaigns targeting critical Indian government entities, particularly in the defense and infrastructure sectors. These advanced persistent threats (APTs), linked to multiple Pakistan-based threat actors, mark a concerning escalation in cyber operations against India.
The Research Behind the Findings
Conducted by the APT team at Seqrite Labs—India’s largest malware analysis facility—the investigation uncovered a complex web of interconnected APT groups, including Transparent Tribe (APT36), SideCopy, and RusticWeb. The research indicates that these groups have begun sharing infrastructure, tactics, and malware components, suggesting a level of coordination that has not been previously observed among these actors. The campaigns specifically targeted vital assets such as the Indian Air Force, shipyards, and ports, highlighting a clear focus on India’s strategic infrastructure.
Key Discoveries: Shared Infrastructure and Malware
One of the most alarming findings from Seqrite’s investigation was the discovery of open directories hosting malware linked to both Transparent Tribe and SideCopy. Researchers identified a single domain that hosted payloads for both groups, targeting Windows and Linux environments. This overlap, along with shared command and control (C2) infrastructure, strongly indicates a convergence of operations among these previously distinct threat actors.
The sophistication of these campaigns is underscored by the advanced evasion techniques employed by the attackers. For instance, SideCopy utilized updated HTML Application (HTA) files, akin to those used by the SideWinder APT group, to evade detection. The group also introduced new payloads, including a tool named Cheex for document and image theft, a USB copier for exfiltrating files from attached drives, and deployments of the FileZilla application and SigThief scripts.
Novel Malware Variants and Techniques
Seqrite’s analysis revealed several novel malware variants that further complicate the threat landscape. A new .NET-based payload, dubbed Geta RAT, was identified, incorporating browser-stealing functionality from Async RAT. Another variant, Action RAT, was observed being side-loaded by charmap.exe, deviating from previously used system binaries. Additionally, Transparent Tribe was found utilizing a Golang-based downloader targeting Linux systems, fetching a final payload named DISGOMOJI, which exhibited infrastructure links to SideCopy.
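The side-loading of Action RAT by charmap.exe is worth turning into a detection, since charmap.exe is a signed Windows binary that normally loads modules only from system directories. The following is an added example (not Seqrite's code or data): a heuristic over constructed Sysmon Event ID 7 (ImageLoad) style records that flags charmap.exe loading a DLL from outside the trusted system paths or without a valid signature; the DLL name and paths are placeholders.

```python
"""Side-loading heuristic for charmap.exe (added example, not from the report).

Records below are constructed Sysmon Event ID 7 (ImageLoad) style entries,
not real telemetry; 'example_sideload.dll' is a placeholder name.
"""
from typing import Iterable

# Directories from which a legitimate charmap.exe module load is expected.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)

# Constructed sample records: one benign load, one suspicious load by
# charmap.exe, and one load by a different process (should not be flagged).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\charmap.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Windows\System32\charmap.exe",
     "ImageLoaded": r"C:\Users\Public\Documents\example_sideload.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\Public\Documents\example_sideload.dll", "Signed": "false"},
]


def is_suspicious_charmap_load(event: dict) -> bool:
    """True when charmap.exe loads a module from an untrusted path or unsigned."""
    if event.get("EventID") != 7:
        return False
    image = event.get("Image", "").lower()
    if not image.endswith("\\charmap.exe"):
        return False
    loaded = event.get("ImageLoaded", "").lower()
    from_trusted_dir = loaded.startswith(TRUSTED_DIRS)
    # Signed module from a system directory is the normal case; anything
    # else (user-writable path or unsigned module) is worth an alert.
    return (not from_trusted_dir) or event.get("Signed", "").lower() != "true"


def find_sideload_candidates(events: Iterable[dict]) -> list[str]:
    """Return the paths of modules matching the side-loading heuristic."""
    return [e["ImageLoaded"] for e in events if is_suspicious_charmap_load(e)]


if __name__ == "__main__":
    for path in find_sideload_candidates(SAMPLE_EVENTS):
        print("possible side-load via charmap.exe:", path)
```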
The APT groups also demonstrated sophisticated social engineering tactics, leveraging themes such as salary increments, naval project reports, and government documents as lures. Many of these decoys were based on publicly available documents, showcasing the attackers’ efforts to create convincing pretexts for their phishing campaigns. This convergence of tactics among these APT groups signifies a notable evolution in the cyber threat landscape facing India.
Technical Analysis and Evasion Techniques
Seqrite’s research team conducted an in-depth technical analysis of the malware used in these campaigns. They discovered that attackers were testing their stager evasion against antivirus solutions at locations in Pakistan. Concurrently, victim traffic from India, typically observed from C2 servers in Germany, was being routed over IPsec from Pakistani IP addresses, as corroborated by Team Cymru.
The reach of these campaigns was extensive, with Transparent Tribe’s Poseidon malware targeting Linux platforms using themes such as ‘Posting/Transfer under Ph-III of Rotational Transfer’ and ‘Blacklist IP Address with TLP & Dates’. The group was also observed using Crimson RAT with ‘Uttarakhand Election Result’ and ‘TDS Claim Summary’ baits, further illustrating the attackers’ strategic targeting.
Recommendations for Enhanced Cybersecurity
In light of these findings, Seqrite strongly advises organizations to implement comprehensive security measures. Key recommendations include:
- Deploying and Maintaining Up-to-Date Antivirus and Anti-Malware Solutions: Regular updates are crucial to protect against evolving threats.
- Implementing Strong Authentication Mechanisms: Multi-factor authentication can significantly reduce the risk of unauthorized access.
- Conducting Regular Security Awareness Training: Educating employees about phishing and social engineering tactics can help mitigate risks.
- Ensuring Prompt Updates of Systems and Software: Keeping systems updated is essential for closing vulnerabilities.
- Implementing Network Segmentation and the Principle of Least Privilege: These strategies can minimize the potential impact of a breach.
Seqrite’s research team has provided detailed indicators of compromise and MITRE ATT&CK mappings to aid organizations in detecting and defending against these threats. The company continues to monitor these threat actors and will provide updates as new information becomes available.
About Seqrite and Quick Heal Technologies Limited
Seqrite is a leading enterprise cybersecurity solutions provider, dedicated to simplifying cybersecurity for businesses. With a focus on comprehensive solutions powered by AI and machine learning, Seqrite protects organizations against the latest threats across devices, applications, networks, cloud, data, and identity. As the enterprise arm of Quick Heal Technologies Limited, Seqrite has established itself as a trusted partner for over 30,000 enterprises in more than 76 countries.
Quick Heal Technologies Ltd. has been at the forefront of cybersecurity for nearly three decades, developing cloud-based security solutions that effectively mitigate threats before they can cause harm. Their proprietary products, including Quick Heal Antivirus Solutions and the Quick Heal Scan Engine, are designed to meet the diverse needs of consumers, small businesses, and government establishments alike.
For comprehensive protection against emerging cyber threats, visit www.seqrite.com to learn more about Seqrite’s advanced enterprise cybersecurity solutions.
In conclusion, the findings from Seqrite’s research underscore the urgent need for heightened cybersecurity measures, particularly for critical infrastructure and government entities in India. As cyber threats continue to evolve, organizations must remain vigilant and proactive in their defense strategies to safeguard against these sophisticated attacks.