27th September 2021, Kathmandu
Cyberattacks and malicious campaigns are increasing in a rapid way. According to research from Cisco Talos shows a cyber-campaign, tracked as Armor Piercer, targeting the government and defense sector in India with Remote Access Trojans-NetwireRAT and WarzoneRAT. The campaign was found to be spreading malicious documents to deploy RATs and access sensitive information and data.
NetwireRAT and WarzoneRAT have a variety of capabilities, including:
- Execute arbitrary commands
- Gather system information
- Stealing credentials from browsers
- File management operations such as write, copy, read, delete files, etc.
- Keylogging
- Remote desktop
- Enumerate, terminate processes
- Credential stealing from email clients browsers
- Webcam capture
- Reverse shells
Armor Piercer’s Phishing Campaign
The campaign is active since 2020 and performing phishing attacks by tricking employees related to Kavash. Kavash is a two-factor authentication (2FA) app operated by India’s National Informatics Center (NIC), the government personals are using it to access their emails. Armor Piercer was found using hacked websites and fake domains to host their malware payloads. It used various phishing techniques to attack and compromise systems.
Armor Piercer Attack Vector
Armor Piercer operators distributed their malware payloads through different phishing techniques to the targeted employees or guides in the form of malicious Microsoft Office documents and archives. When a victim downloads the malicious document it automatically downloads a loader which deploys the final RAT payload on the targeted system.
According to Vishak Raman, Director, Security Business, Cisco India and SAARC said, ‘’ Operation Armor Piecer is a grim reminder of the vulnerabilities still existing in the security posture. For end-to-end security, the government must implement a layered defense strategy that provides security to the system for the protection of people and assets.