Indian government network attacked with an out-of-the-box malicious Trojan purchased from the dark web

It is well known that powerful malware can be purchased on the dark web and used with relative ease. A new report from Cisco's Talos cybersecurity research team illustrates the extent of the danger of out-of-the-box remote access Trojan malware: a campaign called Armor Piercer has been attacking the Indian government since December 2020.

Armor Piercer has many of the characteristics of the Advanced Persistent Threat (APT) group known as APT36 or Mythic Leopard, which is believed to operate out of Pakistan. In particular, the report cites decoys and tactics that are "very similar" to the type used by Mythic Leopard.

On the other hand, the report says the RAT discovered gives the impression that the Armor Piercer campaign may not be a skilled APT attack: "Two commercial RAT families, known as NetwireRAT (aka NetwireRC) and WarzoneRAT (aka Ave Maria)" were found to be behind attacks on the Indian government and military.

"Unlike many crimeware and APT attacks, the campaign uses a relatively simple, straightforward infection chain. The attackers did not develop custom malware or infrastructure management scripts to execute their attacks, but the dark web-purchased RATs used did not reduce the lethality." Talos said in his report.

Talos said RAT that can be purchased on the dark web have a broad feature set, many of which allow full control of infected systems and the ability to establish footholds to deploy additional malware as easily as deploying packages and modules from a GUI dashboard.

As with modern malware campaigns, the Armor Piercer campaign uses a malicious Microsoft Office document for infection. The document comes with malicious VBA macros and scripts, and once opened by an unsuspecting user, it downloads malware loaders from a remote site. The ultimate goal of the installer is to place a RAT on the system, which can maintain access, allowing further infiltration into the network and theft of data.

The RAT used by the attackers behind Armor Piercer has a wide range of capabilities.

The NetwireRAT was able to steal credentials from browsers, execute arbitrary commands, collect system information, modify, delete and create files, enumerate and terminate processes, log keys, and more.

WarzoneRAT is exemplified by its impressive overview of features from Dark Web ads, which can be found in the Talos report linked above. NET-independent, it provides 60FPS remote control of infected computers, hidden remote desktops, UAC bypass elevation of privileges, webcam transfer from infected computers, password recovery from browser and mail applications, live and offline keyloggers, reverse proxies, remote file management, and more.

Off-the-shelf RATs and other malware are not necessarily a sign of laziness, inexperience or a short time to operate. "Off-the-shelf products, such as commodity or cracked RATs and email programs, allow attackers to quickly implement new campaigns while focusing on their key tactic: luring victims to infect themselves." Talos said.

It is not known if this particular attack may be moving outside of India, or if similar tactics are being used elsewhere in the world. The threat of out-of-the-box malware remains, no matter where the organization is located: it's easily available, relatively cheap, and if it's good enough to worm its way into government computer systems, it's likely to do the same thing to yours.