A sophisticated cyber espionage attack targeting the Indian Air Force has come to light. The cyberattack on the Indian Air Force involves a variant of the notorious Go Stealer, a malicious software designed to stealthily extract sensitive information.
The malware, distributed through a cunningly named ZIP file, “SU-30_Aircraft_Procurement,” takes advantage of recent defense procurement announcements, notably the approval of 12 Su-30 MKI fighter jets by the Indian Defense Ministry in September 2023.
Cyberattack on the Indian Air Force
According to Cyble Research and Intelligence Labs (CRIL), the modus operandi of this cyber threat unfolds through a series of carefully orchestrated steps. The attackers employ an anonymous file storage platform called Oshi to host the deceptive ZIP file, disguising it as critical defense documentation. The link, “hxxps://oshi[.]at/ougg,” likely circulates through spam emails or other communication channels.
The sequence of infection involves the progression from a ZIP file to an ISO file, followed by a .lnk file, culminating in the deployment of the Go Stealer payload. The attackers strategically exploit the mounting tension surrounding defense procurement to lure Indian Air Force professionals into unwittingly triggering the malware.
Technical Analysis of the Go Stealer
The identified Go Stealer variant, distinct from its GitHub counterpart, boasts advanced features that elevate its threat level. It is coded in the Go programming language and inherits its base from an open-source Go Stealer available on GitHub. This variant, however, introduces enhancements, including an expanded scope for browser targeting and a novel method of data exfiltration through Slack.
Upon execution, the stealer generates a log file in the victim’s system, utilizing GoLang tools such as GoReSym for in-depth analysis. The malware is meticulously designed to extract login credentials and cookies from specific internet browsers, namely Google Chrome, Edge, and Brave.
The targeted approach signifies a strategic intent to gather precise and sensitive information from Indian Air Force professionals.
Data Exfiltration and Covert Communications
Unlike conventional information stealers, this variant displays a heightened sophistication by leveraging the Slack API for covert communications. The choice of Slack as a communication channel aligns with the platform’s widespread use in enterprise networks, enabling malicious activities to seamlessly blend with regular business traffic.
The Go Stealer variant introduces a function named “main_Vulpx” designed explicitly for uploading stolen data to the attacker’s Slack channel. This evolution in tactics allows threat actors to maintain communication and receive pilfered data discreetly.
The identified Go Stealer, disseminated through the deceptive ZIP file named “SU-30_Aircraft_Procurement,” poses a large threat to Indian Defense Personnel.
The timing of the attack, coinciding with the Indian Government’s announcement of the Su-30 MKI fighter jets procurement, raises concerns about targeted attacks or espionage activities.
This variant of Go Stealer showcases a level of sophistication not observed in its GitHub counterpart, featuring expanded browser targeting capabilities and leveraging Slack for data exfiltration.
The strategic focus on selectively harvesting login credentials and cookies from browsers highlights the threat actor’s intent to acquire precise and sensitive information from Indian Air Force professionals.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
