top of page
  • Clipeus

RusticWeb Operation Likely Linked To APT36



According to a Seqrite report released on 21 December 2023, beginning in October 2023, Indian government entities, particularly those engaged in defense, have been targeted with a novel Rust-written malware.


The delivery mechanism is consistent with spear-phishing with documents and lures mimicking various Indian government agencies, especially defense-related branches. The observed attachment is a Windows shortcut file named “IPR_2023-24” disguised as a PDF.

Upon opening the malicious shortcut file, PowerShell is activated to download and execute a script from the link shortener rb[.]gy using Invoke-WebRequest. This PowerShell script establishes URL paths for subsequent stage payloads, leading to the placement of a decoy PDF file in the Documents folder. When this decoy PDF file is accessed, it initiates the extraction of an archive containing a Rust-compiled binary with the EXE extension. The Rust-compiled binary then conducts a check on basic system information and proceeds to upload logs to a counterfeit domain.


Persistence is established through the Startup directory for the final payload, which is another Rust-based malware with the objective of stealing files, collecting system information, and uploading both individual files and logs to a specified domain.


Based on victimology and TTPs overlap, the campaign has been attributed to APT36, a threat actor believed to be sponsored by the Pakistani government, primarily targeting Indian government entities.

Recent Posts

See All

AcidPour Wiper Targets Linux Devices in Ukraine

A new iteration of the AcidRain wiper malware, dubbed AcidPour, has been identified by SentinelOne's threat intelligence division, SentinelLabs. AcidRain, linked to Russian military intelligence, gain

Comments


Commenting has been turned off.

If you are interested in specifics or additional insights on the threats above or any other threat, please visit our dedicated service page or reach out to info@clipeusintelligence.com with your inquiry. We would be glad to assist you

bottom of page