In a recent report, cybersecurity researchers at SEQRITE Labs have identified an operation called RusticWeb, in which threat actors are using PowerShell commands to exfiltrate confidential documents. This operation has similarities to tactics used by Pakistan-linked APT groups, such as APT36 and SideCopy, but it also incorporates new languages like Golang, Rust, and Nim to evade detection. The operation primarily targets Indian government officials associated with children’s foundations or societies.
The RusticWeb operation begins with spear-phishing attacks, using an archive file named ‘IPR\_2023-24’ to trigger PowerShell to download scripts from the rb[.]gy domain. The infection chain involves the use of fake domains and encrypted PowerShell scripts. In one scenario, decoy files are downloaded from a fake domain ‘parichay.epar[.]in,’ while in another scenario, the fake domain mimics ‘parichay.nic[.]in,’ an Indian Government SSO platform. The PowerShell commands are decrypted using techniques similar to Emotet, and the decrypted commands download decoy files and next-stage scripts from domains, executing them in the Downloads and Documents directories.
The RusticWeb operation is concerning because it demonstrates the use of PowerShell commands to bypass security measures and exfiltrate sensitive information. It also highlights the need for organizations and individuals to remain vigilant and implement necessary security precautions to protect against advanced cyber attacks.