Posted on July 15, 2022 at 7:13 PM
The tension between Pakistan and India has spilled online after Pakistani hackers infiltrated the Indian YouTube news channel Tines8 during its live stream. During the incident, a Pakistani flag appeared on the channel, with tickers reading ‘Respect Holy Prophet (PBUH)’ running across the live stream.
This comes as Muslims across Asia were protesting blasphemous remarks about the Holy Prophet Muhammad attributed to an official of India’s ruling party, the BJP. The situation has further strained the two countries’ diplomatic ties.
More than 20 countries have since called in their Indian ambassadors, with the party going into damage control and suspending the official from its ranks.
Al-Qaeda’s branch in the Indian Subcontinent (AQIS) has also responded to the derogatory remarks, threatening to carry out suicide bombings in Indian states. In response to the threat, New Delhi has tightened security following intelligence that AQIS could attack the capital, Mumbai, Gujarat, and Uttar Pradesh.
Pakistani And Indian Hackers In Cyber Face-Off
Pakistani and Indian hackers have been involved in a series of face-offs in recent times. The advanced persistent threat (APT) group called Transparent Tribe has been blamed for an ongoing phishing campaign that targets students at various learning institutions in India. Reports revealed that the campaign started in December 2021.
Security researchers at Cisco Talos stated that the APT’s new campaign could be actively expanding its network of victims to include civilian users.
The APT group has also been tracked under different pseudonyms, including Mythic Leopard, PROJECTM, Operation C-Major, and APT36. Cisco Talos revealed that the group is suspected to be based in Pakistan and has been attacking think tanks and government agencies in Afghanistan and India using custom malware such as CapraRAT, ObliqueRAT, and CrimsonRAT.
The APT Group Is Shifting Focus To Other Targets
However, the group’s recent targeting of students and educational institutions shows that it has been deviating from its usual targets and exploring other areas. The new targeting was first discovered by India-based K7 Labs in May 2022.
“The latest targeting of the educational sector may align with the strategic goals of espionage of the nation-state,” the researchers stated. They added that the group now regularly targets individuals at technical research institutes and universities to maintain long-term access and steal data related to ongoing research projects.
Cisco Talos also documented the threat group’s attack chains and found that it delivers a malicious document (maldoc) to targeted systems either through a link or as an email attachment. Delivery is via spear-phishing mail, which can result in the deployment of CrimsonRAT.
The researchers added that the APT relies heavily on social engineering to achieve its aims, deceiving victims into infecting their own systems.
The group designs its emails to look exactly like those of major legitimate organisations the targets may be familiar with, and crafts content that appears important and urgent so the target acts as the group intends. Once the target opens the attachment or clicks the link, the malware is introduced onto the device. This malware is designed to evade security checks, so the system can be infected without the user knowing.
CrimsonRAT, also called Scarimson and SEEDOOR, is the group’s primary implant for establishing long-term access to the victim’s network. The malware can remain hidden for several months while stealing data and sending it to the attackers’ command-and-control (C2) server.
The Malware Comes With Remote Control Capability
The researchers also pointed out that the malware has a modular architecture that allows the threat actors to remotely control the affected device or system. It has several other capabilities, including capturing screenshots, recording keystrokes, stealing browser credentials, and executing arbitrary commands.
To make the decoy documents seem genuine, several of them are hosted on education-themed domains registered from June of last year onward. As might be expected, the infrastructure is run and operated by a Pakistani web hosting provider known as Zain Hosting.
The researchers stated that it is not clear what role Zain Hosting plays in the Transparent Tribe APT group’s operations. It could be one of several third parties the group uses to carry out its activities. It is also not clear to what extent the domain has been involved in the group’s activities.
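The delivery chain described above (a spear-phishing mail with a maldoc attachment, the document spawning a child process, and decoy infrastructure on recently registered education-themed domains) can be turned into a simple correlation rule over mail, endpoint and domain-age telemetry. The following is an added example for defenders, not code from Cisco Talos or the article; the event records, domain creation dates, keyword list and the 30-minute window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (mail gateway, EDR process events, DNS); not real data.
EVENTS = [
    {"ts": "2022-05-10T09:00:00", "type": "mail", "host": "ws-17",
     "sender_domain": "example-edu-results.org", "attachment": "Scholarship_List.docm"},
    {"ts": "2022-05-10T09:04:00", "type": "process", "host": "ws-17",
     "parent": "WINWORD.EXE", "image": "cmd.exe"},
    {"ts": "2022-05-10T09:04:30", "type": "dns", "host": "ws-17",
     "domain": "example-edu-results.org"},
    {"ts": "2022-05-10T11:00:00", "type": "mail", "host": "ws-03",
     "sender_domain": "vendor.example", "attachment": "invoice.pdf"},
]

# Constructed registration dates; in practice these come from WHOIS/RDAP lookups.
DOMAIN_CREATED = {"example-edu-results.org": "2021-06-20", "vendor.example": "2015-01-01"}

EDU_KEYWORDS = ("edu", "university", "college", "scholar", "exam", "result")
MACRO_EXTENSIONS = (".docm", ".xlsm", ".doc", ".xls")
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}


def domain_suspicious(domain, now, max_age_days=365):
    """Young (registered within max_age_days) AND education-themed sender domain."""
    created = datetime.fromisoformat(DOMAIN_CREATED.get(domain, "1970-01-01"))
    young = now - created < timedelta(days=max_age_days)
    themed = any(k in domain.lower() for k in EDU_KEYWORDS)
    return young and themed


def find_maldoc_chains(events, window_minutes=30):
    """Return alerts for hosts where a macro-capable attachment from a suspicious
    sender domain is followed, within the window, by an Office app spawning a child."""
    alerts = []
    for m in events:
        if m["type"] != "mail" or not m["attachment"].lower().endswith(MACRO_EXTENSIONS):
            continue
        t0 = datetime.fromisoformat(m["ts"])
        if not domain_suspicious(m["sender_domain"], t0):
            continue
        for e in events:
            if e["type"] != "process" or e["host"] != m["host"]:
                continue
            t = datetime.fromisoformat(e["ts"])
            if e["parent"] in OFFICE_PARENTS and t0 <= t <= t0 + timedelta(minutes=window_minutes):
                alerts.append({"host": m["host"], "attachment": m["attachment"],
                               "domain": m["sender_domain"], "child": e["image"]})
    return alerts
```

Running `find_maldoc_chains(EVENTS)` flags only ws-17; the PDF invoice on ws-03 from a long-registered, non-education domain produces no alert.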