March 27, 2024 at 12:21PM
Indian government entities and energy companies were targeted by unknown threat actors using a modified version of the HackBrowserData malware, exfiltrating sensitive information through Slack. The operation, codenamed FlightNight, impacted multiple government entities and harvested 8.81 GB of data, including confidential documents and financial records. The attackers repurposed legitimate tools and infrastructure to reduce detection risks.
Based on the meeting notes, the key takeaways are:
1. Cyber Espionage and Data Breach: Indian government entities and energy companies were targeted by unknown threat actors using a modified version of an open-source information stealer malware called HackBrowserData, with exfiltration of sensitive information occurring through the use of Slack as a command-and-control (C2).
2. Campaign Details: The campaign, codenamed Operation FlightNight, utilized Slack channels for exfiltrating confidential internal documents, private email messages, and cached web browser data after the malware’s execution. The targets included multiple government entities in India, as well as private energy companies. Approximately 8.81 GB of data was exfiltrated during the campaign.
3. Attack Chain: The attack chain involved the delivery of a phishing message containing an ISO file (“invite.iso”), which contained a Windows shortcut triggering the execution of a hidden binary (“scholar.exe”) within the mounted optical disk image. Simultaneously, a lure PDF file was displayed to the victim as a decoy, while the malware harvested documents and cached web browser data and transmitted them to an actor-controlled Slack channel named FlightNight.
4. Tool Utilization: The malware, an altered version of HackBrowserData, incorporated capabilities to siphon documents, communicate over Slack, and evade detection using obfuscation techniques. The threat actor utilized freely available offensive tools and repurposed legitimate infrastructure such as Slack to reduce time, development costs, and fly under the radar.
5. Implications: The use of open-source offensive tools and platforms by threat actors highlights the evolving landscape of cyber threats, allowing them to achieve their objectives with minimal risk of detection and investment.
Please let me know if there is anything else you would like to add or if you need further details regarding the meeting notes.