This malware gang plants incriminating evidence on PCs, gets victims arrested

A whole different kettle of phish

For the past decade, unidentified miscreants have been planting incriminating evidence on the devices of human-rights advocates, lawyers, and academics in India seemingly to get them arrested.

That's according to SentinelOne, which has named the crew ModifiedElephant and described the group's techniques and targets since 2012 in a report published on Wednesday.

"The objective of ModifiedElephant is long-term surveillance that at times concludes with the delivery of 'evidence' – files that incriminate the target in specific crimes – prior to conveniently coordinated arrests," said Tom Hegel, threat researcher at SentinelOne, in a blog post.

Hegel said the group has operated for years without attracting the attention of the cybersecurity community because of its limited scope of operations, its regionally-specific targeting, and its relatively unsophisticated tools.

ModifiedElephant prefers phishing with malicious Microsoft Office attachments to attack targets, and infect them with Windows malware.

In 2013, its messages relied on executable file attachments with deceptive double extensions in the file name (eg filename.pdf.exe). After 2015, the group used .doc, .pps, .docx, .rar, and password protected .rar files. In 2019, its attack vector involved links to hosted malicious files, and the group is also said to have employed large .rar archives to avoid detection.

The gang was also observed throwing Android malware at victims.

There's nothing technically impressive about this threat actor, instead we marvel at their audacity

"There's something to be said about how mundane the mechanisms of this operation are," said Juan Andrés Guerrero-Saade, threat researcher at SentinelOne and adjunct professor at Johns Hopkins SAIS, via Twitter. "The malware is either custom garbage or commodity garbage. There's nothing technically impressive about this threat actor, instead we marvel at their audacity."

Activist Rona Wilson is said to have been one of those targeted by ModifiedElephant. Wilson was arrested in 2018 with eight others in the Bhima Koregaon case, a violent clash between Hindu nationalists and Dalits. A year ago, Arsenal Consulting, a US-based digital forensics firm, reported that the evidence against Wilson had been planted.

"Arsenal’s analysis in this case has revealed that Rona Wilson’s computer was compromised for just over 22 months," Arsenal Consulting said in its February 8, 2021 report. "The attacker responsible for compromising Mr. Wilson’s computer had extensive resources (including time) and it is obvious that their primary goals were surveillance and incriminating document delivery."

"Arsenal has connected the same attacker to a significant malware infrastructure which has been deployed over the course of approximately four years to not only attack and compromise Mr Wilson’s computer for 22 months, but to attack his co-defendants in the Bhima Koregaon case and defendants in other high-profile Indian cases as well."

One of the more serious pieces of evidence in this case – Ltr_1804_to_cc.pdf, which includes details of a purported assassination plot against Indian Prime Minister Narendra Modi, is said to have been placed on Wilson's computer via a NetWire RAT remote session.

Wilson's phone was also found to have NSO Group's Pegasus spyware on it. He remains in jail, awaiting trial with others arrested at the time. He has been charged under India's Unlawful Activities (Prevention) Act (UAPA), an anti-terror law that Amnesty International says, "violates several international human rights standards and circumvents fair trial guarantees."

SentinelOne does not explicitly state that ModifiedElephant acts on behalf of the Indian government but notes how the group's activities are consistent with the government's interests.

"We observe that ModifiedElephant activity aligns sharply with Indian state interests and that there is an observable correlation between ModifiedElephant attacks and the arrests of individuals in controversial, politically-charged cases," wrote Hegel.

According to the report, ModifiedElephant's web infrastructure overlaps with Operation Hangover, a surveillance effort dating back to 2013 against targets of interest to Indian national security. The security firm also said that Wilson had been targeted by a second threat group, known as SideWinder [PDF], which has attacked government, military, and private sector organizations across Asia.

Hegel observes that SentinelOne last year reported on a threat actor operating in and around Turkey, dubbed EGoManiac, that planted incriminating evidence on the devices of journalists to support arrests made by the Turkish National Police.

"Ultimately, this is research with real human cost," said Guerrero-Saade. "Defendants remain in prison, with one having passed away recently. And there are more that haven't been identified. We can only hope this brings further attention and collaboration to curb this behavior." ®

Broader topics

Other stories you might like

  • OpenSSL 3.0.5 awaits release to fix potential worse-than-Heartbleed flaw
    Though severity up for debate, and limited chips affected, broken tests hold back previous patch from distribution

    The latest version of OpenSSL v3, a widely used open-source library for secure networking using the Transport Layer Security (TLS) protocol, contains a memory corruption vulnerability that imperils x64 systems with Intel's Advanced Vector Extensions 512 (AVX512).

    OpenSSL 3.0.4 was released on June 21 to address a command-injection vulnerability (CVE-2022-2068) that was not fully addressed with a previous patch (CVE-2022-1292).

    But this release itself needs further fixing. OpenSSL 3.0.4 "is susceptible to remote memory corruption which can be triggered trivially by an attacker," according to security researcher Guido Vranken. We're imagining two devices establishing a secure connection between themselves using OpenSSL and this flaw being exploited to run arbitrary malicious code on one of them.

    Continue reading
  • India extends deadline for compliance with infosec logging rules by 90 days
    Helpfully announced extension on deadline day

    Updated India's Ministry of Electronics and Information Technology (MeitY) and the local Computer Emergency Response Team (CERT-In) have extended the deadline for compliance with the Cyber Security Directions introduced on April 28, which were due to take effect yesterday.

    The Directions require verbose logging of users' activities on VPNs and clouds, reporting of infosec incidents within six hours of detection - even for trivial things like unusual port scanning - exclusive use of Indian network time protocol servers, and many other burdensome requirements. The Directions were purported to improve the security of local organisations, and to give CERT-In information it could use to assess threats to India. Yet the Directions allowed incident reports to be sent by fax – good ol' fax – to CERT-In, which offered no evidence it operates or would build infrastructure capable of ingesting or analyzing the millions of incident reports it would be sent by compliant organizations.

    The Directions were roundly criticized by tech lobby groups that pointed out requirements such as compelling clouds to store logs of customers' activities was futile, since clouds don't log what goes on inside resources rented by their customers. VPN providers quit India and moved their servers offshore, citing the impossibility of storing user logs when their entire business model rests on not logging user activities. VPN operators going offshore means India's government is therefore less able to influence such outfits.

    Continue reading
  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading

Biting the hand that feeds IT © 1998–2022