Cyber ​​attack on Indian Air Force: Go Stealer strikes again


A sophisticated cyberespionage attack targeting the Indian Air Force has been revealed. The cyberattack on the Indian Air Force involves a variation of the popular Go Stealer, malware designed to stealthily extract sensitive information.

The malware, distributed via a ZIP file with the clever name “SU-30_Aircraft_Procurement”, takes advantage of recent defense procurement announcements, including the approval of 12 Su-30 MKI fighter jets by the Indian Ministry of Defense. Defense in September 2023.

Cyber ​​attack on Indian Air Force

Cyber ​​attack on Indian Air Force
Source: Cyblé

According to Cyble Research and Intelligence Laboratories (CRIL)THE operating mode This cyber threat unfolds through a series of carefully orchestrated steps. The attackers use an anonymous file storage platform called Oshi to host the deceptive ZIP file, disguising it as critical defense documentation. The link “hxxps://oshi(.)at/ougg” probably circulates via junk mail or other communication channels.

The infection sequence involves progressing from a ZIP file to an ISO file, followed by an .lnk file, culminating in deployment of the Go Stealer payload. Attackers are strategically exploiting the growing tension surrounding defense procurement to lure Indian Air Force professionals into unintentionally triggering the malware.

Technical analysis of the Go Stealer

Analysis of the Go Stealer
Source: Cyblé

The identified Go Stealer variant, distinct from its GitHub counterpart, has advanced features that elevate its threat level. It is coded in the Go programming language and inherits its basis from a Open source Go Stealer available on GitHub. This variant, however, introduces improvements, including an expanded scope of browser targeting and a new method of data exfiltration via Slack.

GitHub repository
Source: Cyblé

Upon execution, the thief generates a log file in the victim’s system, using GoLang tools such as GoReSym for further analysis. The malware is meticulously designed to extract login information and cookies from specific sources. internet browsersnamely Google Chrome, Edge and Brave.

Steal data from Chrome
Source: Cyblé

Targeted approach means a strategic intention to collect precise information and sensitive information of Indian Air Force professionals.

GoReSym output
Source: Cyblé

Data exfiltration and secret communications

Unlike traditional information stealers, this variant displays increased sophistication by leveraging the Slack API for secret communications. The choice of Slack as a communications channel aligns with the platform’s widespread use in enterprise networks, allowing malicious activity to blend seamlessly into regular business traffic.

Exfiltration using Slack
Source: Cyblé

THE Come on thief This variant introduces a function named “main_Vulpx” designed explicitly to upload stolen data to the attacker’s Slack channel. This evolution in tactics allows malicious actors to maintain communication and discreetly receive stolen data.

Purchase of SU-30 aircraft
Source: Indian Defense News on X

The identified Go Stealer, distributed via the deceptive ZIP file named ‘SU-30_Aircraft_Procurement’, poses a significant threat to Indian defense personnel.

The timing of the attack, which coincides with the Indian government’s announcement of the purchase of Su-30 MKI fighter jets, raises concerns about targeted attacks or espionage activities.

This variation of Go Stealer features a level of sophistication not seen in its GitHub counterpart, with extensive browser targeting capabilities and leveraging Slack for data exfiltration.

Strategic emphasis on selective breeding collect login credentials and browser cookies highlight the malicious actor’s intention to acquire precise and sensitive information from Indian Air Force professionals.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only and users take full responsibility for their reliance on it. The Cyber ​​Express assumes no responsibility for the accuracy or consequences of the use of this information.

Leave a comment