Analysis

The cybersecurity firm SentinelOne attributed the intrusions to a group it tracks as “ModifiedElephant,” an elusive threat actor that remains operational and whose activity aligns sharply with Indian state interests.

“ModifiedElephant operates through the use of commercially available remote access trojans (RATs) and has potential ties to the commercial surveillance industry. The threat actor uses spear-phishing with malicious documents to deliver malware, such as NetWire, DarkComet, and simple keyloggers.”

The primary goal of ModifiedElephant is to facilitate long-term surveillance of targeted individuals, ultimately leading to the delivery of “evidence” on the victims’ compromised systems.

The attack chains involve infecting the targets — some of them multiple times in a single day — using spear-phishing emails themed around topics related to activism, climate change, and politics, and containing malicious Microsoft Office document attachments or links to files hosted externally that are weaponized with malware capable of taking control of victim machines.

“The phishing emails take many approaches to gain the appearance of legitimacy,” the researchers said. “This includes fake body content with a forwarding history containing long lists of recipients, original email recipient lists with many seemingly fake accounts, or simply resending their malware multiple times using new emails.”
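Added example, not code from the original analysis or from SentinelOne's report: a small mail-triage routine that flags the lure traits described above (Office attachments, links to externally hosted files, a fake forwarding history padded with a long recipient list, and the same attachment hash re-sent to one recipient within a day). The message fields, file-type lists, thresholds, addresses and hash placeholders are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds and file-type lists are assumptions for this example, not from the report.
OFFICE_EXT = (".doc", ".docm", ".xls", ".xlsm", ".rtf", ".ppt")
HOSTED_EXT = OFFICE_EXT + (".exe", ".rar", ".zip")
RECIPIENT_THRESHOLD = 10
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
FWD_RE = re.compile(r"forwarded message|original message", re.I)
LINK_RE = re.compile(r"https?://\S+")

def score_message(msg, seen):
    """Return sorted lure flags for one message; `seen` tracks (recipient, attachment hash) history."""
    flags = set()
    ts = datetime.fromisoformat(msg["date"])
    for att in msg["attachments"]:
        if att["name"].lower().endswith(OFFICE_EXT):
            flags.add("office-attachment")
        history = seen[(msg["to"], att["sha1"])]
        # Same file hash delivered again to the same person within a day: the "multiple times in a single day" pattern.
        if any(ts - prev <= timedelta(days=1) for prev in history):
            flags.add("repeat-delivery")
        history.append(ts)
    # Links to externally hosted documents or archives instead of attachments.
    if any(u.rstrip(".,)").lower().endswith(HOSTED_EXT) for u in LINK_RE.findall(msg["body"])):
        flags.add("external-file-link")
    # Fake forwarding history padded with a long recipient list to look legitimate.
    if FWD_RE.search(msg["body"]) and len(set(EMAIL_RE.findall(msg["body"]))) >= RECIPIENT_THRESHOLD:
        flags.add("long-forwarded-recipient-list")
    return sorted(flags)

def triage(messages):
    # Score in delivery order so the repeat-delivery check sees earlier mails first.
    seen = defaultdict(list)
    return {m["id"]: score_message(m, seen) for m in sorted(messages, key=lambda m: m["date"])}

# Constructed sample messages; hashes and addresses are placeholders, not real indicators.
FAKE_RECIPIENTS = " ".join(f"user{i}@example.com" for i in range(12))
SAMPLE_MAILS = [
    {"id": "m1", "date": "2020-01-10T09:00:00", "to": "activist@example.org",
     "body": "---------- Forwarded message ---------\nTo: " + FAKE_RECIPIENTS + "\nPlease read the attached climate report.",
     "attachments": [{"name": "climate_report.doc", "sha1": "PLACEHOLDER_HASH_A"}]},
    {"id": "m2", "date": "2020-01-10T14:30:00", "to": "activist@example.org",
     "body": "Resending in case you missed it.",
     "attachments": [{"name": "climate_report.doc", "sha1": "PLACEHOLDER_HASH_A"}]},
    {"id": "m3", "date": "2020-01-17T10:00:00", "to": "activist@example.org",
     "body": "Agenda for the rally is here: http://files.example.net/agenda.rtf.", "attachments": []},
    {"id": "m4", "date": "2020-01-18T11:00:00", "to": "activist@example.org",
     "body": "Notes from today's call attached.", "attachments": [{"name": "notes.pdf", "sha1": "PLACEHOLDER_HASH_B"}]},
]
```

Running `triage(SAMPLE_MAILS)` flags m1 and m2 as the resend of one Office lure within a day, m3 for its hosted-file link, and leaves the benign m4 unflagged.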

Affected Location

  • India

Mitigation

  1. Quarantine suspicious emails.
  2. Get your password security under control (e.g. 2FA).
  3. Avoid installing third-party software.
  4. Keep software patched and updated.
  5. Perform regular system backups.

IOCs

