Skip to content Skip to footer

Indian Government Entities and Energy Companies Targeted by HackBrowserData Malware via Slack Command-and-Control (C2)

In a startling revelation, it has come to light that Indian government entities and energy companies have fallen prey to the nefarious designs of unknown threat actors. They aim to steal sensitive information and exfiltrate it using Slack as command-and-control (C2). What is more alarming is that the attackers have used a modified version of an open-source information stealer called HackBrowserData to achieve their objectives.

According to a report published by EclecticIQ researcher Arda Büyükkaya, the information stealer was delivered via a email masquerading as an invitation letter from the Indian Air Force. The campaign began on March 7, 2024, and was codenamed Operation FlightNight. The name refers to the adversary's Slack channels.

Multiple government entities in India, including those related to electronic communications, IT governance, and national defense, are targets of these attacks. The threat actors have also successfully compromised private energy companies, harvesting financial documents, personal details of employees, and details about drilling activities in oil and gas. It is estimated that approximately 8.81 GB of data has been exfiltrated throughout the campaign.

The message contains an ISO file (“invite.iso”), which, in turn, includes a shortcut (LNK) that triggers the execution of a hidden binary (“scholar.exe”) present within the mounted optical disk image. Simultaneously, a lure file that purports to be an invitation letter from the Indian Air Force is displayed to the victim. At the same time, the clandestinely harvests documents and cached web browser data. It transmits them to an actor-controlled Slack channel named FlightNight.

It is worth noting that the is an altered version of HackBrowserData that goes beyond its browser data theft features to incorporate capabilities to siphon documents (Microsoft Office, PDFs, and SQL database files), communicate over Slack, and better evade detection using obfuscation techniques.

It is suspected that the threat actor stole the decoy during a previous intrusion, with behavioral similarities traced back to a campaign targeting the Indian Air Force with a Go-based stealer called GoStealer. The GoStealer infection sequence is virtually identical to that of FlightNight, employing procurement-themed lures (“SU-30 Aircraft Procurement.iso”) to display a decoy file while the stealer payload is deployed to exfiltrate information of interest over Slack.

The attackers have adapted freely available offensive tools and repurposed legitimate infrastructure, such as Slack, which is prevalent in enterprise environments. This allows them to reduce time and development costs and quickly fly under the radar. Threat actors' simple yet effective approach to using open-source tools for cyber espionage highlights the evolving landscape of .

This further means that it's that much easier to launch a targeted attack, even allowing less-skilled and aspiring cybercriminals to spring into action and inflict significant damage to organizations. Organizations must remain vigilant and proactively protect themselves from such attacks.

Leave a comment

Newsletter Signup
Address

The Grid —
The Matrix Has Me
Big Bear Lake, CA 92315

01010011 01111001 01110011 01110100 01100101 01101101 00100000
01000110 01100001 01101001 01101100 01110101 01110010 01100101

I know kung-fuNeo

Deitasoft © 2024. All Rights Reserved.