Hackers are targeting Afghan government employees with phishing emails disguised as official correspondence from the office of the country’s prime minister, researchers at the Indian cybersecurity firm Seqrite found.
The campaign, first detected in December, uses a decoy document crafted to resemble a legitimate government letter sent to Afghan ministries and administrative offices.
The document opens with a religious greeting and contains what appear to be official instructions related to financial reporting, along with a forged signature of a senior official within the prime minister’s office, a tactic intended to lure victims into opening the file.
Once opened, the document delivers a strain of malware dubbed FalseCub, which is designed to collect and exfiltrate data from infected computers, Seqrite said in a report released Monday.
Researchers found that the attackers relied on GitHub as a temporary hosting service for the malicious payload. A GitHub account created in late December was used to distribute the malware before the files were quietly removed once the operation concluded.
The hackers behind the campaign appear to have conducted extensive research into Afghan government institutions and entities linked to the Taliban. Seqrite identified several legal and administrative documents uploaded by the threat actor to the Scribd library, including Afghan government directives, Ministry of Defense communications, and U.S. asylum and human rights documents related to Afghanistan. These materials may serve as future phishing lures, the researchers said.
The alleged threat actor used an alias, “Afghan Khan,” shared across other platforms including Pinterest and Dailymotion, with at least one account linked to Pakistan. A shortened link used in the campaign was also uploaded from Pakistan and redirected victims to the GitHub repository hosting the malware, according to the researchers.
While Seqrite did not attribute the campaign to any specific country or known hacker group, researchers assessed the activity as the work of a “regionally focused threat actor with a low-to-moderate sophistication level.” The repeated reuse of online personas, they added, points to “an individual operator or small cluster rather than a mature state-sponsored APT.”
The campaign, which Seqrite tracks under the name Nomad Leopard, is not limited to Afghanistan and could expand to other countries, they warned.
“The threat actor is not very sophisticated but possesses several legal and government-related lure documents, which we believe may be used in future campaigns,” the researchers added.