‘Lone Wolf’ Hacker Group Targeting Afghanistan and India with Commodity RATs

A new malware campaign targeting Afghanistan and India is exploiting a now-patched, 20-year-old flaw in Microsoft Office to deploy an array of commodity remote access trojans (RATs) that give the adversary full control over the compromised endpoints.

Cisco Talos attributed the campaign to a “lone wolf” threat actor operating a Lahore-based fake IT company called Bunse Technologies as a front for the malicious activity; the same actor also has a history, dating back to 2016, of sharing content favourable to Pakistan and the Taliban.


The attacks work by taking advantage of political and government-themed lure domains that host the malware payloads, with the infection chains leveraging weaponized RTF documents and PowerShell scripts that distribute malware to victims. Specifically, the laced RTF files were observed exploiting CVE-2017-11882 to execute a PowerShell command responsible for deploying additional malware that conducts reconnaissance on the machine.


CVE-2017-11882 is a memory corruption vulnerability that can be abused to run arbitrary code. The flaw, which is believed to have existed since 2000, was finally addressed by Microsoft as part of its Patch Tuesday updates for November 2017.
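The two paragraphs above describe a chain that defenders can look for at two points: the lure document itself, and the moment the exploited component launches PowerShell. CVE-2017-11882 lives in the Office Equation Editor (EQNEDT32.EXE), a fact not stated on this page but well documented in the Microsoft advisory, so an RTF that embeds an Equation.3 OLE object is worth a closer look, and EQNEDT32.EXE spawning a shell or script host is the behavioural signature of the exploit being triggered. The following Python is an added triage example written for this article; it is not Talos tooling and not part of the campaign's code. It assumes Sysmon-style process-creation fields (Image, ParentImage); the RTF text and the process events it scans are constructed inline and are not real samples from the campaign.

```python
"""Triage helpers for the RTF -> CVE-2017-11882 -> PowerShell chain described above.

Two defender-side checks:
  1. rtf_risk_indicators(): static scan of an RTF body for an embedded
     Equation Editor OLE object (the component CVE-2017-11882 lives in).
  2. flag_process_event(): behavioural check on a process-creation event
     for Equation Editor spawning a shell or script host.
"""
import re
from typing import Dict, List

# Well-known Equation.3 CLSID {0002CE02-0000-0000-C000-000000000046}, written as
# the hex string it forms inside an OLE stream (Data1..Data3 little-endian).
EQUATION_CLSID_HEX = "02ce020000000000c000000000000046"

# Shells and script hosts that Equation Editor has no legitimate reason to launch.
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "mshta.exe",
                       "wscript.exe", "cscript.exe"}


def rtf_risk_indicators(rtf_text: str) -> List[str]:
    """Return the names of Equation Editor related indicators found in an RTF body.

    An empty list means nothing was found (or the input is not RTF at all).
    """
    hits: List[str] = []
    if not rtf_text.lstrip().startswith("{\\rtf"):
        return hits
    lowered = rtf_text.lower()
    # RTF control words announcing an embedded Equation.3 object and its payload.
    if re.search(r"\\objclass\s*equation\.3", lowered):
        hits.append("objclass_equation3")
    if "\\objdata" in lowered:
        hits.append("embedded_ole_objdata")
    # \objdata hex is often wrapped across lines; collapse whitespace before matching.
    hex_stream = re.sub(r"\s+", "", lowered)
    if EQUATION_CLSID_HEX in hex_stream:
        hits.append("equation_editor_clsid")
    return hits


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_process_event(event: Dict[str, str]) -> bool:
    """True when EQNEDT32.EXE is the parent of a shell or script host.

    Event fields follow Sysmon-style naming (Image, ParentImage); the
    sample events below are constructed for this example.
    """
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    return parent == "eqnedt32.exe" and child in SUSPICIOUS_CHILDREN


def flagged_events(events: List[Dict[str, str]]) -> List[int]:
    """Indices of events that flag_process_event() marks as suspicious."""
    return [i for i, e in enumerate(events) if flag_process_event(e)]


# --- Constructed sample inputs (not real samples from the campaign) ---------
SAMPLE_RTF = (
    "{\\rtf1\\ansi\\deff0 Lure text\n"
    "{\\object\\objemb{\\*\\objclass Equation.3}\n"
    "{\\*\\objdata 0105000002000000\n"
    "02ce020000000000c000000000000046}}}"
)
BENIGN_RTF = "{\\rtf1\\ansi\\deff0 Quarterly report, nothing embedded.}"

SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

if __name__ == "__main__":
    print("sample RTF indicators:", rtf_risk_indicators(SAMPLE_RTF))
    print("benign RTF indicators:", rtf_risk_indicators(BENIGN_RTF))
    print("flagged process events:", flagged_events(SAMPLE_EVENTS))
```

The static check is a triage aid, not proof of exploitation: legitimate documents can embed Equation.3 objects, so an indicator hit should route the file to sandboxing rather than block it outright. The process-tree check is the higher-confidence signal, since a patched or unexploited Equation Editor never needs to start PowerShell; pairing it with the command line of the child process gives the analyst the second-stage download to pivot on.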

The recon phase is followed by a similar attack chain that uses the same vulnerability to run a series of commands culminating in the installation of commodity malware such as DcRAT and QuasarRAT. These come with a wide range of functionality right out of the box, including remote shells, process management, file management, keylogging, and credential theft, and so require little effort on the part of the attacker.

Also observed during the cybercrime operation was a browser credential stealer for Brave, Microsoft Edge, Mozilla Firefox, Google Chrome, Opera, Opera GX, and Yandex Browser.

“This campaign is a classic example of an individual threat actor employing political, humanitarian and diplomatic themes in a campaign to deliver commodity malware to victims,” the researchers said. “Commodity RAT families are increasingly being used by both crimeware and APT groups to infect their targets. These families also act as excellent launch pads for deploying additional malware against their victims.”
