In 2016, we witnessed hackers using a ‘watering hole’ cyber-attack to compromise computers operated by serving Indian military personnel and bureaucrats, some of whom were mailed infected documents as email attachments. Others were lured by news posts, with topics ranging from the Seventh Pay Commission to the Pathankot attack.
A natural watering hole is a water source in jungles, where hunters wait patiently for their prey. They hunt their prey when the latter throng to said watering hole during thirsty afternoons or evenings. A cyber ‘watering hole’ strategy is analogous this, albeit in the virtual domain. For the purposes of this article, Delhi Defence Review has drawn upon two malware reports on the watering hole attack- Transparent Tribe by Proofpoint and C-Major by Trend Labs.
To begin with, Trend Labs claims that some evidence suggests that the attackers behind this campaign are based out of Pakistan, although no evidence suggests ties to the government. Trend Labs further believes:
‘The primary targets were field-grade officers in the Indian military – brigadiers, colonels, lieutenant colonels, majors, and even some lieutenants. The data stolen contained identification/ID data such as passport scans and other means of identification- salary and taxation data (mainly in the form of PDF payslips), army strategy and tactical documents, army training documents, and personal photos.’
‘Since at least early 2013, actors behind Operation C-Major have been using a variety of malicious apps against high-profile targets in the Indian military, as well as other foreign embassies. From our research, we saw that these apps were downloaded by the hundreds, most likely by targets in India. Some of these apps, like fake news apps, are promoted on “official” Facebook pages, which is another social engineering trick to lure users into downloading them. Most of these apps are developed by a Pakistani company. The actors behind Operation C-Major were able to keep their Android malware on Google Play for months and they advertised their apps on Facebook pages which have thousands of likes from high profile targets.’
According to Trend Labs, ‘several actors involved in Operation C-Major have been rather careless in the past, leaving behind numerous digital traces on the Internet’. Prior to this, one of these actors had been actively promoting StealthGenie, a spying app for Android, BlackBerry, and iPhone. This app was marketed as a tool one could use to monitor employees, spouses, and children. However, based on its functionalities, it was no different from malicious applications. The Pakistani owner of StealthGenie was arrested by the US Federal Bureau of Investigation in 2014 for selling spyware and was fined $500,000.
Operation C-Major used spying apps for BlackBerry phones, which have similar functions to that of StealthGenie’s. It was apparent that these apps were developed not for jealous spouses but for the threat actors’ intent on stealing sensitive information from organizations like the Indian Armed Forces. It is therefore no surprise that the actors behind C-Major also used BlackBerry malware in their operation since BlackBerry is known to be used by several government agencies. As far as we know, the BlackBerry malware was never available on the Blackberry app store- BlackBerry World. It is very likely social engineering was used to get the malware installed on victims’ phones. The apps are capable of stealing SMS, making videos, recording calls, sending screenshots, and stealing files.
Here is a list of some malicious Android apps used by them
The Trends Lab code analysis revealed that ‘Ringster is reusing a lot of code from Wavecall, a communication tool developed by a company called Yello. Ringster has a hardcoded URL pointing to mpjunkie[.]com. This URL established a clear connection to the other campaigns of Operation C-Major.’
Since at least 2015, Operation C-Major started to use Androrat, an off-the-shelf remote administration tool for Android. C-Major may have bought Androrat from an Indonesian vendor.
Sloppy coding practices by attackers led to detection
Trend Labs maintains, ‘the malware was compiled into an MSIL binary using Visual Studio. This means that the original source code was probably in VB# (Visual Basic .NET) or C# (the .NET version of C++). This also means that the developers weren’t aware that these programs can be decompiled in a trivial manner: the attackers provided the source code for free. No truly sophisticated attacker would have created and compiled their malware in this manner. Analysis of the malware allowed us to find 3 C&C servers that this attack used. These servers also contained open directories where the stolen information was stored, allowing us to see what information were stolen. The attackers were unable to keep their server’s whereabouts completely hidden, leading to the discovery of information concerning the targets involved.’
This particular cyber-attack was not sophisticated in terms of the malware/virus used or in the methods used to cover its tracks. However, it does show that not following standard cyber hygiene, can prove rather disastrous. The targets willingly downloaded the apps and visited click-bait news that was put on websites containing malware (watering holes.) This mixed use of malware along with social engineering represents a new trend in hybrid information warfare and at some level is a melding of cyberwarfare and psyops.
© Delhi Defence Review. Reproducing this content in full without permission is prohibited.