FlightNight
GoStealer
India targeted in a cyberespionage campaign involving phishing emails & Slack to...
Beginning March 7th, 2024, a cyber espionage campaign targeted sensitive sectors of the Indian economy, specifically its defense and energy industries. This large-scale attack, dubbed Operation FlightNight, highlights the evolving tactics employed by malicious actors to infiltrate critical infrastructure and compromise sensitive information.
Discovered by EclecticIQ analysts, the intrusion leverages a modified version of the [HackBrowserData](https://github.com/moonD4rk/HackBrowserData) information stealer, delivered via phishing emails.
### **Attack Methodology**
The [campaign](https://blog.eclecticiq.com/operation-flightnight-indian-government-entities-and-energy-sector-targeted-by-cyber-espionage-campaign) relied on a combination of phishing emails and malware to achieve its objectives. Phishing emails, meticulously crafted to appear legitimate, were likely sent to unsuspecting employees within the targeted organizations. These emails may have posed as official communications from trusted sources or presented enticing offers. Once a recipient clicked on a malicious link or attachment within the email, malware would be deployed on their device.
![b34b3986-3854-4ab4-a553-1d3be9eedfa2.png](https://sb-cms.s3.ap-south-1.amazonaws.com/b34b3986_3854_4ab4_a553_1d3be9eedfa2_a8727acebd.png)
***Attack Chain***
Using a decoy PDF disguised as an Indian Air Force invitation, the attackers delivered ISO files containing malware executables. The campaign shares similarities with a Go-based stealer called GoStealer, most notably in its infection sequence.
Upon execution, the malware, disguised with harmless-looking PDF icons, activated hidden payloads that exfiltrated data to Slack channels under the attackers' control.
Both campaigns employ social engineering tactics to lure victims. Operation FlightNight uses phishing emails likely disguised as legitimate communications, while [GoStealer](https://xelemental.github.io/Golang-based-credential-stealer-targets-Indian-Airforce-Officials/) utilizes procurement-themed lures such as "SU-30 Aircraft Procurement.iso".
Once a victim clicks on the malicious link or attachment, a decoy file is displayed to distract them, while the malware operates in the background, stealing information of interest. In Operation FlightNight's case, the stolen information is exfiltrated through Slack channels.
### **Targets and Data Exfiltration:**
Government agencies overseeing electronic communications, IT governance, and national defense, alongside private energy companies, were targeted. The stolen data, including financial documents and employee details, was exfiltrated to Slack channels, totaling 8.81 GB, raising concerns of potential infrastructure breaches.
### **HackBrowserData: The Malware Behind the Attack**
As already mentioned, the malware used in Operation FlightNight has been identified as a modified version of the open-source information stealer HackBrowserData, which exploits weaknesses in web browsers to steal credentials and data. It is specifically designed to target web browsing data, potentially including login credentials, browsing history, and other sensitive information stored within web browsers.
Code similarities between the original tool and the modified variant indicate a sophisticated level of customization for covert operations.
### Slack: A Clandestine Exfiltration Channel
A particularly concerning aspect of this operation is the use of the Slack communication platform for exfiltrating stolen data. The attackers chose Slack, a popular collaboration tool widely used in legitimate business settings, likely to mask their malicious activity.
By blending their traffic with regular communication within the targeted organizations, the attackers aimed to evade detection.
### **Detection and Mitigation Strategies:**
Organizations can disable web browser features like password caching and auto-completion, implement two-factor authentication, and monitor for ISO mounting events and LNK file executions. Behavioral anomaly detection and network traffic monitoring can aid in identifying and mitigating similar threats.
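The two monitoring points above (executables launched from a freshly mounted ISO volume, and Slack traffic from processes that have no business talking to Slack) can be correlated in a few lines. The example below is added here and is not from the original report or from EclecticIQ; it uses Sysmon's real Event ID 1 (process creation) and Event ID 3 (network connection), but the field names, PIDs, paths and hostnames in the event records are constructed.

```python
"""Correlate constructed Sysmon-style events to flag the FlightNight pattern:
an executable launched by explorer.exe from a mounted ISO volume that later
talks to Slack. Added example; the event records are constructed, not real telemetry."""
# Sysmon Event ID 1 = process creation, Event ID 3 = network connection.
PROCESS_CREATE, NETWORK_CONNECT = 1, 3
SLACK_HOSTS = ("slack.com",)  # matches slack.com and any *.slack.com subdomain
# Processes expected to talk to Slack; anything else doing so is suspicious.
EXPECTED_SLACK_CLIENTS = {"slack.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
SYSTEM_VOLUME = "c:"

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def _is_slack_host(host):
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in SLACK_HOSTS)

def from_foreign_volume(image):
    """A mounted ISO gets its own drive letter, so a binary running from a
    non-system volume is the footprint of ISO/LNK-style delivery."""
    return not image.lower().startswith(SYSTEM_VOLUME + "\\")

def correlate(events):
    """Return (pid, image, host, reason) for Slack connections by unexpected
    processes, noting when that PID was launched via explorer.exe from another volume."""
    suspicious_launch = {}  # pid -> image path
    alerts = []
    for ev in events:
        if ev["id"] == PROCESS_CREATE:
            if _basename(ev["parent_image"]) == "explorer.exe" and from_foreign_volume(ev["image"]):
                suspicious_launch[ev["pid"]] = ev["image"]
        elif ev["id"] == NETWORK_CONNECT and _is_slack_host(ev["dest_host"]):
            if _basename(ev["image"]) not in EXPECTED_SLACK_CLIENTS:
                reason = "unexpected process contacting Slack"
                if ev["pid"] in suspicious_launch:
                    reason += "; launched from non-system volume via explorer.exe"
                alerts.append((ev["pid"], ev["image"], ev["dest_host"], reason))
    return alerts

SAMPLE_EVENTS = [  # constructed: one legitimate Slack client, one ISO-delivered stealer
    {"id": 1, "pid": 4120, "image": r"C:\Program Files\Slack\slack.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 3, "pid": 4120, "image": r"C:\Program Files\Slack\slack.exe", "dest_host": "files.slack.com"},
    {"id": 1, "pid": 5208, "image": r"E:\invitation.pdf.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 3, "pid": 5208, "image": r"E:\invitation.pdf.exe", "dest_host": "slack.com"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the allowlist of expected Slack clients and the volume check would be tuned to the environment (for example, sites that legitimately run software from a D: data volume).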
### **Open-Source Offensive Tools**
The attackers' use of open-source tools underscores the evolving landscape of cyber threats. By modifying existing tools and, as already mentioned, leveraging platforms like Slack for data exfiltration, the attackers reduce detection risks while maximizing operational efficiency.
### **Infrastructure Analysis**
Analysis of the attackers' infrastructure, including Slack channels and authentication tokens, provides insights into their operational tactics. Tools like SlackPirate enable researchers to gather valuable intelligence on threat actors' communication channels and tactics.
### Stolen Data and Potential Consequences
The stolen data in this cyber espionage campaign could encompass a wide range of sensitive information, including:

- Financial documents
- Personal details of employees
- Critical details about drilling activities in oil and gas

This information could be exploited for various malicious purposes, such as:

- Financial gain through fraud or identity theft
- Disruption of critical operations within the defense and energy sectors
- Espionage and intelligence gathering