
HackBrowserData Infostealer Malware

Unknown threat actors have directed their attention towards Indian government entities and energy companies, employing a modified variant of an open-source information-stealing malware dubbed HackBrowserData. Their objective involves exfiltrating sensitive data, with Slack as a Command-and-Control (C2) mechanism in certain instances. The malware was disseminated through phishing emails, camouflaged as invitation letters purportedly from the Indian Air Force.

Once the malware was running, the attacker used Slack channels as conduits for exfiltrating various kinds of sensitive information, including confidential internal documents, private email correspondence and cached web browser data. This documented campaign is estimated to have commenced in early March 2024.

Cybercriminals Target Important Government and Private Entities

The scope of the harmful activity extends across numerous government entities in India, encompassing sectors such as electronic communications, IT governance, and national defense.

Reportedly, the threat actor has effectively breached private energy companies, extracting financial documents, employee personal information, and details regarding oil and gas drilling operations. The total amount of exfiltrated data throughout the campaign amounts to approximately 8.81 gigabytes.

Infection Chain Deploying a Modified HackBrowserData Malware

The attack sequence begins with a phishing message carrying an ISO file named 'invite.iso'. The ISO contains a Windows shortcut (LNK) that launches a hidden binary ('scholar.exe') stored in the same mounted disk image.

Meanwhile, a decoy PDF posing as an invitation letter from the Indian Air Force is displayed to the victim while, in the background, the malware quietly gathers documents and cached web browser data and transmits them to a Slack channel under the threat actor's control, designated FlightNight.

This malware represents a modified iteration of HackBrowserData, extending beyond its initial browser data theft functions to include the ability to extract documents (such as those in Microsoft Office, PDFs and SQL database files), communicate via Slack, and employ obfuscation techniques for enhanced evasion of detection.
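The chain described above (mounted ISO, binary launched from the mounted drive, outbound Slack traffic from that binary) can be correlated in endpoint telemetry. The following is an added detection example, not code from the page or from the malware; the event schema and field names are assumed, simplified Sysmon-style records, and the sample events are constructed, not real indicators.

```python
# Added example: correlate an image mount, a process started from the mounted
# drive, and a Slack connection by that same process. Event schema is assumed.
import json


def is_slack_host(host):
    """True for slack.com and its subdomains only (avoids 'notslack.com')."""
    host = host.lower()
    return host == "slack.com" or host.endswith(".slack.com")


# Constructed sample telemetry (not real IoCs): an ISO mounted as E:, a binary
# launched from it, a legitimate Slack client from a fixed drive, and two
# HTTPS connections to Slack. Only the mounted-drive process should alert.
SAMPLE_EVENTS = [
    {"type": "image_mount", "drive": "E:", "image": "C:\\Users\\u\\Downloads\\invite.iso"},
    {"type": "process_create", "pid": 4120, "parent": "explorer.exe",
     "image": "E:\\scholar.exe"},
    {"type": "process_create", "pid": 4130, "parent": "explorer.exe",
     "image": "C:\\Program Files\\Slack\\slack.exe"},
    {"type": "network_connect", "pid": 4120, "dest_host": "files.slack.com", "dest_port": 443},
    {"type": "network_connect", "pid": 4130, "dest_host": "slack.com", "dest_port": 443},
]


def find_iso_to_slack_chains(events):
    """Return one alert per process that was launched from a mounted image
    and later connected to Slack. Installed Slack clients are not flagged
    because their image path is not on a mounted drive."""
    mounted = {}   # drive letter -> path of the mounted image file
    suspects = {}  # pid -> process launched from a mounted drive
    alerts = []
    for ev in events:
        kind = ev["type"]
        if kind == "image_mount":
            mounted[ev["drive"].upper()] = ev["image"]
        elif kind == "process_create":
            drive = ev["image"][:2].upper()
            if drive in mounted:
                suspects[ev["pid"]] = {"image": ev["image"], "iso": mounted[drive]}
        elif kind == "network_connect" and ev["pid"] in suspects:
            if is_slack_host(ev["dest_host"]):
                s = suspects[ev["pid"]]
                alerts.append({"pid": ev["pid"], "image": s["image"],
                               "iso": s["iso"], "dest_host": ev["dest_host"].lower()})
    return alerts


if __name__ == "__main__":
    for alert in find_iso_to_slack_chains(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Real deployments would feed this from a SIEM query over mount and process events rather than an in-memory list; the correlation logic stays the same.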

There's suspicion that the threat actor acquired the decoy PDF during a prior intrusion, with behavioral parallels traced to a phishing campaign targeting the Indian Air Force utilizing a Go-based stealer known as GoStealer.

Previous Malware Campaigns Utilizing Similar Infection Tactics

The GoStealer infection process closely mirrors that of FlightNight, employing lure tactics centered around procurement themes (e.g., 'SU-30 Aircraft Procurement.iso') to distract victims with a decoy file. At the same time, the stealer payload operates in the background, exfiltrating targeted information via Slack.

By utilizing readily available offensive tools and leveraging legitimate platforms like Slack, commonly found in corporate environments, threat actors can streamline their operations, reducing both time and development expenses while maintaining a low profile.

These efficiency gains make it increasingly simple to launch targeted attacks, even enabling less-experienced cybercriminals to cause significant harm to organizations. This underscores the evolving nature of cyber threats, where malicious actors exploit widely accessible open-source tools and platforms to achieve their goals with minimal risk of detection and investment.
