Unidentified threat actors have targeted energy companies and government entities in India with the intention of distributing a modified version of HackBrowserData, an open-source information stealer malware, and, in some instances, exfiltrating sensitive data using Slack as a command-and-control platform (C2).

“A phishing email masquerading as an invitation letter from the Indian Air Force delivered the information thief,” EclecticIQ researcher Arda Büyükkaya said in a report published today.

A critical, unpatched vulnerability in the Ray AI platform was exploited to mine cryptocurrencies.

“The attacker utilized Slack channels as exfiltration points to upload confidential internal documents, private email messages, and cached web browser data after the malware’s execution.”

The Dutch cybersecurity firm named the initiative Operation FlightNight, a reference to the adversary’s Slack channels, which began on March 7, 2024.

The nefarious activity targets numerous government entities in India, including those that are involved in IT governance, national defense, electronic communications, and IT communications.

The threat actor allegedly effectively infiltrated private energy firms, acquiring financial documents, employee personal information, and data related to oil and gas exploration operations. The campaign has compromised a cumulative amount of 8.81 GB of data.

The assault sequence commences with a phishing message that attaches an ISO file (“invite.iso”) to the mounted optical disk image. This ISO file, in turn, comprises a Windows shortcut (LNK) that initiates the execution of a concealed binary (“scholar.exe”).

Simultaneously, the malware presents the victim with an enticing PDF file masquerading as an invitation letter from the Indian Air Force. All the while, the malware stealthily acquires documents and cached web browser data, which it then transfers to FlightNight, an actor-controlled Slack channel.

CISA warns of active hacker activity targeting a Microsoft SharePoint vulnerability.

The malicious software is a modified iteration of HackBrowserData, which surpasses its primary function of stealing browser data by also enabling unauthorized access to documents (including Microsoft Office, PDFs, and SQL database files), communication via Slack, and enhanced evasion of detection through the use of obfuscation techniques.

Given the behavioral similarities to a phishing campaign targeting the Indian Air Force using GoStealer, a Go-based stealer, there is suspicion that the threat actor obtained the dummy PDF during a previous intrusion.

In the middle of January 2024, an Indian security researcher operating under the alias xelemental (@ElementalX2) divulged information regarding the activity.

GoStealer uses a similar infection sequence to FlightNight, using lures with a procurement theme (“SU-30 Aircraft Procurement.iso”) to present a sham file and insert the stealth payload into Slack to exfiltrate sensitive data.

Threat actors can effectively evade detection, save time and money on development, and reduce their operational footprint by modifying openly accessible offensive tools and repurposing authorized infrastructure, such as Slack, widely used in enterprise settings.

Additionally, the increased efficiency facilitates the execution of targeted attacks, enabling inexperienced and aspiring cybercriminals to promptly exploit the situation and cause substantial harm to organizations.

Google Provides Chrome Users with Enhanced Real-Time URL Protection

“Operation FlightNight and the GoStealer campaign highlight a simple yet effective approach by threat actors to use open-source tools for cyber espionage,” Büyükkaya reported.

“This underscores the evolving landscape of cyber threats, wherein actors abuse widely used open-source offensive tools and platforms to achieve their objectives with minimal risk of detection and investment.”

source