Mumbai: A recent report by an US-based security solutions firm has indicated that a breed of malware has incorporated the same code used Mars Rovers Exploration Robot to spy on an Indian Ambassador to Afghanistan.
According to the threat intelligence team of Palo Alto Networks—which monitors cyber-traffic and potential attacks—pointed out that the attack was aimed at spying and retrieving sensitive documents, emails, audio clips, still pictures, and video footage.
Over the past few years, India has been a key nation in funding Afghanistan’s economic and infrastructure development, including power plants, transportation systems and even a new Parliament Complex for the Afghan Government.
Taking queues from these activities, it is likely that may be numerous groups and nations who are keen of spying on “key individuals who officially represent India in Afghanistan”.
Vicky Ray and Kaoru Hayashi, senior analysts from the firm’s Unit 42 team, explained that they managed to identify the attack carried out on Christmas Eve last year.
The duo, in a blog post, pointed out that the Kabul embassy was the object of a targeted attack in the form of an e-mail addressed personally to the Indian ambassador (at the time, Amar Sinha).
The e-mail was a spoof, cleverly crafted to look like a communication from Defence Minister, Manohar Parikkar, congratulating the ambassador for his ' commendable contribution' and lauding his 'individual dedication, knowledge and exemplary efforts’ for a ' project of the highest national interest'.
The e-mail sent by unknown attackers to the Indian Ambassador. (Source: PaloAlto Networks)
Opening the email revealed a 6MB word attachment and if the recipient opened this attachment, in a vulnerable version of Word, it would have breached the recipient computer's security and installed a downloader software in it—what is called a 'Trojan', which is what its name says—a Trojan Horse with malicious software hidden inside.
In a telephonic conversation with IndiaTechOnline, Ray said that many antivirus programmes might failed to detect the malware as because it avoided sending out the "signature" that net security tools used to recognize malicious content. “Like a terrorist disassembling a weapon and transporting it in pieces to avoid detection, the unknown authors, sent the malware in innocuous chunks,” he added.
Once inside the computer, the “Trojan downloader” can download executable files with multiple plug-ins, many of them using standard Open Source tools.
However, each innocent looking executable file with multiple plug-ins search for files on any attached USB device or any removable drives; another to log key strokes, a third to steal files on the hard disk.
The last plug-in was designed to search for specific types of files—PDFs, Word documents, Powerpoint presentations, Excel spreadsheets—and copy them every 60 minutes.
Another thread of the malware executed backdoor commands—snapping photos using the computer's web cam, recording audio from audio port, taking screen grabs.
Ray and Hayashi found that nameless cyber criminals used tools like OpenCV and OpenAl. The former is a software library that has been used by security systems, driver-less cars, and even the Mars Rover exploration robot for transmitting images, and the later is a cross-platform audio API.
The unknown hackers used the same code for their spying venture. In a back-handed complement, the two analysts have dubbed the Kabul malware "Rover".
Even though the duo tracked the minutest of details, they still do not have any knowledge or leads regarding the hackers, or the country from where the attack was conducted.
Based on their monitoring studies they have created a "Rover Tag" to help customers of Palo Alto Networks' cyber security solutions, identify, and neutralize this specific threat.
(Source: IndiaTechOnline)
