fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Hacking Group ‘ModifiedElephant’ Evaded Discovery for a Decade

Hacking Group ‘ModifiedElephant’ Evaded Discovery for a Decade

For a decade, an advanced persistent threat (APT) actor tracked as ModifiedElephant has been using tactics that allowed it to operate in utmost secrecy, without cybersecurity companies connecting the dots between attacks.

This particular group of hackers employs readily-available trojans through spear-phishing, and has been targeting human rights activists, free speech defenders, academics, and lawyers in India since 2012.

The malicious emails push keyloggers and remote access trojans like NetWire and DarkComet, and even Android malware.

Also Read: 5 Most Frequently Asked Questions About Ransomware

Researchers at SentinelLabs in a report today detail the tactics of ModifiedElephant explaining how recently published evidence helped them attribute previously “orphan” attacks.

The most reliable evidence is overlapping infrastructure observed in multiple campaigns between 2013 and 2019, as well as consistency in the malware deployed.

ModifiedElephant C2 infrastructure
ModifiedElephant C2 infrastructure (SentinelLabs)

Past campaigns

ModifiedElephant has relied on spear-phishing emails with malicious attachments for over a decade now, but their techniques have evolved throughout that time.

Below is an overview of their past operations highlighting some evolution milestones:

  • 2013 – actor uses email attachments with fake double extensions (file.pdf.exe) to drop malware
  • 2015 – group moves to password-protected RAR attachments containing legitimate lure documents that overlay the signs of malware execution
  • 2019 – ModifiedElephant starts hosting malware-dropping sites and abuses cloud hosting services, switching from fake documents to malicious links
  • 2020 – attackers use large-size RAR files (300 MB) to evade detection by skipping scans

On multiple occasions, the attached documents leveraged known exploits for malware execution, including CVE-2012-0158, CVE-2013-3906, CVE-2014-1761, and CVE-2015-1641.

As for the lures used in these campaigns, they were all politically related and often highly tailored for the target.

Sample email sent by ModifiedElephant
Sample email sent by ModifiedElephant (SentinelLabs)

“The phishing emails take many approaches to gain the appearance of legitimacy,” explains SentinelLabs in the report

“This includes fake body content with a forwarding history containing long lists of recipients, original email recipient lists with many seemingly fake accounts, or simply resending their malware multiple times using new emails or lure documents.”

Also Read: Personal Data Protection Act Singapore: Is Your Business Compliant?

Attacker’s toolkit

ModifiedElephant hasn’t been observed using any custom backdoors throughout its operational record, so the particular group doesn’t appear to be very sophisticated.

The primary malware deployed on the campaigns are NetWire and DarkComet, two remote access trojans that are publicly available and widely used by lower-tier cybercriminals.

The Visual Basic keylogger used by ModifiedElephant has remained the same since 2012, and it’s been freely available on hacking forums all these years. SentinelLabs comments on the antiquity of the tool, highlighting that it doesn’t even work on modern OS versions anymore.

The Android malware is also a commodity trojan, delivered to victims in the form of an APK, tricking them into installing it themselves by posing as a news app or a safe messaging tool.

A state actor?

The SentinelLabs report makes several correlations between the timing of specific ModifiedElephant attacks and the arrest of targets that followed shortly after.

This coincidence, combined with the targeting scope, which aligns with the interests of the Indian state, constructs a very probable hypothesis that the hackers are sponsored by circles of India’s official administration.

Freedom of speech activists and academics aren’t targeted for financial purposes, so these attacks always have an underlying political nuance.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us