A threat actor dubbed Armor Piercer is employing commercial RAT in a series of malicious attacks targeting Indian government and military personnel.

The attacks employed the Netwire and Warzone RATs, with lures themed around the Kavach 2FA application from India’s National Informatics Centre. Similarities with APT36 and SideCopy were previously linked to Pakistan.

The adversaries were using both compromised websites and fake domains for payload hosting, luring victims posing as guides and documentation related to the Indian government’s architecture, including Kavach. It used server-side scripts for sending malicious emails, and maintained presence on infected websites using web shells.

The commodity RATs employed in these attacks provide the adversary with comprehensive control over the targeted systems and could also be used to deploy additional payloads onto the compromised network.

The campaign appears to have been ongoing since December 2020, employing Microsoft Office documents carrying malicious VBA macros designed to fetch and execute a malware loader. The final payload is usually a RAT.

The downloaders were used to fetch and run the RAT payloads, C#-based downloader using a decoy URL, Pastebin was being used to host the payloads. Throughout the campaign, modified open-source projects were used to load trojanized .NET-based binaries that would then load the RATs.

The Netwire RAT allows the attacker to steal credentials from browsers, run commands, harvest system information, manipulate files, enumerate and kill processes, and perform keylogging.

AveMaria features RDP capabilities and can also capture images from the webcam, steal credentials from browsers and email applications, manipulate files, execute commands, log keystrokes, enumerate and terminate processes, and deploy reverse shells.

These adversaries and RAT deployment indicates that the attackers are expanding their malware arsenal to target their victims: military and government personnel in India.