
A materials research organization in Asia has been targeted by a previously unknown threat actor with a unique set of tools.
Symantec by Broadcom Software tracks the cluster under the moniker Kushiopa. The origins of the hacking group and its affiliation are currently unknown, but there are hints that the adversaries may have ties to India.
This includes references to ‘SAPTARISHI-ATHARVAN-101’ in the custom backdoor and use of the password ‘iloveindea1998^_^’ in the ZIP archive.
It is worth noting that Saptarishi, which means "seven sages" in Sanskrit, refers to a revered group of seers in Hindu literature. Atharvan was an ancient Hindu priest who is believed to have co-authored one of the four Vedas, a collection of Hindu religious scriptures.
“These details could suggest that the group is based in India, but it is also very likely that the information was planted as a false flag, especially if the password was overly obvious. It looks like a clue,” Symantec said in a report shared with The Hacker News.
The exact means of initial access is also unknown, but the intrusion is suspected to have involved brute-force attacks against Internet-facing servers.
The main characteristics of the intrusion include clearing Sysmon (System Monitor) and Windows event logs, and deploying multiple backdoors, such as Atharvan and modified versions of the open-source Lilith RAT, to collect and steal sensitive information.
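Log clearing and Sysmon tampering of the kind described above leave their own traces, because Windows records the act of clearing a log and Sysmon records changes to its own service and configuration. The following is an added detection example written for this page; it is not Symantec's code and is not derived from the Kushiopa samples. The record layout (`time`, `host`, `provider`, `event_id`, `user`) is an assumed output of some log exporter, the sample records and host/user names are constructed, and the provider/event ID pairs are the standard Windows ones: Eventlog 1102 (security audit log cleared), Eventlog 104 (event log file cleared), Sysmon 4 (service state changed) and Sysmon 16 (configuration changed).

```python
"""Flag Windows event records that indicate log clearing or Sysmon tampering.

Added example, not code from the original report. The record shape is an
assumption about the exporter; the provider/event ID pairs are real Windows
signatures that a defender would alert on.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Provider / event ID pairs that signal anti-forensics activity.
ANTI_FORENSICS = {
    ("Microsoft-Windows-Eventlog", 1102): "Security audit log cleared",
    ("Microsoft-Windows-Eventlog", 104): "Event log file cleared",
    ("Microsoft-Windows-Sysmon", 4): "Sysmon service state changed",
    ("Microsoft-Windows-Sysmon", 16): "Sysmon configuration changed",
}

# Constructed sample records (hypothetical hosts and users, not from the report).
SAMPLE_EVENTS = [
    {"time": "2023-02-22T01:00:05", "host": "srv-01",
     "provider": "Microsoft-Windows-Security-Auditing", "event_id": 4624, "user": "svc_backup"},
    {"time": "2023-02-22T01:02:11", "host": "srv-01",
     "provider": "Microsoft-Windows-Sysmon", "event_id": 4, "user": "SYSTEM"},
    {"time": "2023-02-22T01:02:40", "host": "srv-01",
     "provider": "Microsoft-Windows-Eventlog", "event_id": 1102, "user": "svc_backup"},
    {"time": "2023-02-22T01:03:02", "host": "srv-01",
     "provider": "Microsoft-Windows-Eventlog", "event_id": 104, "user": "svc_backup"},
    {"time": "2023-02-22T09:15:00", "host": "srv-02",
     "provider": "Microsoft-Windows-Sysmon", "event_id": 16, "user": "SYSTEM"},
    {"time": "2023-02-22T09:20:00", "host": "srv-02",
     "provider": "Microsoft-Windows-Security-Auditing", "event_id": 4688, "user": "alice"},
]


def flag_tampering(events):
    """Return one finding per record whose (provider, event_id) is an anti-forensics signature."""
    findings = []
    for ev in events:
        label = ANTI_FORENSICS.get((ev["provider"], ev["event_id"]))
        if label:
            findings.append({
                "time": ev["time"], "host": ev["host"], "user": ev["user"],
                "event_id": ev["event_id"], "label": label,
            })
    return findings


def cluster_by_host(findings, window_minutes=10):
    """Group findings per host and rate severity.

    A single Sysmon restart or a single cleared log can be routine maintenance;
    two or more distinct signatures on one host inside the window (e.g. Sysmon
    stopped, then the Security and System logs cleared) is rated 'high'.
    """
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f)

    window = timedelta(minutes=window_minutes)
    result = {}
    for host, items in by_host.items():
        items.sort(key=lambda f: f["time"])
        first = datetime.fromisoformat(items[0]["time"])
        last = datetime.fromisoformat(items[-1]["time"])
        distinct = {f["event_id"] for f in items}
        severity = "high" if len(distinct) >= 2 and last - first <= window else "medium"
        result[host] = {"count": len(items), "severity": severity, "ids": sorted(distinct)}
    return result


if __name__ == "__main__":
    hits = flag_tampering(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['time']} {h['host']} {h['user']:<10} {h['event_id']:>5} {h['label']}")
    for host, summary in cluster_by_host(hits).items():
        print(f"{host}: {summary}")
```

The clustering step is what separates this from a plain event ID lookup: on the constructed data, `srv-01` shows a Sysmon state change followed within a minute by both log-cleared events and is rated high, while the lone Sysmon configuration change on `srv-02` stays at medium for an analyst to review. Since an attacker who clears the Security log also removes earlier evidence, the 1102/104 records themselves survive only if logs are forwarded off-host before they can be cleared, so this logic belongs on a collector, not on the endpoint alone.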
Atharvan is also able to connect to hardcoded command and control (C&C) servers to retrieve files and execute arbitrary executables on infected hosts.
"The hardcoded C&C address seen in one of the samples analyzed so far was from the Amazon AWS Korea (Seoul) region, which is not a common location for C&C infrastructure," the company noted.
The disclosure comes a day after the cybersecurity firm revealed another previously undocumented threat group known as Hydrochasma. Hydrochasma has been observed targeting shipping companies and medical laboratories in Asia.