GoStealer Malware Targets Indian Military

A sophisticated cyber espionage incident targeting the Indian Air Force has been uncovered by security researchers. The attack uses a variant of the well-known Go Stealer, malware crafted to discreetly extract sensitive information from infected systems.

The malware, distributed via a deceptively named ZIP file, labeled "SU-30_Aircraft_Procurement," exploits recent defense procurement announcements, particularly the approval of 12 Su-30 MKI fighter jets by the Indian Defense Ministry in September 2023.

As per findings from Cyble Research and Intelligence Labs, the attackers execute their plan through a meticulously orchestrated series of steps. They utilize an anonymous file storage platform called Oshi to host the deceptive ZIP file, disguising it as crucial defense documentation. The link, "hxxps://oshi[.]at/ougg," is likely disseminated through spam emails or other communication channels.

The infection sequence progresses from a ZIP file to an ISO file, followed by a .lnk file, ultimately leading to the deployment of the Go Stealer payload. Exploiting the heightened tension around defense procurement, the attackers aim to entice Indian Air Force professionals into unwittingly activating the malware.
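The ZIP-to-ISO-to-.lnk staging described above is a common way to slip an executable stage past mail filters that only look at the outer archive. The following script is an added triage example (not from the article, and not Cyble's tooling) that lists the members of a ZIP lure and flags disk-image containers, Windows shortcut files, and document-like double extensions. It checks the ISO 9660 "CD001" volume descriptor and the fixed LNK header (HeaderSize 0x4C plus the LinkCLSID) rather than trusting file names alone. The sample archive is constructed in memory; for demonstration it places the .lnk beside the ISO, whereas in the real chain the shortcut sits inside the ISO.

```python
import io
import zipfile

# Magic values from the public ISO 9660 and MS-SHLLINK specifications.
ISO_MAGIC_OFFSET = 0x8001            # "CD001" inside the primary volume descriptor
ISO_MAGIC = b"CD001"
# LNK header: HeaderSize (0x4C) followed by LinkCLSID {00021401-0000-0000-C000-000000000046}
LNK_HEADER = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

CONTAINER_EXT = (".iso", ".img", ".vhd", ".vhdx")
SHORTCUT_EXT = (".lnk",)
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx"}


def classify_member(name: str, data: bytes) -> list[str]:
    """Return the reasons (if any) an archive member looks like a staged lure."""
    reasons = []
    lower = name.lower()
    if lower.endswith(CONTAINER_EXT):
        reasons.append("disk-image container inside archive")
        if lower.endswith(".iso") and data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + 5] != ISO_MAGIC:
            reasons.append("iso extension but no ISO 9660 volume descriptor")
    # Check both the extension and the header: a renamed .lnk still starts with LNK_HEADER
    if lower.endswith(SHORTCUT_EXT) or data.startswith(LNK_HEADER):
        reasons.append("windows shortcut (.lnk) payload stage")
    # "Procurement.pdf.lnk" style names hide the real type behind a document extension
    parts = lower.rsplit("/", 1)[-1].split(".")
    if len(parts) > 2 and parts[-2] in DOC_EXT:
        reasons.append("document-like double extension")
    return reasons


def triage_zip(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its list of reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member(info.filename, zf.read(info))
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample() -> bytes:
    """Constructed lure archive for the demo: a valid-looking ISO stub, a benign text file, a .lnk."""
    iso = bytearray(0x8000 + 2048)
    iso[0x8000:0x8006] = b"\x01CD001"         # volume descriptor type 1 + identifier
    lnk = LNK_HEADER + bytes(60)              # header only; no real shell link data
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SU-30_Aircraft_Procurement/SU-30_Aircraft_Procurement.iso", bytes(iso))
        zf.writestr("SU-30_Aircraft_Procurement/readme.txt", b"constructed benign file")
        zf.writestr("SU-30_Aircraft_Procurement/Procurement.pdf.lnk", lnk)
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in triage_zip(build_sample()).items():
        print(member, "->", "; ".join(why))
```

Run against a real attachment, the same function takes the ZIP bytes straight from the mail gateway quarantine; anything that returns a container-plus-shortcut combination is worth detonating in a sandbox before release.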

GoStealer Gets an Upgrade

The identified Go Stealer variant is built on an open-source Go Stealer published on GitHub but goes beyond that codebase in ways that raise its threat level. Written in Go, it adds expanded browser targeting and a new data exfiltration channel through Slack.

Upon execution, the stealer writes a log file to the victim's system. Analysis with Go-specific tooling such as GoReSym, which recovers function symbols from stripped Go binaries, shows the malware is designed to extract login credentials and cookies from specific browsers, including Google Chrome, Edge, and Brave.

In a departure from conventional information stealers, this variant displays heightened sophistication by leveraging the Slack API for covert communications. The choice of Slack as a communication channel aligns with its widespread use in enterprise networks, allowing malicious activities to seamlessly blend with regular business traffic.

The identified Go Stealer, distributed through the misleading ZIP file named "SU-30_Aircraft_Procurement," poses a significant threat to Indian defense personnel. The timing of the attack, coinciding with the Indian Government's announcement of the Su-30 MKI fighter jet procurement, raises concerns about targeted attacks or espionage activities.

January 19, 2024