Unknown threat actors have targeted Indian government entities and energy companies to distribute a modified version of the HackBrowserData malware via phishing emails, aiming to extract sensitive information, including personal details and financial documents, and using Slack as a command-and-control (C2) channel.
An EclecticIQ researcher, Arda Büyükkaya, revealed in a report that the attackers used Slack channels to upload private email messages, internal documents, and cached web browser data after infecting systems with the malware disguised as an invitation letter from the Indian Air Force.
The cybersecurity firm, EclecticIQ, named the ongoing campaign as Operation FlightNight, which commenced on March 7, 2024, targeting various Indian governmental departments and private energy companies.
The malware used in the attack chain employs an ISO file containing a Windows shortcut that triggers the execution of a hidden binary while simultaneously displaying a fake PDF invitation letter. The stolen data is then sent to a Slack channel controlled by the threat actor.
The malware, a modified version of HackBrowserData, goes beyond browser data theft to gather documents, communicate over Slack, and evade detection effectively. It’s suspected that the threat actor previously used the GoStealer malware targeting the Indian Air Force.
The utilization of open-source tools like Slack enables threat actors to conduct cyber espionage more efficiently, leading to easier targeted attacks with minimal risk of detection. Büyükkaya emphasized the need to adapt to this evolving threat landscape.
