For more than a decade, an advanced persistent threat (APT) actor known as ModifiedElephant has operated in near-complete obscurity, with no cybersecurity firm drawing the links between its attacks. Since 2012, the group has targeted human rights activists, free speech advocates, professors, and attorneys in India using freely available trojans delivered via spear-phishing. The malicious emails distribute keyloggers and remote access trojans such as NetWire and DarkComet, as well as Android malware.
SentinelLabs researchers reveal ModifiedElephant’s techniques in a new study, describing how recently disclosed material helped them attribute earlier “orphan” attacks. The most convincing proof is the overlapping infrastructure seen across various attacks between 2013 and 2019, together with the malware used. For more than 10 years, ModifiedElephant has depended on spear-phishing emails carrying malicious attachments, but its methods have improved over time.
Here’s a rundown of their previous operations, with some key milestones highlighted:
- 2013: the attacker sends email attachments with fake double extensions (file.pdf.exe) to spread malware
- 2015: the gang switches to password-protected RAR attachments containing genuine, enticing documents that hide the malware execution from scanners
- 2019: ModifiedElephant begins hosting malware-distribution sites and abuses cloud hosting services, transitioning from fake documents to harmful URLs
- 2020: attackers employ very large RAR files (300 MB) to evade detection, since many scanning engines skip files above a size limit
The attached documents used known exploits for malware execution on many occasions, including CVE-2012-0158, CVE-2013-3906, CVE-2014-1761, and CVE-2015-1641. The lures employed in these efforts were all political and often custom-made for the intended audience.
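The attachment tricks in the timeline above (fake double extensions, password-protected archives, and oversized RARs that sit above typical scan limits) can be triaged with simple mail-gateway rules. The following is an added illustration written for this article, not code from SentinelLabs or the report; the attachment records, the 250 MB threshold and the extension lists are constructed assumptions.

```python
import re

# Constructed sample attachment metadata (name, size in bytes, password-protected?),
# modelled on the lure styles described in the timeline. Not real samples.
SAMPLE_ATTACHMENTS = [
    ("annual_report.pdf.exe", 410_000, False),          # 2013-style double extension
    ("Invitation.rar", 1_200_000, True),                # 2015-style protected archive
    ("conference_photos.rar", 320 * 1024 * 1024, True), # 2020-style oversized archive
    ("agenda.docx", 52_000, False),                     # benign-looking document
]

# A document-looking name that really ends in an executable extension.
DOUBLE_EXTENSION = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|jpe?g|png)\.(exe|scr|com|bat|cmd|pif)$", re.I)
ARCHIVE_EXTENSIONS = (".rar", ".zip", ".7z")
# Assumed threshold: many scanners stop inspecting attachments above a few hundred MB.
LARGE_ARCHIVE_BYTES = 250 * 1024 * 1024


def flag_attachment(name, size_bytes, password_protected):
    """Return the list of rule names that fire for one attachment (empty if clean)."""
    flags = []
    if DOUBLE_EXTENSION.search(name):
        flags.append("double-extension")
    if name.lower().endswith(ARCHIVE_EXTENSIONS):
        if password_protected:
            flags.append("password-protected-archive")
        if size_bytes >= LARGE_ARCHIVE_BYTES:
            flags.append("oversized-archive")
    return flags


def triage(attachments):
    """Map each flagged attachment name to its triggered rules; clean files are omitted."""
    results = {}
    for name, size_bytes, protected in attachments:
        flags = flag_attachment(name, size_bytes, protected)
        if flags:
            results[name] = flags
    return results


if __name__ == "__main__":
    for name, flags in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {', '.join(flags)}")
```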
“The phishing emails take many approaches to gain the appearance of legitimacy,” explains SentinelLabs in the report. “This includes fake body content with a forwarding history containing long lists of recipients, original email recipient lists with many seemingly fake accounts, or simply resending their malware multiple times using new emails or lure documents.”
ModifiedElephant hasn’t been seen employing proprietary backdoors in its operating history, indicating that the group isn’t particularly sophisticated. NetWire and DarkComet, two publicly accessible remote access trojans extensively used by lower-tier hackers, were the principal malware employed in the campaigns.
ModifiedElephant’s Visual Basic keylogger hasn’t changed since 2012, and it’s been publicly available on hacking forums all that time. SentinelLabs remarks on the tool’s history, pointing out that it no longer works on recent OS versions. The Android malware is likewise a commodity trojan distributed to users in the form of an APK, luring them in by appearing as a news app or a secure messaging tool.
The SentinelLabs study draws various connections between the timing of certain ModifiedElephant attacks and the subsequent arrest of targets. This synchronicity, when paired with the targeted scope, which coincides with the objectives of the Indian government, creates a strong case that the hackers are funded by Indian government officials. Because freedom of speech advocates and scholars aren’t targeted for financial gain, these attacks are invariably political.