Indian activists targeted: hackers planted fake digital crime evidence

Hackers managed to plant criminal evidence on human rights activists, lawyer devices

Specific ModifiedElephant attacks have been linked with circles of India's official administration.

Threat actors hijacked devices of civil rights activities and planned incriminating evidence in the recent cyber attacks. A criminal hacking group named ModifiedElephant evaded discovery for a decade already.^[1] The hacking group is a well-known team of criminals linked to attacks aimed at various human rights activists, defenders, academics, lawyers. These main targets are in India.^[2]

The research firm SentinelOne reports ^[3] on these attacks and intrusions of the particular hacker group. The team is known since 2012 at least, and attacks are aligning with Indian state interests, so researchers think that these hackers have potential ties to the commercial surveillance industry.

ModifiedElephant relies on commercially available remote access tools and uses spear-phishing^[4] methods to spread malicious documents which deliver malware like keyloggers, NetWire, DarkComet, Android malware. The APT group manages to operate in secrecy without cybersecurity tools and companies noticing. The recent evidence shows that multiple campaigns between 2013 and 2019 are consistent with deployed malware and overlaps with this infrastructure.

The decade of malicious operations

This ModifiedElephant APT group is the hacker team relying on the particular phishing email campaigns that help spread malicious attachments with malware payloads. The group is working for ten years at least since many operations discovered by researchers can be licked to the particular team based on malware used in those attacks and some of the tactics.

Particular features observed through the years include the campaign in 2013 when hackers used email attachments with fake double extensions and deployed malware.^[5] group advanced these attacks in 2015 when password-protected RAR files became go-to attachments on these emails. Users were lured into malware execution with the overlays on the documents.

ModifiedElephant hackers started hosting the malware-dropping websites in 2019 and abused cloud hosting services. This switch to malicious slinks from documents follower through few years. In 2020, attackers users RAR files again and managed to evade detection of AV tools by skipping scans.

These methods have evolved, and threat actors use more advanced tools now in their operations. The main goal of these hackers is to spread long-term surveillance tools and spy on targeted individuals. These campaigns also lead to the delivery of fake evidence on those infiltrated devices, so framing those opponents can result in incarceration.

Leveraging known vulnerabilities and using remote access trojans

The group managed to exploit various vulnerabilities like CVE-2014-1761, and CVE-2015-1641. These methods involve politically related emails and highly tailored messages, based on particular targets. These features might be the key to the success of the attacks.

This includes fake body content with a forwarding history containing long lists of recipients, original email recipient lists with many seemingly fake accounts, or simply resending their malware multiple times using new emails or lure documents.

The group of hackers has been using the custom backdoor malware, deploying particular DarkComet, NetWire, other remote access trojans, publically available tools. There are particular keyloggers that ModifiedElephant has been using since 2012 already.

The Visual Basic keylogger, known for being one of many free tools, works on modern OS versions still, however. Android malware also is included in the arsenal of this criminal group. Trojan delivered by tricking people into installing APK spreads by posing as the news application or messaging tool.