
23/12/2023
Operation RusticWeb: Sophisticated Rust-Based Malware Campaign Aimed at Indian Government and Defense Sectors

The Indian government and defense sectors have been targeted by a sophisticated phishing campaign, termed Operation RusticWeb, which deploys Rust-based malware for intelligence gathering. Detected in October 2023, the campaign uses innovative techniques, including Rust payloads and encrypted PowerShell commands, to exfiltrate sensitive documents. Security analysts have found tactical similarities between this operation and the activities of the Pakistan-linked groups Transparent Tribe and SideCopy. SideCopy, in particular, is involved in delivering multiple trojans targeting Indian government bodies.

Recent attacks have involved the use of decoy Microsoft PowerPoint files and specially crafted RAR archives, exploiting vulnerabilities like CVE-2023-38831 for malware delivery. This allows attackers to gain remote access and control. The SideCopy APT group's infection chain is noted for its complexity, involving multiple orchestrated steps to ensure a successful compromise. One prevalent method uses phishing emails with malicious PDF attachments that discreetly drop Rust-based payloads while displaying decoy content.

The malware is designed to collect and transmit system information and files of interest, though it lacks the capabilities of more advanced stealer malware found in the cybercrime underground. SEQRITE uncovered another infection chain in December, which uses a PowerShell script for enumeration and exfiltration, followed by a Rust executable named "Cisco AnyConnect Web Helper."