A group of hackers suspected of operating from India has reportedly been compromising large numbers of PCs since at least 2013. Three security companies have tracked the group over that period; until now, however, its activity was regarded as the work of several separate entities.
According to Forcepoint security researchers Abel Toro, Nicholas Griffin and Andy Settle, the group, which they call Monsoon and which has previously been tracked as Patchwork APT, Operation Hangover and Dropping Elephant, has been using spear-phishing e-mails to target organizations. The e-mails carried weaponized Word documents that installed Trojans.
Forcepoint, which analysed the server infrastructure and domain names used in the spear-phishing attacks, found overlaps between the behaviour of the Operation Hangover and Monsoon groups.
Digging further into the collected data, the company found another overlap: the same TTPs (tactics, techniques and procedures) were used, and the e-mails were sent to the same individuals. Softpedia.com reported this on August 10, 2016.
Forcepoint's findings are compiled in a comprehensive 57-page report covering the group's hacking techniques and operations and the malware used in each; it shows that the group targeted demographically similar victims and operated across the Indian subcontinent.
The weaponized Word documents exploited three vulnerabilities, CVE-2015-1641, CVE-2014-6352 and CVE-2012-0158, to deliver the malware.
The three exploits delivered different malware samples that all reported to one rudimentary command-and-control infrastructure, hosted on unconventional services such as GitHub accounts, RSS feeds and other forums. Cymmetria, another security company, described the group as unsophisticated and noted that it used malware freely available on the Internet.
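The delivery chain described above, weaponized Word documents arriving as e-mail attachments, is something a mail gateway can triage before any exploit fires. The following heuristic scanner is an added example written for this article; it is not Forcepoint's, Cymmetria's or the group's code, and it detects document shapes rather than the specific CVEs. It flags RTF files that embed an OLE object (the usual vehicle for exploits of the CVE-2012-0158 / CVE-2015-1641 kind) and OLE2 compound documents that carry VBA macro or packaged-object streams. The sample attachments are constructed inline and are not real malware; the class name `Some.Ctrl.1` is a placeholder.

```python
"""Heuristic triage of Office attachments (added example, not the article's code)."""
import re

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # compound-document signature
RTF_MAGIC = b"{\\rtf"
# RTF control words that introduce an embedded object
RTF_OBJECT_WORDS = (b"\\object", b"\\objemb", b"\\objdata", b"\\objclass", b"\\objupdate")
# OLE2 directory-entry names are stored as UTF-16LE; these are worth flagging
OLE2_SUSPECT_STREAMS = {
    "_VBA_PROJECT": "VBA macro project",
    "Macros": "VBA macro storage",
    "\x01Ole10Native": "packaged (Ole10Native) embedded file",
}


def _rtf_objdata_blobs(data: bytes) -> list:
    """Hex-decode every \\objdata payload found in an RTF file."""
    blobs = []
    for m in re.finditer(rb"\\objdata\s*((?:[0-9A-Fa-f]|\s)+)", data):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:            # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        try:
            blobs.append(bytes.fromhex(hexstr.decode("ascii")))
        except ValueError:
            continue
    return blobs


def classify_attachment(data: bytes) -> dict:
    """Return {'kind', 'findings', 'suspicious'} for one attachment body."""
    result = {"kind": "unknown", "findings": []}
    findings = result["findings"]
    if data.startswith(RTF_MAGIC):
        result["kind"] = "rtf"
        words = [w.decode() for w in RTF_OBJECT_WORDS if w in data]
        if words:
            findings.append("embedded object control words: " + ", ".join(words))
        for blob in _rtf_objdata_blobs(data):
            if OLE2_MAGIC in blob:
                findings.append("\\objdata payload decodes to an OLE2 compound document")
            elif blob[:4] == b"\x01\x05\x00\x00":      # OLE 1.0 ObjectHeader.OLEVersion
                findings.append("\\objdata payload has an OLE 1.0 object header")
    elif data.startswith(OLE2_MAGIC):
        result["kind"] = "ole2"
        for name, desc in OLE2_SUSPECT_STREAMS.items():
            if name.encode("utf-16-le") in data:
                findings.append(f"stream/storage {name!r}: {desc}")
    result["suspicious"] = bool(findings)
    return result


# ---- constructed sample attachments (not real malware) ----------------------
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Times;}}\\f0 Quarterly report attached.\\par}"

_ole1_payload = (
    b"\x01\x05\x00\x00"                           # OLEVersion
    + b"\x02\x00\x00\x00"                         # FormatID 2 = embedded object
    + b"\x0c\x00\x00\x00" + b"Some.Ctrl.1\x00"    # ClassName (length incl. NUL), placeholder
    + b"\x00\x00\x00\x00" + b"\x00\x00\x00\x00"   # TopicName, ItemName (empty)
    + b"\x20\x00\x00\x00"                         # NativeDataSize = 32
    + OLE2_MAGIC + b"\x00" * 24                   # the embedded compound document (stub)
)
WEAPONIZED_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb\\objw100\\objh100{\\*\\objclass Some.Ctrl.1}"
    b"{\\*\\objdata " + _ole1_payload.hex().encode() + b"}}\\par}"
)


def _dirname(name: str) -> bytes:
    return (name.encode("utf-16-le") + b"\x00\x00").ljust(128, b"\x00")


# Only the header signature and directory names matter to the heuristic.
MACRO_DOC = OLE2_MAGIC + b"\x00" * 504 + b"".join(
    _dirname(n) for n in ("Root Entry", "WordDocument", "Macros", "VBA", "_VBA_PROJECT")
)


if __name__ == "__main__":
    for label, sample in (("benign.rtf", BENIGN_RTF),
                          ("invoice.rtf", WEAPONIZED_RTF),
                          ("report.doc", MACRO_DOC)):
        verdict = classify_attachment(sample)
        print(label, verdict["kind"], "SUSPICIOUS" if verdict["suspicious"] else "clean")
        for f in verdict["findings"]:
            print("   -", f)
```

The scanner deliberately stops at structural markers: an `\objdata` blob that decodes to a compound document, or a `_VBA_PROJECT` storage, is enough to quarantine the attachment for sandbox detonation, and the check runs in microseconds with no dependency on Office. A real gateway would also normalise tricks such as obfuscated control words and nested `\*` groups, which this example does not attempt.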
The Monsoon group's spear-phishing campaigns mainly use politically themed lures to conceal weaponized payloads. Although Forcepoint's report does not identify India as the attackers' base, it offers clues pointing in that direction: the registrant of some of the legitimately registered domain names lives in India, and the attacks persistently target India's neighbours. In 2013, the security company Blue Coat attributed Operation Hangover to a threat actor apparently based in India.