
Dissecting the ModifiedElephant APT Group and its Campaign

Researchers have identified ModifiedElephant, an APT group that used a range of tactics to operate in secrecy, undetected by cybersecurity organizations, for over a decade.

The ModifiedElephant campaign

ModifiedElephant is behind targeted attacks on human rights activists, human rights defenders, academics, and lawyers in India, with the goal of planting incriminating digital evidence to support the propagation of its own agenda.
  • The APT group has been operating since 2012 and is associated with several attacks that were previously not attributed to any specific threat group.
  • In multiple instances, the attached documents exploited the CVE-2013-3906, CVE-2014-1761, CVE-2015-1641, and CVE-2012-0158 flaws. The lures were political in theme and tailored to the target.
  • An infrastructure overlap has been detected in multiple campaigns between 2013 and 2019, along with consistency in deployed malware, which all indicate a connection with this APT group.

Based on the scope of targets, which aligns with the interests of the Indian state, a very likely assumption is that the attackers are sponsored by the official administration of India.

Attack vectors

  • ModifiedElephant has not been associated with any custom-developed backdoor, which indicates that this group may not be technically sophisticated.
  • The group uses readily-available trojans and delivers them via spear-phishing emails.
  • It also deploys keyloggers, RATs such as NetWire and DarkComet, and several Android malware strains.

How the group grew over the years

ModifiedElephant has been using spear-phishing emails with attachments for over a decade. Its other techniques, however, have evolved over time.
  • In 2013, the group used email attachments with fake double extensions (file[.]pdf[.]exe) to drop malware.
  • In 2015, it moved to password-protected RAR attachments containing genuine lure documents that show signs of malware execution.
  • In 2019, it started hosting malware-dropping sites, abusing cloud hosting services, and using malicious links.
  • In 2020, the group used large RAR files (300MB) to evade detection, since oversized archives are often skipped by scanners.
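The three attachment-level tricks listed above (fake double extensions, password-protected archives, oversized archives that scanners skip) are all visible in mail-gateway metadata before any payload runs. The following is an added example, not code from the article or from Cyware, that triages constructed attachment records on exactly those signals. The `Attachment` record, the extension lists and the 200MB size threshold are assumptions of this example; it also generalizes slightly beyond the article by tolerating whitespace padding between the extensions, which is a common variant of the same double-extension trick.

```python
"""Triage email attachments for the delivery tradecraft described in the article:
fake double extensions, password-protected archives and oversized archives.
Added example with constructed records; nothing here comes from the article."""

from dataclasses import dataclass

# Assumed extension groups; extend to match the file types your gateway sees.
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar"}
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "txt"}
ARCHIVE_EXT = {"rar", "zip", "7z"}
# Assumed threshold: archives at or above this size are flagged because many
# scanners skip them; the 300MB RAR files from the article exceed it.
OVERSIZE_BYTES = 200 * 1024 * 1024


@dataclass
class Attachment:
    """Hypothetical metadata record as a mail gateway might emit it."""
    filename: str
    size_bytes: int
    is_archive_encrypted: bool = False  # assumed to come from an upstream header parse


def extensions(filename: str) -> list[str]:
    """Return all extensions of a filename, lower-cased and whitespace-stripped.

    'Agenda.pdf.exe' -> ['pdf', 'exe']; 'Agenda.pdf    .exe' -> ['pdf', 'exe'].
    Stripping each part defeats whitespace padding used to hide the real extension.
    """
    base = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    parts = [p.strip().lower() for p in base.split(".")]
    return [p for p in parts[1:] if p] if len(parts) > 1 else []


def flag_attachment(att: Attachment) -> list[str]:
    """Return human-readable reasons an attachment is suspicious (empty = clean)."""
    reasons: list[str] = []
    exts = extensions(att.filename)
    # Executable masquerading as a document: document extension directly before
    # an executable one, e.g. file.pdf.exe.
    if len(exts) >= 2 and exts[-1] in EXEC_EXT and exts[-2] in DOC_EXT:
        reasons.append("double-extension executable")
    elif exts and exts[-1] in EXEC_EXT:
        reasons.append("executable attachment")
    if exts and exts[-1] in ARCHIVE_EXT:
        # Encryption stops content scanning; size can push the file past AV limits.
        if att.is_archive_encrypted:
            reasons.append("password-protected archive")
        if att.size_bytes >= OVERSIZE_BYTES:
            reasons.append("oversized archive (may bypass scanner size limits)")
    return reasons


def triage(attachments: list[Attachment]) -> dict[str, list[str]]:
    """Map each suspicious filename to its reasons; clean attachments are omitted."""
    result = {}
    for att in attachments:
        reasons = flag_attachment(att)
        if reasons:
            result[att.filename] = reasons
    return result


# Constructed sample records for demonstration; not real campaign artefacts.
SAMPLE = [
    Attachment("Agenda.pdf.exe", 150_000),
    Attachment("Conference Notes.pdf      .exe", 210_000),
    Attachment("Documents.rar", 320 * 1024 * 1024, is_archive_encrypted=True),
    Attachment("minutes.docx", 40_000),
    Attachment("photos.zip", 1_000),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE).items():
        print(f"{name}: {', '.join(reasons)}")
```

In production the `is_archive_encrypted` flag would come from reading the archive header rather than from the record, and the size threshold should match the actual limit of the scanner in front of the mailbox, since an archive just above that limit is the one that needs a second look.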

Conclusion

The ModifiedElephant APT group has been active for almost a decade without being detected by security firms, which hints at the serious risk posed by such threats. There may well be more groups like it operating from the shadows, undetected, right now.

Cyware Publisher