Search This Blog

Powered by Blogger.

Blog Archive

Labels

The Hacking Group 'ModifiedElephant' Remained Undetected

ModifiedElephant usually uses infected files to spread malware to its victims.

 

SentinelLabs' IT security researchers have discovered information of growing cyber-attacks (APT) wherein the threat actors have been targeting human rights activists, free speech advocates, professors, and lawyers in India using readily available trojans via spear-phishing since 2012. The group known as ModifiedElephant has been found to be planting 'incriminating evidence' on the devices of its targets. 

"The goal for ModifiedElephant is long-term espionage which sometimes ends with the transmission of evidence – files that implicate the victim in criminal offenses – prior to conveniently synchronized arrests," stated Tom Hegel, a threat researcher at SentinelOne. According to the research, over the previous decade, ModifiedElephant hackers have been attacking their victims with spearphishing emails containing malicious file attachments, with their methods becoming more complex over time. 

Spearphishing is the technique of emailing victims that appear to come from a trustworthy source in order to either divulge sensitive information or install malware on their computers. ModifiedElephant usually uses infected Files to spread malware to its victims. The particular mechanism and content included in malicious files have varied over time, according to SentinelOne, the timeline has been given below: 
  • 2013 – An adversary sends malware via email attachments with phony double extensions (file.pdf.exe). 
  • 2015 – The group switches to encryption key RAR attachments including legitimate luring documents that hide malware execution signals. 
  • 2019 – Updated Elephant begins hosting malware-distribution sites and takes advantage of cloud hosting capabilities, transitioning from phony papers to malicious URLs.
  • 2020 – attackers circumvent identification by skipping scans by using big RAR files (300 MB).

The CVE-2012-0158, CVE-2014-1761, CVE-2013-3906, and CVE-2015-1641 exploits, according to SentinelOne, were frequently utilized in luring documents, which attacked Microsoft Office Suite programs. 

Modified Elephant is not seen using any customized backdoors in its operational history, indicating the group isn't particularly sophisticated. NetWire and DarkComet, two publicly available remote access trojans extensively utilized by lower-tier hackers, were the principal malware used in the campaigns. 

ModifiedElephant's Visual Basic keylogger hasn't changed since 2012, and it's been open-source on hacking forums all that time. SentinelLabs remarks on the tool's history, pointing out that it no longer works on recent OS versions. The Android virus is likewise a commodity trojan that is distributed to users in order of an APK, luring them in by appearing like a news app or a secure messaging tool.
Share it:

APK Files

APT actors

Cyber Security

keylogger

Microsoft

SentineLabs

Spear Phishing attacks

Trojan

URL