Threat actors are hijacking the devices of India’s human rights lawyers, activists & defenders, planting incriminating evidence to ‘set them up’ for arrest, researchers warn.
The ‘Modified Elephant’ threat actors are not technically impressive, but they have evaded detection for a decade, hacking human rights advocates’ systems with old keyloggers & off-the-shelf RATs.
Modified Elephant
The actor, dubbed Modified Elephant, has been active for at least 10 years, & it is still active. It has been hitting targets since 2012, if not sooner, going after hundreds of groups & individuals – some repeatedly – according to Sentinel Labs researchers.
The operators are not what you would call technical ‘whiz-kids,’ but that does not matter. Tom Hegel, Threat Researcher at Sentinel One, stated in a post that the advanced persistent threat (APT) group – which may be tied to the commercial surveillance industry – has been getting along fine using basic hacking tools such as commercially available remote-access trojans (RATs).
Ensnaring Victims
The APT is ensnaring victims with spearphishing, delivering malware via rigged documents.
The malware the group has used includes Net Wire, Dark Comet & simple keyloggers, “with infrastructure overlaps that allow us to connect extended periods of previously unattributed malicious activity,” Hegel wrote.
The Dark Comet RAT, for example, has been used in politically motivated attacks for at least as long as Modified Elephant has been doing its dirty work. In 2012, its author gave up on development & sales after finding out that Dark Comet was used by the Syrian government in attacks against anti-government activists.
Old Tools
“There’s something to be said about how mundane the mechanisms of this operation are,” observed Juan Andrés Guerrero-Saade, Threat Researcher at Sentinel One & Adjunct Professor at Johns Hopkins SAIS in the US, via Twitter. “The malware is either custom garbage or commodity garbage. There’s nothing *technically* impressive about this threat actor, instead we marvel at their audacity.”
Modified Elephant uses old Visual Basic keyloggers that “are not the least bit technically impressive,” Hegel wrote, noting that the overall keylogger structure resembles code that was freely available on Italian hacking forums back in 2012. The loggers do not even work anymore, he noted, given that they are built “in such a brittle fashion.”
Android Trojan
Modified Elephant is also sending a commodity Android trojan payload, delivered as an APK file (0330921c85d582deb2b77a4dc53c78b3), along with the Net Wire trojan. The Android trojan tries to fool recipients into installing the malware themselves, by posing as a news app or a safe messaging tool.
The Android trojan seems to have been designed as a ‘multi-purpose hacking tool’ for broader cyber-crime, researchers stated.
Net Wire
Because the Android trojan is delivered at the same time as Net Wire, the same attacker was evidently trying to reach victims across the board, compromising both their endpoints & their mobile devices.
The trojan enables attackers to intercept & manage SMS & call data, wipe or unlock the device, perform network requests, & perform remote administration, according to Sentinel Labs. In other words, it is a basic, low-cost mobile surveillance toolkit well suited to the operators’ purpose.
Evidence Tampering
An example of the incriminating files planted by Modified Elephant is a file, Ltr_1804_to_cc.pdf, that detailed an assassination plot against Indian PM Narendra Modi. Arsenal Consulting’s digital analysis shows that the file – one of the more incriminating pieces of data seized by police – was one of many files delivered via a Net Wire RAT remote session associated with Modified Elephant.
“Further analysis showed how Modified Elephant was performing nearly identical evidence creation & organisation across multiple unrelated victim systems within roughly 15 minutes of each other,” according to Sentinel Labs’ detailed report.
If the concept of a threat actor interfering with evidence seems familiar, it may be because Modified Elephant’s tactics have precedent, Guerrero-Saade tweeted.
Turkish Language
Some months ago, Sentinel One reported on EGoManiac, a threat actor with a Turkish nexus (its malware contained Turkish language, its lures were written in Turkish, & its victims are Turkish & related to local politics) that was doing something similar in the Octopus Brain campaign.
In that campaign, Arsenal Consulting’s digital forensics revealed that the threat actor planted incriminating files on the systems of journalists working at the Turkish online news portal Oda TV just before Turkish National Police seized their machines. The fabricated files were later used as evidence of terrorism & as justification for jailing the journalists.
Incarcerate
“A threat actor willing to frame & incarcerate vulnerable opponents is a critically underreported dimension of the cyber threat landscape that brings up uncomfortable questions about the integrity of devices introduced as evidence,” Sentinel One’s Hegel explained.
Analysing EGoManiac’s attacks revealed the decade’s worth of malicious activity that Sentinel Labs now attributes to a previously unknown threat actor, Modified Elephant.
“This actor has operated for years, evading research attention & detection due to their limited scope of operations, the mundane nature of their tools, and their regionally-specific targeting,” Hegel explained. Also, it is still actively targeting victims.
Victimology
Modified Elephant’s goal is long-term surveillance, sometimes leading up to the delivery of cooked-up “evidence” that supposedly connects the target to specific crimes right before what Hegel referred to as “conveniently co-ordinated arrests,” such as the files planted on the devices used by Oda TV journalists Barış Pehlivan & Müyesser Yıldız.
Researchers have identified hundreds of groups & individuals targeted by Modified Elephant phishing campaigns: mainly, they are activists, human rights defenders, journalists, academics, & law professionals in India.
The APT primarily uses weaponised Microsoft Office files to deliver whichever malware the operators currently favour – a preference that changes over time & with the target.
Evolution
Here is how the group has evolved over the years, researchers explained:
- Mid-2013: the actor used phishing emails containing executable file attachments with fake double extensions (filename.pdf.exe).
- Post-2015: the actor moved on to less obvious files containing publicly available exploits, such as .doc, .pps, .docx, .rar, & password-protected .rar files. These attempts involved legitimate lure documents in .pdf, .docx, & .mht formats to capture the target’s attention while also executing malware.
- 2019: Modified Elephant operators employed phishing campaigns that dangled links to files hosted externally for manual download & execution by the target.
- 2020: As Amnesty International & Citizen Lab documented, the operators also made use of large .rar archives (up to 300MB), potentially in an attempt to bypass detection, in a co-ordinated spyware attack that illegally targeted 9 human rights defenders.
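Two of the lure traits listed above (fake double extensions such as filename.pdf.exe, and unusually large .rar archives) can be screened for at the mail gateway. The following is an added example written for this article, not code from Sentinel Labs; the extension sets, the size threshold and the sample attachment batch are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed for this example: what a "document" looks like to a recipient
# versus what actually executes. The executable set is illustrative, not exhaustive.
DOC_EXTS = {"pdf", "doc", "docx", "pps", "ppt", "xls", "xlsx", "rtf", "txt", "mht"}
EXEC_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif", "js", "vbs", "msi"}
ARCHIVE_EXTS = {"rar", "zip", "7z"}
# Assumed review threshold; the report cites archives of up to 300MB.
LARGE_ARCHIVE_BYTES = 100 * 1024 * 1024


@dataclass
class Attachment:
    name: str
    size: int  # bytes


def fake_double_extension(name: str) -> Optional[str]:
    """Flag names that read as a document but end in an executable extension."""
    parts = name.lower().split(".")
    if len(parts) < 3:  # need at least base.inner.outer
        return None
    inner, outer = parts[-2], parts[-1]
    if outer in EXEC_EXTS and inner in DOC_EXTS:
        return f"fake double extension: .{inner}.{outer}"
    return None


def oversized_archive(att: Attachment) -> Optional[str]:
    """Flag archive attachments at or above the review threshold."""
    ext = att.name.lower().rsplit(".", 1)[-1]
    if ext in ARCHIVE_EXTS and att.size >= LARGE_ARCHIVE_BYTES:
        return f"oversized .{ext} archive ({att.size // (1024 * 1024)} MB)"
    return None


def triage(att: Attachment) -> List[str]:
    """All findings for one attachment; an empty list means nothing matched."""
    checks = (fake_double_extension(att.name), oversized_archive(att))
    return [f for f in checks if f]


# Constructed sample batch, not real attachment data from the report.
SAMPLE = [
    Attachment("invitation_final.pdf.exe", 412_000),
    Attachment("agenda.docx", 96_000),
    Attachment("conference_photos.rar", 300 * 1024 * 1024),
    Attachment("notes.txt", 2_000),
]


def flagged(batch: List[Attachment] = SAMPLE) -> Dict[str, List[str]]:
    """Map each flagged attachment name to its findings."""
    return {a.name: triage(a) for a in batch if triage(a)}
```

Name-based checks like these catch only the clumsiest lures; the later Office-exploit documents the article describes need content inspection rather than filename rules.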
Vulnerabilities
Sentinel Labs found that the lure documents they analysed repeatedly exploited vulnerabilities that have been used widely over the years – CVE-2012-0158, CVE-2014-1761, CVE-2013-3906 & CVE-2015-1641 – to deliver & execute malware.
The spearphishing emails & lures use titles & themes around topics relevant to the target, Hegel stated, “such as activism news & groups, global & local events on climate change, politics, & public service.”
Critics of Authoritarian Govts.
Sentinel One warns that it has examined only “a small subset” of Modified Elephant’s potential targets, the actor’s techniques & its objectives.
More work needs to be done, & many questions remain to be answered. One thing is clear, researchers observed: “Critics of authoritarian govts. around the world must carefully understand the technical capabilities of those who would seek to silence them.”