Phishing Campaign by Cyber Threat Actors


A Phishing Attack

- It has recently come to notice that a phishing campaign has been launched targeting the parents of children studying in Army Public Schools across the country. The parents are being contacted through email, WhatsApp calls and landline numbers to "verify" the students' details.
- For the purpose of verification, a link is being shared over email/WhatsApp/message. On clicking the link, the user is directed to Google Drive, which downloads a file containing malware capable of stealing important information from the user's computer.
1. A spear phishing attack has come to notice wherein a phishing email was circulated by the threat actors to the parents of children studying in Army Public Schools in order to compromise the digital artifacts of Indian Army personnel. The email contains a hyperlink which is capable of downloading a malicious executable file from Google Drive.
2. The threat actors appear to have obtained the names of children studying in various Army Public Schools and the email addresses of their parents. Further, a phishing email is being forwarded to the parents on their official/personal email accounts from a fake email address named AWES (email ID awes@admindept.in), having the subject 'STUDENT XXXXX <Student Name>' and containing a hyperlink named 'Student's Details'. A screenshot of the received email is attached below:-
- On accessing the hyperlink embedded in the email, a compressed file containing a malicious file named Student Details.exe gets downloaded from Google Drive at the URL 'https://drive.google.com/uc?export=download&id=1COMo7zAuAxhFSnKsD 2DURW634h4azCyb'.
- The downloaded malicious file is capable of dropping the following files during execution:-
(a) circlex.exe
(b) Knowledge.dll
(c) detailsx.pdf - fake PDF document
(d) myspace.zip - compressed file containing Knowledge.dll (malicious)
- The said malicious file further triggers the dropped file named circlex.exe, which makes the necessary entry in 'Task Scheduler' for persistence, collects the computer details (computer name, OS details, IP address, username, etc.) and uploads the collected information to its C2 server registered at IP address 108.61.208.207. The location of the said IP address is France.

The following actions are recommended to be undertaken by users to contain the risks posed by the threat:-
- In case such an email is received, it should be marked as spam and deleted. The email, if received, should be forwarded to CERT-Army at email ID sendmalware@rediffmail.com.
- Do not click on the hyperlink embedded in the email. If the link has been clicked and the file has been downloaded and accessed, users are advised to sanitise the computer with a licensed and updated anti-virus tool immediately.
- Keep all your systems updated with the latest security patches and anti-virus updates.
- The IP address of the C2 server, 108.61.208.207, should be blocked on all computers and perimeter security devices (UTM/firewall).
- Do not access emails from unknown contacts without verifying the sender's details.
- It has come to our notice that a phishing URL 'https://drdo.gov.in.cyberdefenceexercise.cyou/cyberdefenceexercise.html', mimicking the website of DRDO, has been in mass circulation since 03 Jun 23 within various sensitive government organisations, including Defence establishments, to harvest the NIC credentials of government officials under the pretext of a Defence Cyber Exercise (DCX), sent through a compromised NIC email ID 'mkjaiswal@ord.gov.in'.
- Additionally, some more such phishing campaigns are actively pursuing credential harvesting of Defence personnel under various pretexts, which are shown in the table below:-

S No  Malicious Domain            IP Address
1     cyberdefenceexercise.cyou   185.20.187.75 - 185.20.184.6, 198.54.16.98
2     aiapplication.chat          68.65.121.178
3     vigilancedep.info           104.21.34.145
4     kavachmail.in               104.21.64.80
5     mod-info.xyz                68.65.121.153
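As an added defender-side example (not part of this advisory), the Python below screens inbound mail metadata and firewall/DNS log lines against the indicators given here: the fake AWES sender, the 'STUDENT ...' subject lure, the direct Google Drive download link used to serve Student Details.exe, the C2 IP 108.61.208.207, and the malicious domains and IPs in the table above. The key=value log format and the sample lines are constructed for the demonstration, not taken from any real system.

```python
import re
from urllib.parse import urlparse
# Indicators copied from the advisory text and table above.
PHISHING_SENDERS = {"awes@admindept.in"}
MALICIOUS_DOMAINS = {"cyberdefenceexercise.cyou", "aiapplication.chat",
                     "vigilancedep.info", "kavachmail.in", "mod-info.xyz"}
MALICIOUS_IPS = {"108.61.208.207",  # C2 contacted by the dropped circlex.exe
                 "185.20.187.75", "185.20.184.6", "198.54.16.98",
                 "68.65.121.178", "104.21.34.145", "104.21.64.80", "68.65.121.153"}
SUBJECT_RE = re.compile(r"^STUDENT\b", re.IGNORECASE)  # 'STUDENT XXXXX <Student Name>' lure
LOG_RE = re.compile(r"\bdst=(?P<dst>[\d.]+)|\bquery=(?P<q>[\w.-]+)")

def domain_matches(host: str) -> bool:
    """True if host is a listed domain or sits under one (e.g. drdo.gov.in.cyberdefenceexercise.cyou)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MALICIOUS_DOMAINS)

def check_email(sender: str, subject: str, links: list[str]) -> list[str]:
    """Return the reasons an inbound mail should be quarantined; an empty list means no hit."""
    reasons = []
    if sender.lower() in PHISHING_SENDERS:
        reasons.append("sender is the fake AWES address " + sender)
    if SUBJECT_RE.match(subject):  # weak on its own; combine with the other signals
        reasons.append("subject follows the 'STUDENT <name>' lure")
    for link in links:
        u = urlparse(link)
        host = u.hostname or ""
        if host == "drive.google.com" and u.path == "/uc" and "export=download" in u.query:
            reasons.append("direct Google Drive file download: " + link)
        elif domain_matches(host):
            reasons.append("link to listed phishing domain " + host)
    return reasons

def scan_log_lines(lines: list[str]) -> list[tuple[str, str]]:
    """Flag firewall (dst=) and DNS (query=) log lines that touch a listed IP or domain."""
    hits = []
    for line in lines:
        for m in LOG_RE.finditer(line):
            if m.group("dst") in MALICIOUS_IPS:
                hits.append((line, "connection to listed IP " + m.group("dst")))
            elif m.group("q") and domain_matches(m.group("q")):
                hits.append((line, "lookup of phishing domain " + m.group("q")))
    return hits

# Constructed sample log lines (not from the advisory); src addresses are private test values.
SAMPLE_LOGS = [
    "2023-06-04T10:01:02 fw action=allow src=10.0.5.21 dst=108.61.208.207 dport=443",
    "2023-06-04T10:01:05 dns query=drdo.gov.in.cyberdefenceexercise.cyou type=A",
    "2023-06-04T10:02:00 fw action=allow src=10.0.5.22 dst=203.0.113.9 dport=443",
]
```

Calling scan_log_lines(SAMPLE_LOGS) returns hits for the C2 connection and the look-alike DRDO domain lookup, and nothing for the benign third line; check_email() applied to a mail's From, Subject and extracted links works the same way for the Army Public School lure.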

- It is also relevant to mention that the following compromised NIC e-mail IDs were used to originate phishing campaigns:-

All users are advised that any e-mail received from the compromised IDs given above should not be opened. Forward any suspicious emails to the DCyA e-mail ID (soc.ids@gov.in) for analysis and further guidelines, without clicking any link, opening any attachment or entering credentials. After forwarding to DCyA, delete the phishing emails from the inbox and trash folders of all recipients.
- It is also intimated that a scamster (female/male voice) calling from the mobile number given above is approaching students/parents of Army Public Schools, asking for their details/photos, etc., in the name of an event being organised by AWES for the Independence Day celebrations.
- The scamster is also forwarding a form, to be filled in to win attractive prizes.
- Do not provide any details to an unknown mobile number without verifying the caller's details.

Thank You
