Border Security Force website has been used to spread malware

An official website of the Border Security Force (BSF) in India was hacked and used to spread malware. The website is currently https://bsf. [gov] .in is offline.

After the MalwareHunter team tweet on April 6, the malware issue was known to the public. The malware they found on the BSF website called SocketPlayer had never appeared before. “Just found that the website of “Border Security Force of India” (https://bsf.[gov].in/) has been used to spread malware in past weeks. Checked two of the samples (highlighted on screenshot): one is SocketPlayer main, another is SocketPlayer loader (both crypted). Interesting.”

Just found that the website of "Border Security Force of India" (https://bsf.[gov].in/) has been used to spread malware in past weeks.
Checked two of the samples (highlighted on screenshot): one is SocketPlayer main, another is SocketPlayer loader (both crypted).
Interesting.
🤔 pic.twitter.com/IQQhVo0cFS

— MalwareHunterTeam (@malwrhunterteam) April 6, 2018

They also stated that “All source links that I could find (possible that there are ones that wasn’t scanned, so I couldn’t find) on screenshot. Currently, the whole site is down (503 error), so couldn’t verify if the files are removed or not…”

In addition, Yash Kadakia, chief technology officer of Security Brigade, a Mumbai-based information security company, analyzed the malware. Kadakia said that “From an initial look, it appears that once downloaded, these infected files work by accessing a person’s contact lists through a mail client like Outlook to send out emails pretending to be from the United Services Club in Mumbai. The email then triggers another malware which can remotely access one’s system from attacker-controlled servers in Germany and the USA”

Malware researcher Bart revealed on the 7th that he had attacked the BSF website as a hacker. The Webshell hosted on the “India Border Security Force” is a typical WSO webshell, modified by “DrSpy”. Auth_pass is decoded as “cyberrose”, which is clearly a Pakistani hacker organization.

The Times of India reported on the incident on April 8. A BSF spokesperson claimed that the website has already realized these problems. “The website has been under security audit for the last 30-40 days. Concerned officials are comprehensively studying various elements of the website and why they were behaving in a certain manner.”

A few hours after the Times of India reported, the MalwareHunter team was openly unbelievable about the BSF staff’s claims. If BSF officials say it is true, it means that BSF’s “review” is more than two months before “SocketPlayer” began using the site to spread their malicious software. “Currently, every single SocketPlayer sample we know of, are either were seen on BSF’s website, or they are samples that were downloaded by the samples seen there.“

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy

Written by

@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.