Border Security Force website has been used to spread malware

An official website of the Border Security Force (BSF) in India was hacked and used to spread malware. The website is currently https://bsf. [gov] .in is offline.

After the MalwareHunter team tweet on April 6, the malware issue was known to the public. The malware they found on the BSF website called SocketPlayer had never appeared before. “Just found that the website of “Border Security Force of India” (https://bsf.[gov].in/) has been used to spread malware in past weeks. Checked two of the samples (highlighted on screenshot): one is SocketPlayer main, another is SocketPlayer loader (both crypted). Interesting.”

Just found that the website of "Border Security Force of India" (https://bsf.[gov].in/) has been used to spread malware in past weeks.
Checked two of the samples (highlighted on screenshot): one is SocketPlayer main, another is SocketPlayer loader (both crypted).
Interesting.
🤔 pic.twitter.com/IQQhVo0cFS

— MalwareHunterTeam (@malwrhunterteam) April 6, 2018

They also stated that “All source links that I could find (possible that there are ones that wasn’t scanned, so I couldn’t find) on screenshot. Currently, the whole site is down (503 error), so couldn’t verify if the files are removed or not…”

In addition, Yash Kadakia, chief technology officer of Security Brigade, a Mumbai-based information security company, analyzed the malware. Kadakia said that “From an initial look, it appears that once downloaded, these infected files work by accessing a person’s contact lists through a mail client like Outlook to send out emails pretending to be from the United Services Club in Mumbai. The email then triggers another malware which can remotely access one’s system from attacker-controlled servers in Germany and the USA”

Malware researcher Bart revealed on the 7th that he had attacked the BSF website as a hacker. The Webshell hosted on the “India Border Security Force” is a typical WSO webshell, modified by “DrSpy”. Auth_pass is decoded as “cyberrose”, which is clearly a Pakistani hacker organization.

The Times of India reported on the incident on April 8. A BSF spokesperson claimed that the website has already realized these problems. “The website has been under security audit for the last 30-40 days. Concerned officials are comprehensively studying various elements of the website and why they were behaving in a certain manner.”

A few hours after the Times of India reported, the MalwareHunter team was openly unbelievable about the BSF staff’s claims. If BSF officials say it is true, it means that BSF’s “review” is more than two months before “SocketPlayer” began using the site to spread their malicious software. “Currently, every single SocketPlayer sample we know of, are either were seen on BSF’s website, or they are samples that were downloaded by the samples seen there.“