Kavach Authentication helps you secure your access to a multitude of software solutions spread across your IT landscape. The application is extremely intuitive, easy to use, highly secure, and integrates seamlessly with multiple endpoints. The app works with the Kavach Authentication Server in the backend. Contact your IT admin/support for more instructions on support and activation. The app supports multiple authentication features such as OTP and one-click login.

In this blog, we will describe how this group abuses Google advertisements for the purpose of malvertising to distribute backdoored versions of the Kavach multi-factor authentication (MFA) application. We will shed light on the complete details of the attack chain, which have not been previously shared in the public domain. This threat group has also conducted very low-volume credential harvesting attacks masquerading as official Indian government websites, luring unsuspecting users into entering their credentials.





Figure 1 illustrates the end-to-end attack chain of the distribution of backdoored Kavach multi-factor authentication (MFA) applications. Each part of this attack chain is explained in more detail in the later sections of the blog.

The malvertising aspect of APT-36 group has not been previously documented, so in this blog we will shed some light on how the threat actor lures Indian government users to download backdoored Kavach multi-factor authentication (MFA) applications.

To understand this better, we took snapshots of this website at different points in time in 2022. By leveraging the web archive feature, it can be seen in Figure 6 that in May 2022 the download link for Kavach on this app store pointed to kavach-app[.]com (a confirmed attacker-registered domain used in the campaign).

As mentioned above in the distribution mechanism section, this threat actor uses various malvertising methods to lure unsuspecting Indian government employees to download a backdoored version of the Kavach multi-factor authentication (MFA) application.

To use the app, you need to contact your IT admin or support for more instructions on support and activation. The app works with Kavach Authentication Server in the background and supports multiple authentication features such as OTP and one-click login. It is important to note that this app only works with Kavach Security Server as the authentication server.

The purpose of the Kavach Application is to provide 2-step Authentication for your confidential emails. When you usually want to access your emails, it takes your username and password as input. With the Kavach app for PC, you need to provide authentication through Kavach App in addition to your password.

Transparent Tribe used the Kavach authentication tool as a cover to deliver the Poseidon payload. Kavach is a two-factor authentication (2FA) solution provided by the Indian government for secure access to their email services. Transparent Tribe created a backdoored version of Kavach to target Linux users working for Indian government agencies. When a user interacts with the malicious version of Kavach, the genuine login page is displayed to distract them. Meanwhile, the payload is downloaded in the background, compromising the user's system.

Malvertising

The malvertising aspect of the APT-36 group has not been previously documented, so in this blog analysts will shed some light on how the threat actor lures Indian government users into downloading backdoored Kavach multi-factor authentication (MFA) applications.

I have tried putting Acquire::http::proxy in the apt config, and in Network > Network proxy with and without user:password@server:port, and using the environment variables http_proxy and https_proxy. Nothing seems to work, not even a single proxy authentication popup window.

In the dash button, select the "Network" option. In the network configuration screen you should select "network proxy" > "manual", type your proxy data and finally "Apply to all system". If authentication is required, the login screen will appear.

Pivoting further, we can see that the function prparingsiej() is parsing data from the tng() class. This class contains a single IP address (155.133.23[.]244) and three ports (3309, 3310, 3311) that are used by the previous function to establish a connection and exfiltrate the kavach.db file. The IP address hard-coded into the binary is the same one used to download the file in the original JScript code. It would appear that the ports are chosen at random by the called functions.

Other binary files containing very similar code were also discovered being leveraged by the same group. This year alone we were able to find nine unique samples used by the threat actors. The primary function of each of the .exe files was to act as a RAT. In this particular case, mm1.exe also functions as a RAT, with the added functionality of looking for the MFA database file, kavach.db, on carefully selected targets. Additional binary file names and hashes are listed at the end of the article.

Overall, it is clear that this is a very targeted attack against the Indian government. We know that the binary mm1.exe is looking for a very particular database file (kavach.db), which means that the attacker had inside knowledge of their intended target. Some of this knowledge includes its security controls, such as which MFA client was being used by employees.

If you're using IAS as your Radius server for authentication, you see this behavior on the IAS server. If you're using Routing and Remote Access, and Routing and Remote Access is configured for Windows Authentication (not Radius authentication), you see this behavior on the Routing and Remote Access server.

Talos observed the use of downloader executables containing different lures related to the Indian government. Themes included topics related to COVID-19, resumes and installers for government applications, such as the Kavach multi-factor authentication (MFA) application.

While applications write to the LoginContext Application Programming Interface (API), authentication technology providers implement the LoginModule interface. A Configuration specifies the LoginModule(s) to be used with a particular login application. Different LoginModules can be plugged in under the application without requiring any modifications to the application itself.

The Subject represents the user or service currently being authenticated and is updated by a LoginModule with the relevant Principals and credentials if authentication succeeds. LoginModules use the CallbackHandler to communicate with users (to prompt for user names and passwords, for example), as described in the login method description. Note that the CallbackHandler may be null. A LoginModule that requires a CallbackHandler to authenticate the Subject may throw a LoginException if it was initialized with a null CallbackHandler. LoginModules optionally use the shared state to share information or data among themselves.

The calling application sees the authentication process as a single operation invoked via a call to the LoginContext's login method. However, the authentication process within each LoginModule proceeds in two distinct phases. In the first phase of authentication, the LoginContext's login method invokes the login method of each LoginModule specified in the Configuration. The login method for a LoginModule performs the actual authentication (prompting for and verifying a password for example) and saves its authentication status as private state information. Once finished, the LoginModule's login method returns true (if it succeeded) or false (if it should be ignored), or it throws a LoginException to specify a failure. In the failure case, the LoginModule must not retry the authentication or introduce delays. The responsibility of such tasks belongs to the application. If the application attempts to retry the authentication, each LoginModule's login method will be called again.

In the second phase, if the LoginContext's overall authentication succeeded (calls to the relevant required, requisite, sufficient and optional LoginModules' login methods succeeded), then the commit method for each LoginModule gets invoked. (For an explanation of the LoginModule flags required, requisite, sufficient and optional, please consult the Configuration documentation and Appendix B: Example Login Configurations in the JAAS Reference Guide.) The commit method for a LoginModule checks its privately saved state to see if its own authentication succeeded. If the overall LoginContext authentication succeeded and the LoginModule's own authentication succeeded, then the commit method associates the relevant Principals (authenticated identities) and credentials (authentication data such as cryptographic keys) with the Subject.

If the LoginContext's overall authentication failed (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules' login methods did not succeed), then the abort method for each LoginModule gets invoked. In this case, the LoginModule removes/destroys any authentication state originally saved.

The initialize method may additionally peruse the provided sharedState to determine what additional authentication state it was provided by other LoginModules, and may also traverse through the provided options to determine what configuration options were specified to affect the LoginModule's behavior. It may save option values in variables for future use.

This method implementation should perform the actual authentication. For example, it may cause prompting for a user name and password, and then attempt to verify the password against a password database. Another example implementation may inform the user to insert their finger into a fingerprint reader, and then match the input fingerprint against a fingerprint database.

The authentication process may also involve communication over a network. For example, if this method implementation performs the equivalent of a kinit in Kerberos, then it would need to contact the KDC. If a password database entry itself resides in a remote naming service, then that naming service needs to be contacted, perhaps via the Java Naming and Directory Interface (JNDI). Implementations might also interact with an underlying operating system. For example, if a user has already logged into an operating system like Solaris, Linux, macOS, or Windows NT, this method might simply import the underlying operating system's identity information.
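The two-phase protocol described in the preceding paragraphs (login saves private state; commit or abort then acts on it; the CallbackHandler is used for prompting and a null handler is a LoginException) is easiest to see in a complete LoginModule. The following is an added example written for this page, not code from the JAAS reference guide: the class name DemoLoginModule, the UserPrincipal type, the in-memory user table and the scripted CallbackHandler in main are all constructed for the demonstration, and the programmatic Configuration replaces the jaas.conf file a real deployment would use.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Added example (not JAAS reference code): a minimal LoginModule that follows the
// two-phase login/commit/abort protocol. The user table below is a constructed
// sample; a real module would verify against a salted hash in a credential store.
public class DemoLoginModule implements LoginModule {
    private static final Map<String, char[]> USERS = Map.of("alice", "s3cret".toCharArray());

    private Subject subject;
    private CallbackHandler handler;
    private String username;
    private boolean loginSucceeded;   // private phase-one state, never exposed to the Subject yet
    private boolean committed;
    private Principal principal;

    // Hypothetical Principal type added for this example.
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "UserPrincipal[" + name + "]"; }
        @Override public boolean equals(Object o) { return o instanceof UserPrincipal && ((UserPrincipal) o).name.equals(name); }
        @Override public int hashCode() { return name.hashCode(); }
    }

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        // sharedState and options (e.g. a "debug" flag) would be read and saved here.
    }

    @Override
    public boolean login() throws LoginException {
        // Phase one: prompt, verify, record the outcome privately. No Subject changes yet.
        if (handler == null) throw new LoginException("No CallbackHandler available to prompt for credentials");
        NameCallback nameCb = new NameCallback("username: ");
        PasswordCallback passCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, passCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("Callback failed: " + e.getMessage());
        }
        username = nameCb.getName();
        char[] supplied = passCb.getPassword();
        passCb.clearPassword();
        char[] expected = USERS.get(username);
        // Arrays.equals is not constant-time; shown here only to keep the demo short.
        loginSucceeded = expected != null && supplied != null && Arrays.equals(expected, supplied);
        if (supplied != null) Arrays.fill(supplied, ' ');
        // On failure: throw, do not retry or sleep; retries are the application's job.
        if (!loginSucceeded) throw new FailedLoginException("Invalid username or password");
        return true;
    }

    @Override
    public boolean commit() throws LoginException {
        // Phase two: only now is the Subject populated, and only if our own login passed.
        if (!loginSucceeded) return false;
        principal = new UserPrincipal(username);
        subject.getPrincipals().add(principal);
        committed = true;
        return true;
    }

    @Override
    public boolean abort() throws LoginException {
        // Overall authentication failed: discard everything saved in phase one.
        if (!loginSucceeded) return false;
        if (committed) { logout(); } else { username = null; loginSucceeded = false; }
        return true;
    }

    @Override
    public boolean logout() throws LoginException {
        subject.getPrincipals().remove(principal);
        username = null; principal = null; loginSucceeded = false; committed = false;
        return true;
    }

    // Driver with a programmatic Configuration, so no jaas.conf is needed to run it.
    public static void main(String[] args) throws LoginException {
        Configuration config = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(DemoLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of())
                };
            }
        };
        // Scripted handler standing in for an interactive prompt (constructed input).
        CallbackHandler scripted = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName("alice");
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword("s3cret".toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
        LoginContext lc = new LoginContext("Demo", new Subject(), scripted, config);
        lc.login();   // runs login() on every module, then commit() (or abort() on failure)
        System.out.println("Authenticated principals: " + lc.getSubject().getPrincipals());
        lc.logout();
    }
}
```

Swapping the scripted handler for one that returns a wrong password makes login() throw FailedLoginException, and because the entry is flagged REQUIRED the LoginContext then calls abort() on the module instead of commit(), so the Subject is never populated; that is the failure path the text describes.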
