Open source libraries used in the Mars Rover software are being abused by malware creators as part of a cyber-espionage campaign against the Indian government.

For the past years, India has been a trustworthy business partner for Afghanistan, helping the latter build its new Parliament complex, the Salma Dam, along with smaller transportation, energy, and infrastructure projects.

Because of this tight collaboration between the two, it is normal that other nations or interest groups may want to know what the two countries are planning together.

Malware targeted India's Ambassador to Afghanistan

According to Palo Alto Networks, on December 24, 2015, India's Ambassador to Afghanistan received a spear-phishing email that contained a new malware variant, which, if downloaded and installed, would have opened a backdoor on the official's computer.

The email was spoofed and made to look like it was coming from India's Defense Minister, Manohar Parrikar. Attached to the email was an RTF file.

Palo Alto researchers say that this file contained malicious code to exploit the CVE-2010-3333 Office XP vulnerability, resulting in the download of a file named "file.exe" from the newsumbrealla[.]net domain.

Trojan uses some of the Mars Rover's libraries

This file was automatically launched into execution and was a simple malware payload dropper that was tasked with downloading the real threat, a new trojan that the researchers christened Rover.

This malware was given the "Rover" name because it relied on the OpenCV and OpenAL open source libraries, both used in the software deployed with the famous Mars Rover exploration robot.

OpenCV is a library used in computer vision applications and image processing while OpenAL is a cross-platform library for working with multichannel audio data.

Rover malware is a simple yet effective threat

The Rover malware needed these two libraries because its main role was to spy on infected targets. Its capabilities included the ability to take screenshots of the desktop in BMP format and send them to the C&C server every 60 minutes, logging keystrokes and uploading the data to the C&C server every 10 seconds, and scanning for Office files and uploading them to the C&C server every 60 minutes.

Additionally, there was also a backdoor component that allowed attackers to send commands from the C&C server and tell Rover to take screenshots or start recording video (via webcam) and audio (via microphone) whenever the attacker wanted to.

"Though 'Rover' is an unsophisticated malware lacking modern malware features, it seems to be successful in bypassing traditional security systems and fulfilling the objectives of the threat actor behind the campaign in exfiltrating information from the targeted victim," Palo Alto researchers explain.

Rover is largely undetected by today's antivirus engines, and despite not coming with that many features, it is successful at keeping a low profile, exactly what cyber-espionage groups need from their malware to begin with.