#FactCheck - Viral Video of Argentina Football Team Dancing to Bhojpuri Song is Misleading

Introduction 

The world has been witnessing various advancements in cyberspace, and one of the major changes is the speed with which we gain and share information. Cyberspace has been declared as the fifth dimension of warfare, and hence, the influence of technology will go a long way in safeguarding ourselves and our nation. Information plays a vital role in this scenario, and due to the easy access to information, the instances of misinformation and disinformation have been rampant across the globe. In the recent Russia-Ukraine crisis, it was clearly seen how instances of misinformation can lead to major loss and harm to a nation and its subjects. All nations and global leaders are deliberating upon this aspect and efficient sharing of information among friendly nations and inter-government organisations. 

‍

What is IW? 

IW, also known as Information warfare, is a critical aspect of defending our cyberspace. Information Warfare, in its broadest sense, is a struggle over the information and communications process, a struggle that began with the advent of human communication and conflict. Over the past few decades, the rapid rise in information and communication technologies and their increasing prevalence in our society has revolutionised the communications process and, with it, the significance and implications of information warfare. Information warfare is the application of destructive force on a large scale against information assets and systems, against the computers and networks that support the four critical infrastructures (the power grid, communications, financial, and transportation). However, protecting against computer intrusion, even on a smaller scale, is in the national security interests of the country and is important in the current discussion about information warfare.

‍

IW in India 

The aspects of misinformation have been recently seen in India in the form of the violence in Manipur and Nuh, which resulted in a massive loss of property and even human lives. A lot of miscreants or anti-national elements often seed misinformation in our daily news feed, and this is often magnified by social media platforms such as Instagram or X (formerly known as Twitter) and OTT-based messaging applications like WhatsApp or Telegram during the pandemic. It was seen nearly every week that some or the other new ways to treat COVID-19 were shared on Social media, which were false and inaccurate, especially in regard to the vaccination drive. A lot of posts and messages highlighted that the Vaccine is not safe, but a lot of this was a part of misinformation propaganda. Most of the time, the speed of spread of such episodes of misinformation is rapid and is often spread by the use of social media platforms and OTT messaging applications. 

‍

IW and Indian Army

Former Meta employees have recently come up with allegations that the Chinar Corp of the Indian Army had approached the social media giant to suppress some pages and channels which propagated content that may be objectionable. It is alleged that the formation made such a request to propagate its counterintelligence operations against Pakistan. The Chinar Corps is one of the most prestigious formations of the Indian Army and has the operational area of Kashmir Valley. The instances of online grooming and brainwashing have been common from the anti-national elements of Pakistan, as a faction of youth has been engaged in terrorist activities directly or indirectly. Various messaging and social media apps are used by the bad actors to lure in innocent youth on the fake and fabricated pretext of religion or any other social issue. The Indian Army had launched an anti-misinformation campaign in Kashmir, which aimed to protect Kashmiris from the propaganda of fake news and misinformation, which often led to radicalisation or even riots or attacks on defence forces. The aspect of net neutrality is often misused by bad actors in areas which are sociological, critical or unstable. The Indian Army has created special offices focusing on IW at all levels of formations, and the same is also used to eradicate all or any fake news or fake propaganda against the Indian Army. 

‍

Conclusion

Information has always been a source of power since the days of the Roman Empire. Control, dissemination, moderation and mode of sharing of information plays a vital role for any nation both in term of safety from external threats and to maintain National Security. Information Warfare is part of the 5th dimension of warfare, i.e., Cyberwar and is a growing concern for developed as well as developing nations. Information warfare is a critical aspect which needs to be incorporated in terms of basic training for defence personnel and law enforcement agencies. The anti-misinformation operation in Kashmir was primarily focused towards eradicating the bad elements after repealing Article 377,  from cyberspace and ensuring harmony, peace, stability and prosperity in the state.    

‍

References 

• https://irp.fas.org/eprint/snyder/infowarfare.htm
• https://www.thehindu.com/news/national/metas-india-team-delayed-action-against-army-led-misinfo-op-in-kashmir-us-news-report/article67352470.ece
• https://www.indiatoday.in/india/story/facebook-instagram-block-handles-of-chinar-corps-no-response-from-company-over-a-week-says-officials-1910445-2022-02-08

‍

Executive Summary:

Footage of the Afghanistan cricket team singing ‘Vande Mataram’ after India’s triumph in ICC T20 WC 2024 exposed online.  The CyberPeace Research team carried out a thorough research to uncover the truth about the viral video. The original clip was posted on X platform by Afghan cricketer Mohammad Nabi on October 23, 2023 where the Afghan players posted the video chanting  ‘Allah-hu Akbar’ after winning the ODIs in the World Cup against Pakistan. This debunks the assertion made in the viral video about the people chanting Vande Mataram.

‍

‍

Claims:

Afghan cricket players chanted "Vande Mataram" to express support for India after India’s victory over Australia in the ICC T20 World Cup 2024.

Fact Check:

Upon receiving the posts, we analyzed the video and found some inconsistency in the video such as the lip sync of the video. 

We checked the video in an AI audio detection tool named “True Media”, and the detection tool found the audio to be 95% AI-generated which made us more suspicious of the authenticity of the video.

‍

For further verification, we then divided the video into keyframes. We reverse-searched one of the frames of the video to find any credible sources. We then found the X account of Afghan cricketer Mohammad Nabi, where  he uploaded the same video in his account with a caption, “Congratulations! Our team emerged triumphant n an epic battle against ending a long-awaited victory drought. It was a true test of skills & teamwork. All showcased thr immense tlnt & unwavering dedication. Let's celebrate ds 2gether n d glory of our great team & people” on 23 Oct, 2023.

We found that the audio is different from the viral video, where we can hear Afghan players chanting “Allah hu Akbar” in their victory against Pakistan. The Afghan players were not chanting Vande Mataram after India’s victory over Australia in T20 World Cup 2014.

Hence, upon lack of credible sources and detection of AI voice alteration, the claim made in the viral posts is fake and doesn’t represent the actual context. We have previously debunked such AI voice alteration videos. Netizens must be careful before believing misleading information.

Conclusion:

The viral video claiming that Afghan cricket players chanted "Vande Mataram" in support of India is false. The video was altered from the original video by using audio manipulation.  The original video of Afghanistan players celebrating victory over Pakistan by chanting "Allah-hu Akbar" was posted in the official Instagram account of Mohammad Nabi, an Afghan cricketer. Thus the information is fake and misleading.

• Claim: Afghan cricket players chanted "Vande Mataram" to express support for India after the victory over Australia in the ICC T20 World Cup 2024.
• Claimed on: YouTube
• Fact Check: Fake & Misleading

‍

Introduction

Recently the attackers employed the CVE-2017-0199 vulnerability in Microsoft Office to deliver a fileless form of the Remcos RAT. The Remcos RAT makes the attacker have full control of the systems that have been infected by this malware. This research will give a detailed technical description of the identified vulnerability, attack vector, and tactics together with the practical steps to counter the identified risks.

The Targeted Malware: Remcos RAT

Remcos RAT (Remote Control & Surveillance) is a commercially available remote access tool designed for legitimate administrative use. However, it has been widely adopted by cybercriminals for its stealth and extensive control capabilities, enabling:

• System control and monitoring
• Keylogging
• Data exfiltration
• Execution of arbitrary commands

The fileless variant utilised in this campaign makes detection even more challenging by running entirely in system memory, leaving minimal forensic traces.

Attack Vector: Phishing with Malicious Excel Attachments

The phishing email will be sent which appears as legitimate business communication, such as a purchase order or invoice. This email contains an Excel attachment that is weaponized to exploit the CVE-2017-0199 vulnerability.

Technical Analysis: CVE-2017-0199 Exploitation

Vulnerability Assessment

• CVE-2017-0199 is a Remote Code Execution (RCE) vulnerability in Microsoft Office which uses Object Linking and Embedding (OLE) objects.
• Affected Components:some text
  • Microsoft Word
  • Microsoft Excel
  • WordPad
• CVSS Score: 7.8 (High Severity)

Mechanism of Exploitation

The vulnerability enables attackers to craft a malicious document when opened, it fetches and executes an external payload via an HTML Application (HTA) file. The execution process occurs without requiring user interaction beyond opening the document.

Detailed Exploitation Steps

1. Phishing Email and Malicious Document some text
   • The email contains an Excel file designed to make use of CVE-2017-0199.
   • When the email gets opened, the document automatically connects to a remote server (e.g., 192.3.220[.]22) to download an HTA file (cookienetbookinetcache.hta).
2. Execution via mshta.exe some text
   • The downloaded HTA file is executed using mshta.exe, a legitimate Windows process for running HTML Applications.
   • This execution is seamless and does not prompt the user, making the attack stealthy.
3. Multi-Layer Obfuscation some text
   • The HTA file is wrapped in several layers of scripting, including: some text
     • JavaScript
     • VBScript
     • PowerShell
   • This obfuscation helps evade static analysis by traditional antivirus solutions.
4. Fileless Payload Deployment some text
   • The downloaded executable leverages process hollowing to inject malicious code into legitimate system processes.
   • The Remcos RAT payload is loaded directly into memory, avoiding the creation of files on disk.

Fileless Malware Techniques

1. Process Hollowing
The attack replaces the memory of a legitimate process (e.g., explorer.exe) with the malicious Remcos RAT payload. This allows the malware to:

• Evade detection by blending into normal system activity.
• Run with the privileges of the hijacked process.

2. Anti-Analysis Techniques

• Anti-Debugging: Detects the presence of debugging tools and terminates malicious processes if found.
• Anti-VM and Sandbox Evasion: Ensures execution only on real systems to avoid detection during security analysis.

3. In-Memory Execution

• By running entirely in system memory, the malware avoids leaving artifacts on the disk, making forensic analysis and detection more challenging.

Capabilities of Remcos RAT

Once deployed, Remcos RAT provides attackers with a comprehensive suite of functionalities, including:

• Data Exfiltration: some text
  • Stealing system information, files, and credentials.
• Remote Execution: some text
  • Running arbitrary commands, scripts, and additional payloads.
• Surveillance: some text
  • Enabling the camera and microphone.
  • Capturing screen activity and clipboard contents.
• System Manipulation: some text
  • Modifying Windows Registry entries.
  • Controlling system services and processes.
  • Disabling user input devices (keyboard and mouse).

Advanced Phishing Techniques in Parallel Campaigns

1. DocuSign Abuse
Attackers exploit legitimate DocuSign APIs to create authentic-looking phishing invoices. These invoices can trick users into authorising payments or signing malicious documents, bypassing traditional email security systems.

2. ZIP File Concatenation
By appending multiple ZIP archives into a single file, attackers exploit inconsistencies in how different tools handle these files. This allows them to embed malware that evades detection by certain archive managers.

Broader Implications of Fileless Malware

Fileless malware like Remcos RAT poses significant challenges:

• Detection Difficulties: Traditional signature-based antivirus systems struggle to detect fileless malware, as there are no static files to scan.
• Forensic Limitations: The lack of disk artifacts complicates post-incident analysis, making it harder to trace the attack's origin and scope.
• Increased Sophistication: These campaigns demonstrate the growing technical prowess of cybercriminals, leveraging legitimate tools and services for malicious purposes.

Mitigation Strategies

1. Patch Management some text
   • It is important to regularly update software to address known vulnerabilities like CVE-2017-0199. Microsoft released a patch for this vulnerability in April 2017.
2. Advanced Email Security some text
   • It is important to implement email filtering solutions that can detect phishing attempts, even those using legitimate services like DocuSign.
3. Endpoint Detection and Response (EDR)some text
   • Always use EDR solutions to monitor for suspicious behavior, such as unauthorized use of mshta.exe or process hollowing.
4. User Awareness and Training some text
   • Educate users about phishing techniques and the risks of opening unexpected attachments.
5. Behavioral Analysis some text
   • Deploy security solutions capable of detecting anomalous activity, even if no malicious files are present.

Conclusion

The attack via CVE-2017-0199 further led to the injection of a new fileless variant of Remcos RAT, proving how threats are getting more and more sophisticated. Thanks to the improved obfuscation and the lack of files, the attackers eliminate all traditional antiviral protection and gain full control over the infected computers. It is real and organisations have to make sure that they apply patches on time, that they build better technologies for detection and that the users themselves are more wary of the threats.

References

• Fortinet FortiGuard Labs: Analysis by Xiaopeng Zhang
• Perception Point: Research on ZIP File Concatenation
• Wallarm: DocuSign Phishing Analysis
• Microsoft Security Advisory: CVE-2017-0199

‍