#FactCheck: Debunking the Edited Image Claim of PM Modi with Hafiz Saeed

Executive Summary:

A video gone viral on Facebook claims Union Finance Minister Nirmala Sitharaman endorsed the government’s new investment project.  The video has been widely shared. However, our research indicates that the video has been AI altered and is being used to spread misinformation.

‍

Claim: 

‍

The claim in this video suggests that Finance Minister Nirmala Sitharaman is endorsing an automotive system that promises daily earnings of ₹15,00,000 with an initial investment of ₹21,000.

‍

Fact Check:

‍

To check the genuineness of the claim, we used the keyword search for “Nirmala Sitharaman investment program” but we haven’t found any investment related scheme. We observed that the lip movements appeared unnatural and did not align perfectly with the speech, leading us to suspect that the video may have been AI-manipulated.

When we reverse searched the video which led us to this DD News live-stream of Sitharaman’s press conference after presenting the Union Budget on February 1, 2025. Sitharaman never mentioned any investment or trading platform during the press conference, showing that the viral video was digitally altered. Technical analysis using Hive moderator further found that the viral clip is Manipulated by voice cloning.

‍

Conclusion:

The viral video on social media shows Union Finance Minister Nirmala Sitharaman endorsing the government’s new investment project as completely voice cloned, manipulated and false. This highlights the risk of online manipulation, making it crucial to verify news with credible sources before sharing it. With the growing risk of AI-generated misinformation, promoting media literacy is essential in the fight against false information.

• Claim: Fake video falsely claims FM Nirmala Sitharaman endorsed an investment scheme.
• Claimed On: Social Media
• Fact Check: False and Misleading 

‍

Introduction

Recently the attackers employed the CVE-2017-0199 vulnerability in Microsoft Office to deliver a fileless form of the Remcos RAT. The Remcos RAT makes the attacker have full control of the systems that have been infected by this malware. This research will give a detailed technical description of the identified vulnerability, attack vector, and tactics together with the practical steps to counter the identified risks.

The Targeted Malware: Remcos RAT

Remcos RAT (Remote Control & Surveillance) is a commercially available remote access tool designed for legitimate administrative use. However, it has been widely adopted by cybercriminals for its stealth and extensive control capabilities, enabling:

• System control and monitoring
• Keylogging
• Data exfiltration
• Execution of arbitrary commands

The fileless variant utilised in this campaign makes detection even more challenging by running entirely in system memory, leaving minimal forensic traces.

Attack Vector: Phishing with Malicious Excel Attachments

The phishing email will be sent which appears as legitimate business communication, such as a purchase order or invoice. This email contains an Excel attachment that is weaponized to exploit the CVE-2017-0199 vulnerability.

Technical Analysis: CVE-2017-0199 Exploitation

Vulnerability Assessment

• CVE-2017-0199 is a Remote Code Execution (RCE) vulnerability in Microsoft Office which uses Object Linking and Embedding (OLE) objects.
• Affected Components:some text
  • Microsoft Word
  • Microsoft Excel
  • WordPad
• CVSS Score: 7.8 (High Severity)

Mechanism of Exploitation

The vulnerability enables attackers to craft a malicious document when opened, it fetches and executes an external payload via an HTML Application (HTA) file. The execution process occurs without requiring user interaction beyond opening the document.

Detailed Exploitation Steps

1. Phishing Email and Malicious Document some text
   • The email contains an Excel file designed to make use of CVE-2017-0199.
   • When the email gets opened, the document automatically connects to a remote server (e.g., 192.3.220[.]22) to download an HTA file (cookienetbookinetcache.hta).
2. Execution via mshta.exe some text
   • The downloaded HTA file is executed using mshta.exe, a legitimate Windows process for running HTML Applications.
   • This execution is seamless and does not prompt the user, making the attack stealthy.
3. Multi-Layer Obfuscation some text
   • The HTA file is wrapped in several layers of scripting, including: some text
     • JavaScript
     • VBScript
     • PowerShell
   • This obfuscation helps evade static analysis by traditional antivirus solutions.
4. Fileless Payload Deployment some text
   • The downloaded executable leverages process hollowing to inject malicious code into legitimate system processes.
   • The Remcos RAT payload is loaded directly into memory, avoiding the creation of files on disk.

Fileless Malware Techniques

1. Process Hollowing
The attack replaces the memory of a legitimate process (e.g., explorer.exe) with the malicious Remcos RAT payload. This allows the malware to:

• Evade detection by blending into normal system activity.
• Run with the privileges of the hijacked process.

2. Anti-Analysis Techniques

• Anti-Debugging: Detects the presence of debugging tools and terminates malicious processes if found.
• Anti-VM and Sandbox Evasion: Ensures execution only on real systems to avoid detection during security analysis.

3. In-Memory Execution

• By running entirely in system memory, the malware avoids leaving artifacts on the disk, making forensic analysis and detection more challenging.

Capabilities of Remcos RAT

Once deployed, Remcos RAT provides attackers with a comprehensive suite of functionalities, including:

• Data Exfiltration: some text
  • Stealing system information, files, and credentials.
• Remote Execution: some text
  • Running arbitrary commands, scripts, and additional payloads.
• Surveillance: some text
  • Enabling the camera and microphone.
  • Capturing screen activity and clipboard contents.
• System Manipulation: some text
  • Modifying Windows Registry entries.
  • Controlling system services and processes.
  • Disabling user input devices (keyboard and mouse).

Advanced Phishing Techniques in Parallel Campaigns

1. DocuSign Abuse
Attackers exploit legitimate DocuSign APIs to create authentic-looking phishing invoices. These invoices can trick users into authorising payments or signing malicious documents, bypassing traditional email security systems.

2. ZIP File Concatenation
By appending multiple ZIP archives into a single file, attackers exploit inconsistencies in how different tools handle these files. This allows them to embed malware that evades detection by certain archive managers.

Broader Implications of Fileless Malware

Fileless malware like Remcos RAT poses significant challenges:

• Detection Difficulties: Traditional signature-based antivirus systems struggle to detect fileless malware, as there are no static files to scan.
• Forensic Limitations: The lack of disk artifacts complicates post-incident analysis, making it harder to trace the attack's origin and scope.
• Increased Sophistication: These campaigns demonstrate the growing technical prowess of cybercriminals, leveraging legitimate tools and services for malicious purposes.

Mitigation Strategies

1. Patch Management some text
   • It is important to regularly update software to address known vulnerabilities like CVE-2017-0199. Microsoft released a patch for this vulnerability in April 2017.
2. Advanced Email Security some text
   • It is important to implement email filtering solutions that can detect phishing attempts, even those using legitimate services like DocuSign.
3. Endpoint Detection and Response (EDR)some text
   • Always use EDR solutions to monitor for suspicious behavior, such as unauthorized use of mshta.exe or process hollowing.
4. User Awareness and Training some text
   • Educate users about phishing techniques and the risks of opening unexpected attachments.
5. Behavioral Analysis some text
   • Deploy security solutions capable of detecting anomalous activity, even if no malicious files are present.

Conclusion

The attack via CVE-2017-0199 further led to the injection of a new fileless variant of Remcos RAT, proving how threats are getting more and more sophisticated. Thanks to the improved obfuscation and the lack of files, the attackers eliminate all traditional antiviral protection and gain full control over the infected computers. It is real and organisations have to make sure that they apply patches on time, that they build better technologies for detection and that the users themselves are more wary of the threats.

References

• Fortinet FortiGuard Labs: Analysis by Xiaopeng Zhang
• Perception Point: Research on ZIP File Concatenation
• Wallarm: DocuSign Phishing Analysis
• Microsoft Security Advisory: CVE-2017-0199

‍

Introduction

Misinformation spreads faster than a pimple before your best friend's wedding, and these viral skincare hacks on social media can do more harm than good if smeared on without a second thought. The unverified skin care tips, exaggerated results, and product endorsements lacking proper dermatological backing can often lead to breakouts and serious damage. 

The Allure and Risks of Online Skincare Trends

In the age of social media, beauty advice is easily accessible, but not all trending skincare hacks are beneficial. Influencers lacking professional dermatological knowledge often endorse "medical grade" skincare products, which may not be suitable for all skin types. The viral DIY skincare hacks, such as natural remedies like multani mitti (Fuller's earth), have found a new audience online. However, suppose such skincare tips are approached without due care and caution regarding their suitability for different skin types, or without the proper formulation of ingredients. In that case, they can result in skin problems. It is crucial to approach online skincare advice with a critical eye, as not all trends are backed by scientific research. 

CyberPeace Recommendations 

1. Influencer Responsibility and Ethical Endorsements in Skincare

Influencers play a crucial role in shaping public perception in the skincare and lifestyle industries. However, they must exercise due diligence before endorsing skincare products or practices, as misinformation can lead to financial loss and health consequences. Influencers should only promote products they have personally tested or vetted by dermatologists or skincare professionals. They should also research the brand's credibility, check ingredients for safety, and understand the product's target audience.

2. Strengthening Digital Literacy in Skincare Spaces

CyberPeace highlights that improving digital literacy is one of the best strategies to stop the spread of false information about skincare. Users nowadays, particularly young people, are continuously exposed to a deluge of wellness and beauty-related content. Many people are duped by overstated claims, pseudoscientific cures, and influencer-driven marketing masquerading as sound advice if they lack the necessary digital literacy. We recommend supporting digital literacy initiatives that teach users how to evaluate sources, think critically, and comprehend how algorithms promote content. Long-term impact is thought to be achieved through influencer partnerships, gamified learning modules, and community workshops that promote media literacy.

3. Recommendation for Users to Prioritise Research and Critical Thinking

Users should prioritise research and critical thinking when engaging with skincare content online. It's crucial to distinguish between valid advice and misinformation. Thorough research, including expert reviews, ingredient checks, and scientific sources, is essential. Questioning endorsements and relying on trusted platforms and dermatologists can help ensure a skincare routine based on sound practices.

4. Mandating Transparency from Influencers and Brands

Enforcing stronger transparency laws for influencers and skincare companies is a key suggestion. Social media influencers frequently neglect to reveal sponsored collaborations or paid advertisements, giving followers the impression that the skincare advice is based on the creators' own experience and objective judgment. This dishonest practice frequently promotes goods with little to no scientific support and feeds false information. The social media companies need to be proactive in identifying and removing content that violates disclosure and advertising guidelines.

5. Creating a Verified Registry for Skincare Professionals

Increasing the voices of real experts is one of the most important strategies to build credibility and trust online. The establishment of a publicly available, validated registry of certified dermatologists, cosmetologists, and skincare scientists is suggested by cybersecurity experts and medical professionals. These experts could then receive a "verified expert" badge from social media companies, making it easier for users to discern between content created by unqualified people and genuine, evidence-based advice. Algorithms that promote such verified content would inevitably limit the dissemination of false information.

6. Enforcing Platform Accountability and Reporting System

There needs to be platform-level accountability and safeguard mechanisms in case of any false information about skincare. Platforms should monitor repeat offenders and implement a tiered penalty system that includes content removal and temporary or permanent bans on such malicious user profiles.

References

• https://brandequity.economictimes.indiatimes.com/amp/news/advertising/clinikally-takes-on-digital-misinformation-of-skincare-trends-in-new-ad/120485282

‍