SideCopy, the Pakistani-based threat actor, has been using the WinRAR vulnerability (CVE-2023-38831) to target Indian government entities for delivering multiple RATs (Remote Access Trojans) like AllaKore RAT, Ares RAT, and DRat.
The threat actor has been observed to have conducted concurrent campaigns every month, according to reports. Recent campaigns showed that there were additional stages of exploitation used, which involved a . NET-based RAT called “Double Action RAT.”
SideCopy is found to be linked with the Transparent Tribe (APT-36), which targeted the Indian Military and recruited university students for terrorist groups. Additionally, this threat actor has been active since 2013; their Linux malware arsenal has been updated with Poseidon and other utilities.
As per reports submitted to Cyber Security News, their first campaign was conducted through a phishing link that downloads an archive that consists of a decoy document called “ACR.pdf” or “ACR_ICR_ECR_Form_for_Endorsement_New_Policy.pdf” that was related to NSRO.
Furthermore, there were two types of next stages, such as an LNK file merged inside the PDF that triggered a remote HTA file on a compromised domain. The next stages of this campaign were to check the .NET version, fetch the AV installed, decode, and run the DLL in memory.
There were two shortcut files in a double extension format under the name “Homosexuality – Indian Armed Forces ․pdf.lnk”. However, there were two embedded base64 encoded files, one decoy PDF, and a DLL. When the decoy file is opened, it downloads another HTA, whereas the final DLL points to the target.
The new HTA is saved as “seqrite.jpg” in the TEMP folder, which later executes the final DLL payload that depends upon the AV present. For persistence, this payload is added to the registry key or Startup.
Additionally, their target scope has a large number of Linux-based malware, which was due to the recent Indian government’s announcement for replacing Microsoft Windows with Maya OS (Linux flavor) in government as well as defense sectors.
A complete report has been published by SEQRITE, which provides detailed information about this threat actor, the malware, and other information.
For a comprehensive list of potential signs that a system has been breached or compromised, please refer to the Indicators of Compromise document available at the provided source.
Secures your storage & backup systems With StorageGuard – Watch a 40-second Video Tour.
APT24, a sophisticated cyber espionage group linked to China's People's Republic, has launched a relentless…
The Cl0p ransomware group has claimed responsibility for infiltrating Broadcom's internal systems as part of…
Grafana Labs has disclosed a critical security vulnerability affecting Grafana Enterprise that could allow attackers…
A critical security vulnerability has been discovered in ASUSTOR backup and synchronization software, allowing attackers…
Microsoft has introduced a practical new feature in Windows 11 designed specifically for public-facing monitors…
SonicWall has disclosed a critical stack-based buffer overflow vulnerability in its SonicOS SSLVPN service. That…