Researchers Warn of Kavach 2FA Phishing Attacks Targeting Indian Govt. Officials

December 23, 2022 | Ravie Lakshmanan | Cyber espionage / Pakistani hackers

Kavach 2FA Phishing Attack

A new targeted phishing campaign has set its sights on a two-factor authentication solution known as Kavach that is used by Indian government officials.

Cybersecurity firm Securonix dubbed the activity STEPPY#KAVACH and, based on tactical overlaps with previous attacks, attributes it to a threat actor known as SideCopy.

Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a new report:

SideCopy, a hacking crew from Pakistan believed to have been active since at least 2019, is said to be associated with another actor called the Transparent Tribe (a.k.a. APT36 or Mythic Leopard).

It has also been known to imitate the attack chains used by SideWinder, a prolific nation-state group that disproportionately singles out Pakistan-based military organizations and relies on a unique set of tools.

However, this is not the first time Kavach has been targeted by attackers. In July 2021, Cisco Talos detailed an espionage operation conducted to steal credentials from Indian government officials.

Kavach-themed decoy apps have since been employed by Transparent Tribe in attacks targeting India earlier this year.


The latest attack sequence, which Securonix has observed over the past few weeks, uses phishing emails to lure potential victims into opening a shortcut file (.LNK) that invokes the mshta.exe Windows utility to fetch and run a remote .HTA payload.

According to the company, the HTML application was found to be "hosted on a potentially compromised website and nested within an obscure 'gallery' directory designed to store some of the site's images."

The compromised website in question is incometaxdelhi[.]org, the official website of the Income Tax Department of India for the Delhi region. The malicious files are no longer available on the portal.

In the next phase, executing the .HTA file runs obfuscated JavaScript code that displays a decoy image, a file released by the Indian Ministry of Defence a year earlier, in December 2021.

The JavaScript code also downloads an executable from a remote server, establishes persistence by modifying the Windows registry, and reboots the machine so that the binary is launched automatically after startup.

The binary acts as a backdoor that executes commands sent from an attacker-controlled domain, retrieves and runs additional payloads, takes screenshots, and exfiltrates files.

The exfiltration component also includes an option to specifically search for the database file ("kavach.db") that the Kavach app creates on the system to store credentials.
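The chain described above (explorer.exe spawning mshta.exe with a remote .HTA URL, a Run-key entry pointing at a freshly dropped executable, and a process going after kavach.db) lends itself to a small set of host detections. The following is an added example written for this page, not code from Securonix or from the Kavach project. It runs over constructed Sysmon-style records (event 1 process create, event 13 registry value set) and a constructed Windows Security 4663 object-access record; the field names are simplified, the URL, SIDs, paths and the kavach.db location are invented, and auditing reads of kavach.db on a real host would require a SACL on the Kavach data directory.

```python
"""
Detections for a STEPPY#KAVACH-style chain (added example, not the page's or
vendor's code):
  rule 1  remote_hta            a script host such as mshta.exe is launched with
                                an http(s) URL on its command line
  rule 2  run_key_persistence   a Run/RunOnce value is written that points into a
                                user-writable directory, or is written by a script host
  rule 3  kavach_db_access      a process living in a user-writable directory touches
                                kavach.db (needs a SACL on the directory in practice)
All telemetry below is constructed for the example; field names are simplified
versions of the Sysmon / Security-log fields.
"""
import re

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Public|Downloads)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\",
                     re.IGNORECASE)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}
CHAIN = ("remote_hta", "run_key_persistence", "kavach_db_access")

# Constructed sample telemetry (not real logs). Paths, URL and SID are assumed.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",                      # user double-clicked the .LNK
     "cmdline": 'mshta.exe "http://example.invalid/gallery/update.hta"'},
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Program Files\Vendor\app.exe",              # local help file: not flagged
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\help\index.hta"'},
    {"id": 13, "image": r"C:\Windows\System32\mshta.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     "details": r"C:\Users\victim\AppData\Roaming\svchost.exe"},
    {"id": 13, "image": r"C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},   # legitimate: not flagged
    {"id": 4663, "image": r"C:\Users\victim\AppData\Roaming\svchost.exe",
     "target": r"C:\Users\victim\AppData\Local\Kavach\kavach.db"},     # assumed location
]


def basename(path):
    """Last path component, lower-cased, for case-insensitive comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (severity, rule, process, evidence) tuples for matching events."""
    alerts = []
    for e in events:
        if e["id"] == 1 and basename(e["image"]) in SCRIPT_HOSTS:
            urls = URL_RE.findall(e["cmdline"])
            if urls:
                # explorer.exe as parent is what an opened .LNK looks like
                sev = "high" if basename(e["parent"]) == "explorer.exe" else "medium"
                alerts.append((sev, "remote_hta", basename(e["image"]), urls[0]))
        elif e["id"] == 13 and RUN_KEY.search(e["target"]):
            if USER_WRITABLE.search(e["details"]) or basename(e["image"]) in SCRIPT_HOSTS:
                alerts.append(("high", "run_key_persistence", basename(e["image"]), e["details"]))
        elif e["id"] == 4663 and basename(e["target"]) == "kavach.db":
            if USER_WRITABLE.search(e["image"]):
                alerts.append(("critical", "kavach_db_access", basename(e["image"]), e["target"]))
    return alerts


def summarize(alerts):
    """Which rules fired, and whether all three stages of the chain were seen."""
    rules = sorted({a[1] for a in alerts})
    return {"rules": rules, "full_chain": all(r in rules for r in CHAIN)}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for sev, rule, proc, evidence in found:
        print(f"[{sev}] {rule}: {proc} -> {evidence}")
    print(summarize(found))
```

Each rule on its own will produce some noise (installers write Run keys, a few enterprise tools launch mshta.exe with a URL), which is why the sample keeps severity per rule and only treats the host as compromised-by-this-chain when all three fire; the kavach.db rule is the one with essentially no benign explanation and should page on its own.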

The aforementioned infection chain was previously disclosed by MalwareHunterTeam in a series of tweets dated December 8, 2022, which referred to the remote access Trojan as MargulasRAT.

“Based on correlation data from binary samples taken from RATs used by threat actors, this campaign is directed against targets in India that went undetected last year,” said the researchers.
