
An Advanced Persistent Threat (APT) group with a track record of targeting India and Afghanistan has been linked to a new phishing campaign delivering an Action RAT.
According to Cyble, the activity cluster, attributed to SideCopy, is designed to target the Defense Research and Development Organization (DRDO), the research and development arm of the Indian Ministry of Defense.
SideCopy is a threat group of Pakistani origin that overlaps with Transparent Tribe and has been active since at least 2019. It is known for emulating SideWinder-related infection chains to deliver its own malware.
The attack chain used by this group relies on spear-phishing emails to gain initial access. These messages carry a ZIP archive containing a Windows shortcut file (.LNK) that masquerades as information about the DRDO-developed K-4 ballistic missile.
When executed, the .LNK file fetches an HTML application from a remote server, displays a decoy presentation, and silently deploys the Action RAT backdoor.
In addition to gathering information about the victim’s machine, the malware can execute commands sent by command and control (C2) servers. This includes collecting files and dropping subsequent malware.
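As an added defender-side example (not code from the Cyble report or this article), the following Python check inspects a ZIP attachment for Windows shortcut entries by their LNK header magic rather than by extension, and flags any that are named to look like documents, as in the infection chain above. The archive contents and file names are constructed for the demonstration.

```python
import io
import zipfile

# A Windows shortcut starts with HeaderSize 0x4C followed by the ShellLink
# CLSID {00021401-0000-0000-C000-000000000046}; a file extension alone is
# trivial to spoof, so the header is what we key on.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")

# Extensions a decoy document name typically borrows (assumed list).
DOC_EXTS = (".pdf", ".doc", ".docx", ".ppt", ".pptx", ".xls", ".xlsx", ".txt")


def is_lnk(data: bytes) -> bool:
    """True if the byte prefix carries the ShellLink header magic."""
    return data[:len(LNK_MAGIC)] == LNK_MAGIC


def scan_zip(zip_bytes: bytes) -> list[dict]:
    """Return one finding per ZIP entry that is (or claims to be) a shortcut,
    noting whether its name is dressed up as a document."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = zf.open(info).read(len(LNK_MAGIC))  # only the header is needed
            name = info.filename.lower()
            if not (is_lnk(head) or name.endswith(".lnk")):
                continue
            stem = name[:-4] if name.endswith(".lnk") else name
            findings.append({
                "entry": info.filename,
                "lnk_magic": is_lnk(head),
                "masquerade": stem.endswith(DOC_EXTS),
            })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: a decoy-named .lnk, a shortcut hiding behind
    a document extension, and one benign text file."""
    fake_lnk = LNK_MAGIC + b"\x00" * 44  # header padding only; not a working shortcut
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("K-4_missile_brief.pdf.lnk", fake_lnk)
        zf.writestr("schedule.docx", fake_lnk)
        zf.writestr("readme.txt", b"constructed benign file\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        print(finding)
```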

A new information stealer called AuTo Stealer has also been deployed; it can collect and exfiltrate Microsoft Office files, PDF documents, databases, text files and images over HTTP or TCP.
“The APT Group is continually evolving its technology while incorporating new tools into its arsenal,” said Cyble.
This is not the first time SideCopy has used an Action RAT in an attack against India. In December 2021, Malwarebytes revealed a series of intrusions that compromised shared computers of many Afghan ministries and the Indian government to steal sensitive credentials.
The latest findings arrive a month after the discovery of a hostile crew targeting Indian government agencies using a remote access Trojan called ReverseRAT.