
A threat actor suspected of links to Pakistan, known as SideCopy, has been observed using themes related to Indian military research organizations as part of an ongoing phishing campaign.
This involves using ZIP archive lures associated with India's Defence Research and Development Organisation (DRDO) to deliver malicious payloads capable of gathering sensitive information, Fortinet FortiGuard Labs said in a new report.
Active since at least 2019, the cyber espionage group targets organizations that align with the interests of the Pakistani government. It is believed to be an offshoot of another Pakistani hacking crew called Transparent Tribe.

SideCopy’s use of DRDO-related decoys for malware distribution was flagged by Cyble and Chinese cybersecurity firm QiAnXin in March 2023, and again by Team Cymru last month.
Interestingly, the same attack chain has been observed to load and execute open source remote access Trojans known as Action RAT and AllaKore RAT.
The latest infection sequence documented by Fortinet is no exception, leading to the deployment of an unidentified RAT variant capable of communicating with remote servers and launching additional payloads.
This deployment shows that SideCopy continues to carry out spear-phishing email attacks. The attack uses social engineering lures related to the Indian government and Defense Forces to drop a variety of malware.
Source: Team Cymru
A detailed analysis of Action RAT's command-and-control (C2) infrastructure by Team Cymru identified an outbound connection from one of the C2 server's IP addresses to another address, 66.219.22[.]252, which is located in Pakistan.
The cybersecurity firm also said it observed “communications originating from 17 different IPs assigned to mobile providers in Pakistan and four Proton VPN nodes,” adding that it focused on inbound connections from IP addresses assigned to ISPs in India.
Overall, as many as 18 different victims in India were detected connecting to C2 servers associated with Action RAT, and 236 unique victims, again in India, were detected connecting to C2 servers associated with AllaKore RAT.
The latest findings lend credence to SideCopy’s link to Pakistan, not to mention highlighting the fact that the campaign was successful in targeting users in India.
“The SideCopy-connected Action RAT infrastructure is managed by users accessing the Internet from Pakistan,” said Team Cymru. “Victims' activities preceded public reporting of this campaign, in some cases by months.”
