
A spear-phishing campaign targeting Indian government agencies aims to deploy an updated version of a backdoor called ReverseRAT.
Cybersecurity firm ThreatMon attributed the activity to a threat actor tracked as SideCopy.
SideCopy is a threat group of Pakistani origin that overlaps with another actor called Transparent Tribe. It is so named because it mimics the infection chains associated with SideWinder to deliver its own malware.
The crew was first observed delivering ReverseRAT in 2021, when Lumen's Black Lotus Labs detailed a series of attacks targeting victims aligned with the government and power sectors in India and Afghanistan.
Recent attack campaigns associated with SideCopy have primarily targeted a two-factor authentication solution known as Kavach (which means "armor" in Hindi) that is used by Indian government officials.

The infection chain documented by ThreatMon begins with a phishing email carrying a macro-enabled Word document ("Cyber Advisory 2023.docm").
The file masquerades as an advisory from the Ministry of Communications on "Android Threats and Prevention". Most of its content, however, was copied verbatim from a genuine advisory on cybersecurity best practices that the ministry issued in July 2020.
When the file is opened and macros are enabled, the embedded macro code executes and deploys ReverseRAT on the compromised system.
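Because the lure only works once macros are enabled, the cheapest triage step is to check whether an attachment is macro-enabled at all before anyone opens it. The script below is an added example written for this page, not code from ThreatMon or from the campaign, and it relies on no outside tooling: an OOXML Word file is a ZIP package, a macro-enabled one carries a `word/vbaProject.bin` part and declares the `macroEnabled` main-document content type in `[Content_Types].xml`, and both signals survive renaming a `.docm` to `.docx`. The `build_sample` helper constructs minimal stand-in packages for testing and is not a real document.

```python
import io
import sys
import zipfile

# Content type Word writes for the main part of a macro-enabled document (.docm).
# A plain .docx uses "...wordprocessingml.document.main+xml" without "macroEnabled".
MACRO_ENABLED_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = ("application/vnd.openxmlformats-officedocument."
            "wordprocessingml.document.main+xml")
VBA_PART = "word/vbaProject.bin"


def inspect_office_zip(data: bytes) -> dict:
    """Return macro indicators for an OOXML (docx/docm) package given as bytes.

    Two independent signals are checked, so a document that has been renamed
    or had one of them stripped is still caught by the other:
      * presence of the VBA project part (word/vbaProject.bin), and
      * the macro-enabled main-document content type in [Content_Types].xml.
    """
    result = {"is_zip": False, "has_vba_part": False,
              "declares_macro_enabled": False, "parts": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not an OOXML package at all (could be legacy .doc, or not Office); leave
        # it to a different check rather than reporting "no macros".
        return result
    result["is_zip"] = True
    names = zf.namelist()
    result["parts"] = names
    result["has_vba_part"] = VBA_PART in names
    if "[Content_Types].xml" in names:
        ct_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        result["declares_macro_enabled"] = MACRO_ENABLED_CT in ct_xml
    return result


def is_macro_enabled(data: bytes) -> bool:
    """True if either macro indicator is present."""
    r = inspect_office_zip(data)
    return r["has_vba_part"] or r["declares_macro_enabled"]


def build_sample(macro: bool) -> bytes:
    """Constructed minimal OOXML package for testing; not a real Word document."""
    ct = MACRO_ENABLED_CT if macro else PLAIN_CT
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">\n'
        '  <Default Extension="xml" ContentType="application/xml"/>\n'
        f'  <Override PartName="/word/document.xml" ContentType="{ct}"/>\n'
        '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Constructed stub standing in for an OLE-compound VBA project.
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0" + b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python triage_docm.py attachment1.docx attachment2.docm ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            r = inspect_office_zip(fh.read())
        verdict = ("MACRO-ENABLED" if r["has_vba_part"] or r["declares_macro_enabled"]
                   else "no macros" if r["is_zip"] else "not an OOXML package")
        print(f"{path}: {verdict} (vbaProject={r['has_vba_part']}, "
              f"macroEnabled content type={r['declares_macro_enabled']})")
```

The check is deliberately extension-agnostic: Word decides whether to prompt for macros from the package contents, not the file name, so a mail gateway or analyst script should do the same.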
“Once ReverseRAT gains persistence, it enumerates the victim’s device, collects data, encrypts it using RC4, and sends it to a command and control (C2) server,” the company said in a report published last week.
“It waits for commands to be executed on the target machine. Its functions include taking screenshots, downloading and executing files, and uploading files to its C2 server.”