The Pakistan-linked threat actor known as SideCopy has been observed exploiting a recently disclosed WinRAR vulnerability in targeted attacks against Indian government entities, using it to deliver remote access trojans including AllaKore RAT, Ares RAT, and DRat.
Security firm SEQRITE, which analyzed the campaign, describes it as multi-platform: alongside the Windows tooling, the actor deploys a Linux-compatible build of Ares RAT, so Linux hosts are in scope as well as Windows ones.
SideCopy, active since at least 2019, has garnered notoriety for its relentless targeting of Indian and Afghan entities. It is believed to be an affiliate of the notorious Transparent Tribe (also known as APT36) actor.
SEQRITE researcher Sathwik Ram Prakki highlighted the shared infrastructure and code between SideCopy and APT36, emphasizing their aggressive pursuit of targets within India.
The threat actor was recently linked to a phishing campaign that utilized lures associated with India's Defense Research and Development Organization (DRDO). This campaign aimed to deliver malware designed to steal sensitive information.
Subsequently, SideCopy was implicated in a series of phishing attacks targeting the Indian defense sector. These attacks leveraged ZIP archive attachments to distribute the Action RAT and introduced a new .NET-based trojan supporting 18 different commands.
The recent phishing campaigns unearthed by SEQRITE comprise two distinct attack chains, one targeting Linux and the other Windows.
The Linux-focused campaign leverages a Golang-based ELF binary to introduce a Linux-compatible version of Ares RAT. This RAT is equipped with various capabilities, including file enumeration, screenshot capture, file downloads and uploads, among others.
In contrast, the second campaign exploits CVE-2023-38831, a security flaw in the WinRAR archiving tool. The flaw is triggered by a crafted archive in which a harmless-looking decoy file sits beside a directory of the same name containing a script; when a user opens the decoy in a vulnerable WinRAR build, the script is executed instead. SideCopy uses this to deploy AllaKore RAT, Ares RAT, and two new trojans, DRat and Key RAT. WinRAR 6.23 fixed the flaw, so hosts still running older builds remain exposed to this lure.
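The structural hallmark of a CVE-2023-38831 lure (a file entry and a same-named directory holding a script) can be checked without opening the archive in WinRAR. The following scanner is an added example written for this page, not code from SEQRITE or from the campaign; the sample archives it builds are constructed in memory for testing and are not real SideCopy samples, and the list of executable extensions is an illustrative assumption rather than an exhaustive one.

```python
"""Heuristic scanner for ZIP archives laid out like a CVE-2023-38831 lure.

Publicly documented trigger: the archive holds a decoy file (e.g. "notice.pdf ",
often with a trailing space) plus a directory of the same name that contains a
script whose name also begins with the decoy's name ("notice.pdf /notice.pdf .cmd").
Opening the decoy in a vulnerable WinRAR runs the script in the same-named directory.
"""
import io
import zipfile
from typing import List, Tuple

# Extensions Windows will execute when handed to ShellExecute.
# Assumption: illustrative set, not exhaustive.
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".com", ".scr", ".vbs", ".js",
                   ".wsf", ".ps1", ".lnk", ".hta"}


def _extension(name: str) -> str:
    """Lower-cased extension of the last path component ('' if none)."""
    leaf = name.rsplit("/", 1)[-1]
    dot = leaf.rfind(".")
    return leaf[dot:].lower() if dot != -1 else ""


def find_cve_2023_38831_candidates(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (decoy, payload) pairs: a file entry that shares its name with a
    directory holding an executable whose name starts with the decoy's name."""
    hits: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        entries = [info.filename for info in zf.infolist()]
    files = [n for n in entries if not n.endswith("/")]
    for decoy in files:
        leaf = decoy.rsplit("/", 1)[-1]
        same_named_dir = decoy + "/"
        for candidate in files:
            if not candidate.startswith(same_named_dir):
                continue
            inner = candidate[len(same_named_dir):]
            if "/" in inner:
                continue  # only direct children of the same-named directory count
            if inner.startswith(leaf) and _extension(inner) in EXECUTABLE_EXTS:
                hits.append((decoy, candidate))
    return hits


def names_with_trailing_space(zip_bytes: bytes) -> List[str]:
    """Weaker indicator: entry names ending in a space, which is how the
    published lures keep a decoy name distinct from its real extension."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist()
                if i.filename.rstrip("/").endswith(" ")]


def build_sample_archive(malicious: bool) -> bytes:
    """Constructed in-memory sample archives for testing (not real samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if malicious:
            decoy = "Defence_Notice.pdf "  # note the trailing space
            zf.writestr(decoy, b"%PDF-1.4\n%decoy\n")
            zf.writestr(decoy + "/" + decoy + ".cmd",
                        b"@echo off\r\nrem placeholder, does nothing\r\n")
        else:
            zf.writestr("Defence_Notice.pdf", b"%PDF-1.4\n%benign\n")
            zf.writestr("attachments/readme.txt", b"nothing to see\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, mal in (("malicious", True), ("benign", False)):
        data = build_sample_archive(mal)
        print(label, find_cve_2023_38831_candidates(data),
              names_with_trailing_space(data))
```

The check works on the central directory only, so it is cheap enough to run on every archive attachment at a mail gateway; a trailing-space name alone is a weak signal and should raise priority rather than block on its own. Archives in RAR format need the same logic applied through a RAR parser, which the standard library does not provide.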
AllaKore RAT is designed to steal system information, engage in keylogging, capture screenshots, and facilitate the upload and download of files. It also enables remote access to the victim's system, allowing for command execution and data transmission to a command-and-control (C2) server.
DRat, on the other hand, is capable of interpreting as many as 13 commands from the C2 server, involving tasks such as gathering system data, downloading and executing additional payloads, and conducting various file operations.
The choice to target Linux systems is not arbitrary and is potentially linked to India's strategic decision to transition government and defense sectors from Microsoft Windows to a Linux variant known as Maya OS.
In summary, SideCopy's rapid adoption of newly disclosed vulnerabilities (CVE-2023-38831 was picked up while many targets had yet to move to the patched WinRAR 6.23) and its continuous expansion of its arsenal are cause for concern, particularly as it consistently targets Indian defense organizations with a variety of remote access trojans. The shared infrastructure and code between APT36 and SideCopy underscore the need for prompt patching of archive utilities, attachment inspection at the mail gateway, and monitoring of both Windows and Linux hosts for these RAT families.