A spear-phishing marketing campaign focusing on Indian authorities entities goals to deploy an up to date model of a backdoor known as ReverseRAT.
Cybersecurity agency ThreatMon attributed the exercise to a risk actor tracked as SideCopy.
SideCopy is a risk group of Pakistani origin that shares overlaps with one other actor known as Transparent Tribe. It is so named for mimicking the an infection chains related to SideWinder to ship its personal malware.
The adversarial crew was first noticed delivering ReverseRAT in 2021, when Lumen’s Black Lotus Labs detailed a set of assaults focusing on victims aligned with the federal government and energy utility verticals in India and Afghanistan.
Recent assault campaigns related to SideCopy have primarily set their sights on a two-factor authentication answer generally known as Kavach (which means “armor” in Hindi) that is utilized by Indian authorities officers.
The an infection journey documented by ThreatMon commences with a phishing e mail containing a macro-enabled Word doc (“Cyber Advisory 2023.docm”).
The file masquerades as a pretend advisory from India’s Ministry of Communications about “Android Threats and Preventions.” That mentioned, a lot of the content material has been copied verbatim from an precise alert revealed by the division in July 2020 about greatest cybersecurity practices.
Once the file is opened and macros are enabled, it triggers the execution of malicious code that results in the deployment of ReverseRAT on the compromised system.
“Once ReverseRAT beneficial properties persistence, it enumerates the sufferer’s machine, collects information, encrypts it utilizing RC4, and sends it to the command-and-control (C2) server,” the corporate mentioned in a report revealed final week.
“It waits for instructions to execute on the goal machine, and a few of its capabilities embrace taking screenshots, downloading and executing recordsdata, and importing recordsdata to the C2 server.”