A spear-phishing marketing campaign focusing on Indian authorities entities goals to deploy an up to date model of a backdoor known as ReverseRAT.
Cybersecurity agency ThreatMon attributed the exercise to a menace actor tracked as SideCopy.
SideCopy is a menace group of Pakistani origin that shares overlaps with one other actor known as Clear Tribe. It’s so named for mimicking the an infection chains related to SideWinder to ship its personal malware.
The adversarial crew was first noticed delivering ReverseRAT in 2021, when Lumen’s Black Lotus Labs detailed a set of assaults focusing on victims aligned with the federal government and energy utility verticals in India and Afghanistan.
Latest assault campaigns related to SideCopy have primarily set their sights on a two-factor authentication resolution often called Kavach (which means “armor” in Hindi) that is utilized by Indian authorities officers.
The an infection journey documented by ThreatMon commences with a phishing e mail containing a macro-enabled Phrase doc (“Cyber Advisory 2023.docm”).
The file masquerades as a faux advisory from India’s Ministry of Communications about “Android Threats and Preventions.” That mentioned, many of the content material has been copied verbatim from an precise alert printed by the division in July 2020 about finest cybersecurity practices.
As soon as the file is opened and macros are enabled, it triggers the execution of malicious code that results in the deployment of ReverseRAT on the compromised system.
“As soon as ReverseRAT good points persistence, it enumerates the sufferer’s system, collects knowledge, encrypts it utilizing RC4, and sends it to the command-and-control (C2) server,” the corporate mentioned in a report printed final week.
“It waits for instructions to execute on the goal machine, and a few of its capabilities embrace taking screenshots, downloading and executing information, and importing information to the C2 server.”