SideCopy, the Pakistani-based threat actor, has been using the WinRAR vulnerability (CVE-2023-38831) to target Indian government entities for delivering multiple RATs (Remote Access Trojans) like AllaKore RAT, Ares RAT, and DRat.
The threat actor has been observed to have conducted concurrent campaigns every month, according to reports. Recent campaigns showed that there were additional stages of exploitation used, which involved a . NET-based RAT called “Double Action RAT.”
Sub-division of APT36 and Campaigns
SideCopy is found to be linked with the Transparent Tribe (APT-36), which targeted the Indian Military and recruited university students for terrorist groups. Additionally, this threat actor has been active since 2013; their Linux malware arsenal has been updated with Poseidon and other utilities.
As per reports submitted to Cyber Security News, their first campaign was conducted through a phishing link that downloads an archive that consists of a decoy document called “ACR.pdf” or “ACR_ICR_ECR_Form_for_Endorsement_New_Policy.pdf” that was related to NSRO.
Furthermore, there were two types of next stages, such as an LNK file merged inside the PDF that triggered a remote HTA file on a compromised domain. The next stages of this campaign were to check the .NET version, fetch the AV installed, decode, and run the DLL in memory.
Ares RAT Delivery
There were two shortcut files in a double extension format under the name “Homosexuality – Indian Armed Forces ․pdf.lnk”. However, there were two embedded base64 encoded files, one decoy PDF, and a DLL. When the decoy file is opened, it downloads another HTA, whereas the final DLL points to the target.
The new HTA is saved as “seqrite.jpg” in the TEMP folder, which later executes the final DLL payload that depends upon the AV present. For persistence, this payload is added to the registry key or Startup.
Additionally, their target scope has a large number of Linux-based malware, which was due to the recent Indian government’s announcement for replacing Microsoft Windows with Maya OS (Linux flavor) in government as well as defense sectors.
A complete report has been published by SEQRITE, which provides detailed information about this threat actor, the malware, and other information.
IOCs
For a comprehensive list of potential signs that a system has been breached or compromised, please refer to the Indicators of Compromise document available at the provided source.
Secures your storage & backup systems With StorageGuard – Watch a 40-second Video Tour.