SideCopy Exploiting WinRAR Flaw in Attacks Targeting Indian Government Entities

The threat actor with ties to Pakistan, SideCopy, has been seen using the WinRAR security flaw in its assaults against Indian government institutions to spread trojans that provide remote access, including DRat, Ares RAT, and AllaKore RAT.

According to enterprise security firm SEQRITE, the campaign is multi-platform and includes attacks aimed at infiltrating Linux computers through a Linux-compatible version of Ares RAT.

Since at least 2019, SideCopy has been recognised for attacking organisations in Afghanistan and India. It is believed to be a branch of the Transparent Tribe actor group (also known as APT36).

“In order to aggressively target India, both SideCopy and APT36 share infrastructure and code,” SEQRITE researcher Sathwik Ram Prakki stated in a study on Monday.

The gang was connected to a phishing attempt earlier in May that used lures associated with India’s Defence Research and Development Organisation (DRDO) to spread malware that stole personal information.

Subsequently, SideCopy has been linked to a series of phishing attempts aimed at the Indian defence industry, utilising ZIP archive attachments to disseminate Action RAT and a novel .NET-based trojan that can execute eighteen distinct commands.

The two distinct attack chains used in the recent phishing attempts that SEQRITE discovered target both Windows and Linux operating systems.

The Linux chain is centred around a Golang-based ELF binary that opens the door for a Linux variant of Ares RAT, which can perform various tasks such as file enumeration, screenshot capture, file uploading, and downloading.

The Windows chain, in contrast, uses a security hole in the WinRAR archiving utility (CVE-2023-38831) to launch malicious code that in turn launches two new trojans, DRat and Key RAT, as well as AllaKore RAT and Ares RAT.
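The archives used to trigger CVE-2023-38831 have a publicly documented layout: a decoy document sits next to a directory that carries the same name (often differing only by a trailing space), and the directory holds a script with a matching name. A mail gateway or sandbox can flag that layout before WinRAR ever sees it. The following is an added defensive example, not code from SEQRITE or from the campaign; the archive contents are constructed inline for illustration, and the `suspicious_pairs` and `build_archive` names are this example's own.

```python
import io
import zipfile

# Constructed sample archives (not real SideCopy lures): one benign, one with
# the same-name file/directory layout associated with CVE-2023-38831.
BENIGN = [
    ("report.pdf", b"%PDF-1.4 constructed benign placeholder"),
    ("notes/readme.txt", b"plain text"),
]
LURE = [
    ("invoice.pdf ", b"%PDF-1.4 constructed decoy"),
    ("invoice.pdf /invoice.pdf .cmd", b"rem constructed placeholder, no payload"),
]


def build_archive(entries):
    """Build an in-memory ZIP from (name, bytes) pairs and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def suspicious_pairs(zip_bytes):
    """Return (file_name, directory_name) pairs in which a top-level file shares
    its name, ignoring trailing whitespace, with a top-level directory.

    A clean archive almost never has this collision, so any hit is worth
    quarantining and inspecting; it is a heuristic, not proof of exploitation.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()

    # Top-level files: no path separator at all.
    files = [n for n in names if "/" not in n]
    # Top-level directories: first path component of any nested entry.
    dirs = {n.split("/", 1)[0] for n in names if "/" in n}

    hits = []
    for f in files:
        key = f.rstrip()
        for d in sorted(dirs):
            if d.rstrip() == key:
                hits.append((f, d))
    return hits


def scan(entries):
    """Convenience wrapper: build the archive and scan it in one step."""
    return suspicious_pairs(build_archive(entries))


if __name__ == "__main__":
    print("benign:", scan(BENIGN))
    print("lure:  ", scan(LURE))
```

The check deliberately compares names with trailing whitespace stripped, because the trailing space is the detail that makes the decoy and the directory look identical to the user while remaining distinct entries inside the archive. Pair it with an ordinary extension check on what the matched directory contains, and the scanner yields a usable pre-delivery filter with very few false positives.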

“[AllaKore RAT] has the functionality to steal system information, keylogging, take screenshots, upload & download files, and take the remote access of the victim machine to send commands and upload stolen data to the C2,” Ram Prakki stated.

Up to 13 commands can be parsed by DRat from the C2 server in order to obtain system information, download and run extra payloads, and carry out other file actions.

It is quite probable that India’s plan to switch from Microsoft Windows to a Linux variant known as Maya OS in the government and defence sectors is the driving force behind the targeting of Linux.

“Expanding its arsenal with zero-day vulnerability, SideCopy consistently targets Indian defence organisations with various remote access trojans,” stated Ram Prakki.

“APT36 is expanding its Linux arsenal constantly, where sharing its Linux stagers with SideCopy is observed to deploy an open-source Python RAT called Ares.”
