A risk actor with ties to Pakistan has been noticed concentrating on numerous sectors in India with numerous distant entry trojans like Xeno RAT, Spark RAT, and a beforehand undocumented malware household known as CurlBack RAT.
The exercise, detected by SEQRITE in December 2024, focused Indian entities below railway, oil and gasoline, and exterior affairs ministries, marking an growth of the hacking crew’s concentrating on footprint past authorities, defence, maritime sectors, and universities.
“One notable shift in current campaigns is the transition from utilizing HTML Software (HTA) recordsdata to adopting Microsoft Installer (MSI) packages as a major staging mechanism,” safety researcher Sathwik Ram Prakki mentioned.
SideCopy is suspected to be a sub-cluster inside Clear Tribe (aka APT36) that is energetic since at the very least 2019. It is so named for mimicking the assault chains related to one other risk actor known as SideWinder to ship its personal payloads.
In June 2024, SEQRITE highlighted SideCopy’s use of obfuscated HTA recordsdata, leveraging strategies beforehand noticed in SideWinder assaults. The recordsdata have been additionally discovered to comprise references to URLs that hosted RTF recordsdata recognized as utilized by SideWinder.
The assaults culminated within the deployment of Motion RAT and ReverseRAT, two recognized malware households attributed to SideCopy, and a number of other different payloads, together with Cheex to steal paperwork and pictures, a USB copier to siphon knowledge from connected drives, and a .NET-based Geta RAT that is able to executing 30 instructions despatched from a distant server.
The RAT is provided to steal each Firefox and Chromium-based browser knowledge of all accounts, profiles, and cookies, a characteristic borrowed from AsyncRAT.
“APT36 focus is majorly Linux techniques whereas SideCopy targets Home windows techniques including new payloads to its arsenal,” SEQRITE famous on the time.
The most recent findings reveal a continued maturation of the hacking group, coming into its personal, whereas leveraging email-based phishing as a distribution vector for malware. These electronic mail messages comprise numerous sorts of lure paperwork, starting from vacation lists for railway workers to cybersecurity pointers issued by a public sector endeavor known as the Hindustan Petroleum Company Restricted (HPCL).
One cluster of exercise is especially noteworthy given its capacity to focus on each Home windows and Linux techniques, finally resulting in the deployment of a cross-platform distant entry trojan referred to as Spark RAT and a brand new Home windows-based malware codenamed CurlBack RAT that may collect system info, obtain recordsdata from the host, execute arbitrary instructions, elevate privileges, and checklist consumer accounts.
A second cluster has been noticed utilizing the decoy recordsdata as a strategy to provoke a multi-step an infection course of that drops a customized model of Xeno RAT, which contains fundamental string manipulation strategies.
“The group has shifted from utilizing HTA recordsdata to MSI packages as a major staging mechanism and continues to make use of superior strategies like DLL side-loading, reflective loading, and AES decryption through PowerShell,” the corporate mentioned.
“Moreover, they’re leveraging personalized open-source instruments like Xeno RAT and Spark RAT, together with deploying the newly recognized CurlBack RAT. Compromised domains and pretend websites are being utilized for credential phishing and payload internet hosting, highlighting the group’s ongoing efforts to reinforce persistence and evade detection.”
