Analysis
Attacks and Vulnerabilities
Critical infrastructure
Malware, Phishing & Ransomware
News
Threat Landscape
Vulnerabilities

SideCopy APT group uses ReverseRAT backdoor to target Indian government agencies, ThreatMon reports

February 21, 2023
SideCopy APT group uses ReverseRAT backdoor to target Indian government agencies, ThreatMon reports

ThreatMon researchers provided details of SideCopy, a Pakistani threat group, having targeted Indian government entities using a spear-phishing email containing a macro-enabled Word document. The malware used is a new version of ReverseRAT, which has enhanced obfuscation and sleep calls to avoid detection. 

“Once ReverseRAT gains persistence, it enumerates the victim’s device, collects data, encrypts it using RC4, and sends it to the Command and Control (C2) server,” ThreatMon said in its report. “It waits for commands to execute on the target machine, and some of its functions include taking screenshots, downloading and executing files, and uploading files to the C2 server.”

The researchers disclosed that SideCopy is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghani government personnel. SideCopy’s name comes from its infection chain that tries to mimic that of Sidewinder, a suspected Indian threat group active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan.

The SideCopy APT (advanced persistent threat) group has been operating since at least 2019, mainly targeting South Asian countries and more specifically India and Afghanistan. Its name comes from its infection chain that tries to mimic that of the SideWinder APT. It has been reported that this actor has similarities with Transparent Tribe (APT36) and possibly is a subdivision of this actor. Cisco Talos and Seqrite have provided comprehensive reports on this actor’s activities. The lures used by SideCopy APT are usually archive files that have embedded one of these files: Lnk, Microsoft Publisher, or trojanized applications.

The initial access vector in this attack is a spear-phishing email sent by the APT group SideCopy to Indian government entities, the ThreatMon report said. “The email contains an attached file named ‘Cyber Advisory 2023[dot]docm,’ which is a macro-enabled Word document. If the recipient opens the file and enables the macros, it will trigger the execution of malicious code, allowing the APT group to gain initial access,” it added.

The document underscores the significance of protecting internet-connected systems, in particular smartphones, across both corporate and user levels while highlighting the increased sophistication, frequency, and gravity of cyberattacks. It also includes typical strategies employed by cyber threat actors to infiltrate smartphones, including the deployment of shady apps and the exploitation of mobile application vulnerabilities, and it offers best practices for organizational security.

The ThreatMon researchers said that “when we look at the old versions of ReverseRAT, Sleep calls, and string obfuscation do not seem that much. This one is never seen before in the wild so we named it ReverseRAT 3.0. Now it does a lot of things to stay undetected anymore.”

Beginning with the main method, “we see lots of Sleepcalls and lots of obfuscation to strings. It tries to be not detected with long sleeps, then sets up the C2 IP’s string. Then it enumerates the victim device, takes the data, and sends it to the C2 server after encrypting it using RC4.”

Some of the data collected included computer name, internal IP, external IP, physical memory, operating system, processor, and webcam. “Then it began to wait for the commands that will come from the C2 Server. It has some pre-built functions that show us the functionality,” the ThreatMon report added.

The use of spear-phishing to target businesses is a developing trend that has persisted. Last month, the U.K.’s National Cyber Security Centre (NCSC) said that Russia-based SEABORGIUM and Iran-based TA453 hacker groups continue to use spear-phishing attacks against targeted organizations and individuals in the U.K., and other areas of interest, primarily for information gathering activity. 

“Throughout 2022, SEABORGIUM and TA453 targeted sectors included academia, defence, governmental organisations, NGOs, think-tanks, as well as politicians, journalists, and activists,” the NCSC alert said. “Although there is similarity in the TTPs and targeting profiles, these campaigns are separate and the two groups are not collaborating.”

Last April, threat intelligence firm Recorded Future said that it has observed in recent months likely network intrusions targeting at least seven Indian State Load Despatch Centres (SLDCs) responsible for carrying out real-time operations for grid control and electricity dispatch within these respective states.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
MITRE's CREF Navigator aligns with DoD's CMMC to boost cyber resilience in defense industrial base
MITRE’s CREF Navigator aligns with DoD’s CMMC to boost cyber resilience in defense industrial base
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
ASIS Foundation reports on impact of autonomous vehicles on security and technology
ASIS Foundation reports on impact of autonomous vehicles on security and technology
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
RMC
Risk Mitigation Consulting acquires Securicon, boosting cybersecurity and mission assurance offerings
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation