Pakistan-based APT group SideCopy has been targeting the Indian government and defence entities over the past few months. These campaigns have escalated in scope, with the threat group now taking advantage of a WinRAR vulnerability known as CVE-2023-38831 for deploying various malicious payloads, including the AllaKore RAT, DRAT, and other malware.
Additionally, they have introduced a Linux variant of an open-source agent called Ares RAT, which exhibits code similarities with Transparent Tribe (APT36), another threat group that has persistently targeted Indian military and university students.
Cybersecurity researchers from Seqrite exposed two recent campaigns SideCopy ran against the Indian defence establishment. The attackers have been resuing compromised domains to host their payloads, which consistently resolve to the same IP address.
The modus operandi of these threat actors involves creating honeypots to lure defence personnel, enabling them to steal confidential information in acts of cyber espionage.
The first campaign observed by the security researchers distributed malware through a phishing link. When the victim clicks on the phishing link, an archive file named “Homosexuality – Indian Armed Forces” is downloaded. This document is a decoy and relates to NSRO and goes by names like “ACR.pdf” or “ACR_ICR_ECR_Form_for_Endorsement_New_Policy.pdf.”
Notably, the same decoy PDF is employed by the Linux variant of Ares RAT. Both campaigns utilise compromised domains that resolve to the same IP address, indicating a reuse of these compromised resources.
For the Windows platform, the phishing URL directs to “sunfireglobal[.]in”, a malicious domain. It includes a malicious shortcut file with a double extension format that activates a remote HTA file. This file serves as an initial stage for launching further attacks.
The Linux variant of the campaign uses a similar approach involving an ELF file and a domain called “occoman[.]com.”
After analysing the extracted contents of the final PyInstaller payload, the researchers found that this campaign deploys an open-source Ares RAT with distinct commands for command-and-control (C2) communication.
The second campaign mirrors the previous campaign by leveraging the WinRAR vulnerability CVE-2023-38831. This campaign involves phishing attacks that download archive files containing a PDF file and a folder of the same name.
This time, the decoy PDF is related to “All India Association of Non-Gazetted Officers”, a government-recognised organisation. The payload found inside this file is the AllaKore RAT. This trojan can steal system information, perform keylogging, take screenshots, download and upload files on the victim’s device and perform other functions as commanded by C2.
These attacks suggest that APT36 is expanding its operations and is sharing the arsenal with other groups like SideCopy. Researchers warn that the attacks on Indiandefense establishments will continue to rise, given the tension in the Middle East.
India and Pakistan have always been at loggerheads, not only militarily but also on the cyberspace front. In June, it was reported that DoNotTeam, a hacker group based in India, is targeting users in Pakistan. In April, security researchers revealed that Transparent Tribe is attempting to deliver a backdoor malware, Posiedon, on an Indian government entity.