The ReverseRAT is seen in the wild eyeing the Indian government

March 6, 2023

Indian government agencies are advised to remain vigilant following a recently discovered spear-phishing threat campaign that targets them. Researchers have identified the malware being propagated in this campaign, called the ‘ReverseRAT.’

This malicious campaign is attributed to the ‘SideCopy’ APT, a Pakistani threat group that shares the same tactics, techniques, and procedures (TTPs) as the Transparent Tribe group.

Additionally, the ReverseRAT operators were observed copying the infection chains of the SideWinder group, reusing them to spread the malware against their targets.

Government entities and power utility firms in India and Afghanistan were the prime targets of the ReverseRAT.

Based on studies, the ReverseRAT malware was first spotted in 2021, infecting victims from India and Afghanistan, especially the countries’ government agencies and power utility companies.

Meanwhile, the SideCopy group’s most recent campaign revolved around sending phishing emails to targets with a malicious Word document attached, named ‘Cyber Advisory 2023[.]docm.’

The email’s content tricks recipients into believing that the file is an advisory from the Indian Ministry of Communications covering cybersecurity threats and preventive measures for Android OS. Analysis of the malicious file showed that it contained an authentic alert published by the Indian Ministry of Communications in July 2020, discussing the best cybersecurity practices that help people evade the most common cybercriminal threats.

However, this document is only a façade for the threat actors’ real goal, which is to deploy the ReverseRAT malware on the victim’s computer. Macros are enabled once the victim opens the malicious attachment, triggering execution of malicious code that launches the malware.

After gaining persistence on a machine, the malware begins enumerating the device, collecting critical data, encrypting files via RC4, and sending the stolen files to the threat operators’ remote C2 server. Aside from these main capabilities, the malware can also take screenshots of the compromised computer’s screen.

All of these activities are performed in response to commands the attackers send from their remote server.
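Because the initial foothold in this campaign is a macro-enabled Word attachment, a mail gateway or triage script can flag such files before a user is ever prompted to enable macros. The following is an added example, not code from the original article or from any of the researchers it cites: it inspects an Office attachment’s OOXML container for an embedded VBA project and also catches a macro project hidden behind a non-macro extension. The sample document and file names are constructed for the demonstration; the `build_sample_docm` helper is a stand-in, not a real lure.

```python
import io
import zipfile

# Extensions that Office treats as macro-enabled documents.
MACRO_EXTS = {"docm", "dotm", "xlsm", "xltm", "pptm", "potm"}


def build_sample_docm(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML container shaped like a .docm.
    The vbaProject.bin part is a placeholder, not a real macro project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # OLE compound-file magic bytes, as a real vbaProject.bin would start with.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


def inspect_office_attachment(filename: str, data: bytes) -> dict:
    """Return triage findings for one attachment.

    - macro_ext: the file name claims to be macro-enabled (e.g. .docm)
    - is_ooxml:  the bytes are a zip container with [Content_Types].xml
    - has_vba:   a vbaProject.bin part is present anywhere in the container
    - verdict:   'review' when a VBA project is embedded, else 'allow'
    A .docx carrying vbaProject.bin is still reported: the extension
    does not tell you whether a macro project is inside."""
    lower = filename.lower()
    ext = lower.rsplit(".", 1)[-1] if "." in lower else ""
    result = {"filename": filename, "macro_ext": ext in MACRO_EXTS,
              "is_ooxml": False, "has_vba": False, "verdict": "allow"}
    # OOXML files are zip archives; anything else is out of scope here.
    if not data.startswith(b"PK\x03\x04"):
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return result
    result["is_ooxml"] = "[Content_Types].xml" in names
    result["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    if result["has_vba"]:
        result["verdict"] = "review"
    return result
```

Run over a mail queue, the `review` verdict is the point at which an unsolicited document like the one described above would be held for analyst attention rather than delivered with a macro prompt.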

Since spear-phishing operators are notorious for being equipped with advanced TTPs, organisations and individuals are advised to stay alert to attack attempts and avoid opening files from unknown senders. People must also closely check the email address of any entity sending them unexpected emails and learn to recognise whether it is spoofing a legitimate entity.
