Researchers Warn of ReverseRAT Backdoor Targeting Indian Government Agencies

india

A spear-phishing campaign targeting Indian government entities aims to deploy an updated version of a backdoor called ReverseRAT.

Cybersecurity firm ThreatMon attributed the activity to a threat actor tracked as SideCopy.

SideCopy is a threat group of Pakistani origin that shares overlaps with another actor called Transparent Tribe. It is so named for mimicking the infection chains associated with SideWinder to deliver its own malware.

The adversarial crew was first observed delivering ReverseRAT in 2021, when Lumen’s Black Lotus Labs detailed a set of attacks targeting victims aligned with the government and power utility verticals in India and Afghanistan.

Recent attack campaigns associated with SideCopy have primarily set their sights on a two-factor authentication solution known as Kavach (meaning “armor” in Hindi) that’s used by Indian government officials.

a

The infection journey documented by ThreatMon commences with a phishing email containing a macro-enabled Word document (“Cyber Advisory 2023.docm”).

The file masquerades as a fake advisory from India’s Ministry of Communications about “Android Threats and Preventions.” That said, most of the content has been copied verbatim from an actual alert published by the department in July 2020 about best cybersecurity practices.

Once the file is opened and macros are enabled, it triggers the execution of malicious code that leads to the deployment of ReverseRAT on the compromised system.

“Once ReverseRAT gains persistence, it enumerates the victim’s device, collects data, encrypts it using RC4, and sends it to the command-and-control (C2) server,” the company said in a report published last week.

“It waits for commands to execute on the target machine, and some of its functions include taking screenshots, downloading and executing files, and uploading files to the C2 server.”



Original Source


A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on Patreon using the button below

Digital Patreon Wordmark FieryCoralv2

To keep up to date follow us on the below channels.

join
Click Above for Telegram
discord
Click Above for Discord
reddit
Click Above for Reddit
hd linkedin
Click Above For LinkedIn