Updated Pakistani Trojan ReverseRAT targets Indian government agencies
Pakistani hackers have increased their influence in South Asia.
Cybersecurity company ThreatMon discovered a spear-phishing campaign targeting government agencies in India that leads to the deployment of an updated version of the ReverseRAT remote access trojan. ThreatMon experts attributed this activity to the SideCopy group.
SideCopy is a hacker group of Pakistani origin that overlaps with another threat actor called Transparent Tribe. It is so named because it mimics the infection chains of SideWinder to deliver its own malware. SideCopy was first seen in 2021 during the rollout of ReverseRAT in attacks on governments and energy companies in India and Afghanistan.
The detected SideCopy campaign uses the Kavach two-factor authentication program, which is used by Indian civil servants. The infection chain begins with a phishing email containing a macro-enabled Word document (“Cyber Advisory 2023.docm”).
The file mimics an advisory from the Ministry of Communications of India on threats to Android devices and how to respond to them (“Android Threats and Prevention”); most of its content was copied from a real Ministry warning.
Once the file is opened and macros are enabled, the malicious code runs and deploys ReverseRAT on the compromised system. After ReverseRAT establishes persistence, it enumerates the victim’s devices, collects data, encrypts it with RC4, and sends it to the command and control server (C2, C&C). The backdoor then waits for commands to execute on the target machine; its features include taking screenshots, downloading and executing files, and exfiltrating files to the C2 server.
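The infection chain above hinges on a macro-enabled Word attachment reaching a user who then enables macros. The following is an added example (not code from ThreatMon or from the article) of a mail-gateway triage check for that stage: an OOXML document is a ZIP container, and a VBA project inside it is stored as a vbaProject.bin part, so the check flags macro-enabled extensions and also documents whose extension does not advertise the macro. The sample attachments are constructed in memory; the file name "Cyber Advisory 2023.docm" is the one the article reports, while the helper names and the quarantine policy are this example's own assumptions.

```python
import io
import zipfile
from typing import Dict, List, Tuple

# Constructed sample attachments (not artifacts from the campaign): an OOXML
# document is a ZIP; a macro-enabled one carries word/vbaProject.bin.
def build_sample_docx(with_macro: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # OLE magic bytes followed by a constructed stub, not real VBA.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed stub")
    return buf.getvalue()


def office_macro_indicators(data: bytes) -> Dict[str, object]:
    """Inspect an attachment and report whether it embeds a VBA project.

    Returns a dict with:
      is_ooxml  - the ZIP has the [Content_Types].xml part every OOXML file has
      has_vba   - at least one vbaProject.bin part is present
      vba_parts - the names of those parts
    """
    result: Dict[str, object] = {"is_ooxml": False, "has_vba": False, "vba_parts": []}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        # Not a ZIP at all (e.g. a legacy .doc or a non-Office file).
        return result
    result["is_ooxml"] = "[Content_Types].xml" in names
    vba: List[str] = [n for n in names if n.lower().endswith("vbaproject.bin")]
    result["vba_parts"] = vba
    result["has_vba"] = bool(vba)
    return result


# Hypothetical policy: quarantine anything that is macro-enabled by extension,
# and anything that carries a VBA project regardless of its extension.
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm")


def should_quarantine(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (quarantine?, reason) for one attachment."""
    if filename.lower().endswith(MACRO_EXTENSIONS):
        return True, "macro-enabled extension"
    indicators = office_macro_indicators(data)
    if indicators["has_vba"]:
        return True, "VBA project found in " + ", ".join(indicators["vba_parts"])
    return False, "no macro indicators"


if __name__ == "__main__":
    samples = [
        ("Cyber Advisory 2023.docm", build_sample_docx(True)),
        ("quarterly_report.docx", build_sample_docx(False)),
        ("renamed_lure.docx", build_sample_docx(True)),  # macro hidden behind .docx
    ]
    for name, blob in samples:
        print(name, "->", should_quarantine(name, blob))
```

The second branch matters in practice: the extension is attacker-controlled, but the vbaProject.bin part must be present for Word to offer to enable macros, so checking the container rather than the name catches a lure saved under a benign-looking extension.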
The ReverseRAT backdoor was first discovered in 2021 by Black Lotus Labs. At the time, the researchers reported that the Trojan’s operators were targeting government and energy organizations in South and Central Asia.
As of 2020, SideWinder, with which the SideCopy group is affiliated, had carried out a series of 1000 attacks using increasingly sophisticated methods. In 2022, Kaspersky Lab described SideWinder’s targets: the military and law enforcement agencies of Pakistan, Bangladesh and other South Asian countries. The group is believed to be affiliated with the Indian government, but Kaspersky Lab states that it does not attribute the group to any country.