Pakistan-Origin SideCopy Linked to New Cyberattack on India's Ministry of Defence



A group known for targeting India and Afghanistan through advanced persistent threat (APT) campaigns has been identified as the culprit behind a new phishing scheme that distributes Action RAT malware.

Cyble has stated that SideCopy is behind a cluster of activities aimed at the Defence Research and Development Organization (DRDO), which happens to be the research and development wing of India's Ministry of Defence.

SideCopy, a group originating from Pakistan, is known for replicating the infection chains used by SideWinder to distribute its own malicious software. The group shares similarities with Transparent Tribe and has been operating since at least 2019.

The group's attacks are executed in a series of steps. They start with spear-phishing emails designed to look like legitimate requests. These emails carry a ZIP archive that appears to hold information about DRDO's K-4 ballistic missile; in reality, the archive contains a Windows shortcut file (.LNK).

When the .LNK file is opened, it fetches an HTML application (HTA) from a remote server. This application then displays a decoy presentation to the user while surreptitiously installing the Action RAT backdoor.
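The chain above (shortcut opened from an archive, HTA pulled from a remote server) leaves a characteristic trace in endpoint telemetry: HTA files are executed by mshta.exe, so a shortcut that fetches one produces an mshta.exe process launched by explorer.exe with a URL on its command line. The following detection logic is an added example, not code from the article or from Cyble; it runs over constructed Sysmon-style process-creation events (field names assumed) and also flags HTAs run straight out of a Windows archive-extraction temp folder, which goes slightly beyond the case the article describes.

```python
import re

# Constructed sample process-creation events (Sysmon-style field names assumed); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" http://placeholder.invalid/k4-brief.hta',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" C:\Program Files\Vendor\installer.hta',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\u\Desktop\notes.txt',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\SysWOW64\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Users\u\AppData\Local\Temp\Temp1_K4_Missile.zip\brief.hta"',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# A remote URL handed to mshta.exe: the HTA is fetched from a server rather than read from disk.
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"']+", re.IGNORECASE)
# Windows extracts archive members opened in-place into %TEMP%\Temp<N>_<archive>.zip\.
ARCHIVE_TEMP_RE = re.compile(r"\\Temp\\Temp\d+_[^\\]+\.zip\\", re.IGNORECASE)


def basename(path):
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the reasons this event looks like an HTA lure launch, or [] if it looks benign."""
    if basename(event["Image"]) != "mshta.exe":
        return []
    cmd = event["CommandLine"]
    reasons = []
    if URL_RE.search(cmd):
        reasons.append("mshta.exe given a remote URL instead of a local .hta")
    if ARCHIVE_TEMP_RE.search(cmd):
        reasons.append("HTA executed from an archive-extraction temp folder")
    # explorer.exe as parent is what a double-clicked shortcut looks like; an installer is not.
    if reasons and basename(event["ParentImage"]) == "explorer.exe":
        reasons.append("spawned by explorer.exe, consistent with a double-clicked shortcut")
    return reasons


def suspicious_hta_launches(events):
    """Return (command line, reasons) for every event that matches at least one heuristic."""
    return [(e["CommandLine"], classify(e)) for e in events if classify(e)]
```

The vendor installer in the sample is deliberately left unflagged: mshta.exe with a local .hta under Program Files is routine, and the parent-process check only adds weight once a content heuristic has already fired.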

The malware can perform various functions on the targeted computer, including collecting data and executing commands received from a remote command-and-control server. These commands may involve gathering files or dropping additional malware onto the system.

An additional malware called AuTo Stealer is also deployed. It is designed to collect and exfiltrate various types of data, including Microsoft Office files, PDF documents, databases, text files, and images, using either HTTP or TCP. The gathered information can be used for nefarious purposes.

According to Cyble, the APT group is constantly updating its methods and adding new tools to its arsenal.

This is not the first time SideCopy has used Action RAT against India. In December 2021, Malwarebytes disclosed a series of intrusions that compromised various ministries in Afghanistan and a shared government computer in India in order to obtain valuable credentials.

The most recent discoveries come a month after the hostile group was observed using a Remote Access Trojan called ReverseRAT to target Indian government organizations.
