March 27, 2023

A spear-phishing campaign uses an upgraded version of ReverseRAT backdoor targeting Indian government entities. This attack was attributed to a threat actor called SideCopy.

The infection chains associated with SideWinder to deliver its own malware, SideCopy is a threat group of Pakistani origin with overlaps with Transparent Tribe that is operational since at least 2019 and seems to focus on targets of value in cyberespionage.

In SideCopy attacks, threat actors have targeted Indian government officials’ use of a two-factor authentication solution called Kavach. The infection begins with a phishing email containing a macro-enabled Word document (“Cyber Advisory 2023.docm”).

The file is a fake advisory from India’s Ministry of Communications about Android threats and preventions; Most of the content has been copied word by word from a departmental alert published in July 2020.

Once the file is opened and macros are enabled, malicious code is executed, which results in the deployment of ReverseRAT.

It then waits for commands to execute on the target machine, and some of its functions include taking screenshots, downloading and executing files, and uploading files to the C2 server.

The previous attacks targeted government and power utility victims. India was the most affected country, followed by Afghanistan.

Tags:

Leave a Reply

You may have missed

Okta Credentials Exposed via Post Exploitation Attack

Okta Credentials Exposed via Post Exploitation Attack

March 27, 2023
Dark Power Ransomware Dissection

Dark Power Ransomware Dissection

March 26, 2023
CatB Ransomware Dissection

CatB Ransomware Dissection

March 26, 2023
Microsoft Patches Acropalypse Vulnerability

Microsoft Patches Acropalypse Vulnerability

March 26, 2023
TheCyberThrone Security Week In Review – March 25th, 2023

TheCyberThrone Security Week In Review – March 25th, 2023

March 26, 2023
ChatGPT for Google- Harvest Facebook Accounts

ChatGPT for Google- Harvest Facebook Accounts

March 26, 2023
%d bloggers like this: