September 22, 2023

A spear-phishing campaign uses an upgraded version of ReverseRAT backdoor targeting Indian government entities. This attack was attributed to a threat actor called SideCopy.

The infection chains associated with SideWinder to deliver its own malware, SideCopy is a threat group of Pakistani origin with overlaps with Transparent Tribe that is operational since at least 2019 and seems to focus on targets of value in cyberespionage.

In SideCopy attacks, threat actors have targeted Indian government officials’ use of a two-factor authentication solution called Kavach. The infection begins with a phishing email containing a macro-enabled Word document (“Cyber Advisory 2023.docm”).

The file is a fake advisory from India’s Ministry of Communications about Android threats and preventions; Most of the content has been copied word by word from a departmental alert published in July 2020.

Once the file is opened and macros are enabled, malicious code is executed, which results in the deployment of ReverseRAT.

It then waits for commands to execute on the target machine, and some of its functions include taking screenshots, downloading and executing files, and uploading files to the C2 server.

The previous attacks targeted government and power utility victims. India was the most affected country, followed by Afghanistan.

Tags:

Leave a Reply

You may have missed

T-Mobile and Data Breach tightly coupled

September 21, 2023

Cisco Acquires Splunk in a blockbuster deal

September 21, 2023

Atlassian BitBucket and Confluence Vulnerabilities

September 21, 2023

Snatch ransomware Dissection

September 21, 2023

Fortinet Fixes Vulnerabilities in FortiOS

September 20, 2023

Trend Micro Endpoint Vulnerability – CVE-2023-41179

September 20, 2023
%d bloggers like this: