September 22, 2023

A spear-phishing campaign uses an upgraded version of ReverseRAT backdoor targeting Indian government entities. This attack was attributed to a threat actor called SideCopy.

The infection chains associated with SideWinder to deliver its own malware, SideCopy is a threat group of Pakistani origin with overlaps with Transparent Tribe that is operational since at least 2019 and seems to focus on targets of value in cyberespionage.

In SideCopy attacks, threat actors have targeted Indian government officials’ use of a two-factor authentication solution called Kavach. The infection begins with a phishing email containing a macro-enabled Word document (“Cyber Advisory 2023.docm”).

The file is a fake advisory from India’s Ministry of Communications about Android threats and preventions; Most of the content has been copied word by word from a departmental alert published in July 2020.

Once the file is opened and macros are enabled, malicious code is executed, which results in the deployment of ReverseRAT.

It then waits for commands to execute on the target machine, and some of its functions include taking screenshots, downloading and executing files, and uploading files to the C2 server.

The previous attacks targeted government and power utility victims. India was the most affected country, followed by Afghanistan.

Leave a Reply

%d bloggers like this: