Researchers Warn of ReverseRAT Backdoor Targeting Indian Government Agencies

February 21, 2023

A spear-phishing campaign targeting Indian government entities aims to deploy an updated version of a backdoor known as ReverseRAT.

Cybersecurity company ThreatMon attributed the activity to a threat actor tracked as SideCopy.

SideCopy is a threat group of Pakistani origin that shares overlaps with another actor known as Transparent Tribe. It is so named for mimicking the infection chains associated with SideWinder to deliver its own malware.


The adversarial crew was first observed delivering ReverseRAT in 2021, when Lumen's Black Lotus Labs detailed a set of attacks targeting victims aligned with the government and power utility verticals in India and Afghanistan.

Recent attack campaigns associated with SideCopy have mostly set their sights on a two-factor authentication solution known as Kavach (meaning "armor" in Hindi) that is used by Indian government officials.

The infection chain documented by ThreatMon begins with a phishing email that contains a macro-enabled Word document ("Cyber Advisory 2023.docm").

The file masquerades as a fake advisory from India's Ministry of Communications about "Android Threats and Preventions." That said, most of the content has been copied verbatim from a real alert published by the department in July 2020 about cybersecurity best practices.

Once the file is opened and macros are enabled, it triggers the execution of malicious code that leads to the deployment of ReverseRAT on the compromised system.
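A defensive check for the lure format described above, as an added example that is not part of the original article or of ThreatMon's report: it inspects the raw bytes of an OOXML attachment (the .docx/.docm container is a ZIP) and flags a macro-enabled main part or an embedded VBA project, so a mail gateway can hold such attachments before a user opens them. The two sample documents it builds are constructed placeholders, not the real lure.

```python
import io
import zipfile

# Content type Word assigns to the main part of a macro-enabled document
# (a real OOXML value); a .docx renamed to hide macros still carries it.
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = ("application/vnd.openxmlformats-officedocument."
                      "wordprocessingml.document.main+xml")
VBA_PART = "word/vbaProject.bin"  # part that holds the VBA project


def inspect_office_attachment(data: bytes) -> dict:
    """Report whether an OOXML attachment declares or embeds VBA macros."""
    result = {"is_ooxml": False, "macro_content_type": False,
              "has_vba_project": False, "suspicious": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if "[Content_Types].xml" not in names:
                return result  # a ZIP, but not an Office package
            result["is_ooxml"] = True
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_content_type"] = MACRO_CONTENT_TYPE in ctypes
            result["has_vba_project"] = VBA_PART in names
    except zipfile.BadZipFile:
        return result  # not a ZIP at all, so not OOXML
    # Either signal alone is enough to quarantine the attachment for review.
    result["suspicious"] = result["macro_content_type"] or result["has_vba_project"]
    return result


def _build_sample(macro_enabled: bool) -> bytes:
    """Constructed minimal Office package for the demo (not a real document)."""
    main_type = MACRO_CONTENT_TYPE if macro_enabled else PLAIN_CONTENT_TYPE
    ctypes = ('<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats'
              '.org/package/2006/content-types"><Override PartName='
              f'"/word/document.xml" ContentType="{main_type}"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ctypes)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro_enabled:
            zf.writestr(VBA_PART, b"constructed-placeholder")  # stand-in VBA blob
    return buf.getvalue()


if __name__ == "__main__":
    for label, macros in (("Cyber Advisory 2023.docm", True), ("benign.docx", False)):
        print(label, inspect_office_attachment(_build_sample(macros)))
```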

"After ReverseRAT gains persistence, it enumerates the victim's system, collects data, encrypts it using RC4, and sends it to the command-and-control (C2) server," the company said in a report published last week.

"It waits for commands to execute on the target machine, and some of its capabilities include taking screenshots, downloading and executing files, and uploading files to the C2 server."

Some elements of this post are sourced from:
thehackernews.com
