A risk actor with ties to Pakistan has been noticed concentrating on varied sectors in India with varied distant entry trojans like Xeno RAT, Spark RAT, and a beforehand undocumented malware household known as CurlBack RAT.
The exercise, detected by SEQRITE in December 2024, focused Indian entities underneath railway, oil and fuel, and exterior affairs ministries, marking an growth of the hacking crew’s concentrating on footprint past authorities, defence, maritime sectors, and universities.
“One notable shift in current campaigns is the transition from utilizing HTML Software (HTA) recordsdata to adopting Microsoft Installer (MSI) packages as a main staging mechanism,” safety researcher Sathwik Ram Prakki mentioned.
SideCopy is suspected to be a sub-cluster inside Clear Tribe (aka APT36) that is lively since not less than 2019. It is so named for mimicking the assault chains related to one other risk actor known as SideWinder to ship its personal payloads.
In June 2024, SEQRITE highlighted SideCopy’s use of obfuscated HTA recordsdata, leveraging methods beforehand noticed in SideWinder assaults. The recordsdata had been additionally discovered to comprise references to URLs that hosted RTF recordsdata recognized as utilized by SideWinder.
The assaults culminated within the deployment of Motion RAT and ReverseRAT, two recognized malware households attributed to SideCopy, and a number of other different payloads, together with Cheex to steal paperwork and pictures, a USB copier to siphon knowledge from connected drives, and a .NET-based Geta RAT that is able to executing 30 instructions despatched from a distant server.
The RAT is supplied to steal each Firefox and Chromium-based browser knowledge of all accounts, profiles, and cookies, a characteristic borrowed from AsyncRAT.
“APT36 focus is majorly Linux programs whereas SideCopy targets Home windows programs including new payloads to its arsenal,” SEQRITE famous on the time.
The newest findings display a continued maturation of the hacking group, coming into its personal, whereas leveraging email-based phishing as a distribution vector for malware. These electronic mail messages comprise varied sorts of lure paperwork, starting from vacation lists for railway employees to cybersecurity tips issued by a public sector enterprise known as the Hindustan Petroleum Company Restricted (HPCL).
One cluster of exercise is especially noteworthy given its capability to focus on each Home windows and Linux programs, finally resulting in the deployment of a cross-platform distant entry trojan often known as Spark RAT and a brand new Home windows-based malware codenamed CurlBack RAT that may collect system info, obtain recordsdata from the host, execute arbitrary instructions, elevate privileges, and checklist person accounts.
A second cluster has been noticed utilizing the decoy recordsdata as a strategy to provoke a multi-step an infection course of that drops a customized model of Xeno RAT, which includes fundamental string manipulation strategies.
“The group has shifted from utilizing HTA recordsdata to MSI packages as a main staging mechanism and continues to make use of superior methods like DLL side-loading, reflective loading, and AES decryption through PowerShell,” the corporate mentioned.
“Moreover, they’re leveraging custom-made open-source instruments like Xeno RAT and Spark RAT, together with deploying the newly recognized CurlBack RAT. Compromised domains and pretend websites are being utilized for credential phishing and payload internet hosting, highlighting the group’s ongoing efforts to reinforce persistence and evade detection.”
