SideCopy Used Action RAT and AllaKore RAT to Infiltrate Indian Organizations
The suspected Pakistan-aligned threat actor known as SideCopy has been observed leveraging themes related to Indian military research organizations as part of an ongoing phishing campaign.
This involves using a ZIP archive lure associated with India's Defense Research and Development Organization (DRDO) to deliver a malicious payload capable of harvesting sensitive information, Fortinet FortiGuard Labs said in a new report.
The cyber espionage group, active since at least 2019, targets entities in line with the interests of the Pakistani government. It is believed to share overlap with another Pakistani hacking crew called Transparent Tribe.
SideCopy's use of DRDO-related bait for malware distribution was previously flagged by Cyble and the Chinese cybersecurity firm Qi AnXin in March 2023, and again by Team Cymru last month.
Interestingly, the same attack chain has been observed to load and run Action RAT as well as the open-source remote access trojan known as AllaKore RAT.
The latest infection sequence documented by Fortinet is no different, leading to the deployment of an unspecified RAT capable of communicating with remote servers and launching additional payloads.
The development is an indication that SideCopy continues to carry out spear-phishing email attacks that use social engineering decoys themed around the Indian government and defense forces to drop various malware.
Source: Team Cymru
Further analysis of the Action RAT command-and-control (C2) infrastructure by Team Cymru has identified outgoing connections from one of the C2 server IP addresses to another IP address, 66.219.22(.)252, geographically located in Pakistan.
The cybersecurity firm also said it observed "communications sourced from 17 different IPs assigned to Pakistani mobile providers and four Proton VPN nodes," noting incoming connections to the C2 IP addresses from IP addresses assigned to Indian ISPs.
In all, 18 distinct victims in India have been observed connecting to C2 servers associated with Action RAT, and 236 unique victims, again located in India, connecting to C2 servers associated with AllaKore RAT.
The latest findings lend credence to SideCopy's links to Pakistan, and underscore the fact that the campaign has successfully targeted Indian users.
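The infrastructure analysis described above (inbound connections from victims and from operator-side networks, outbound connections from the C2 to a further host, and distinct-victim counts) is the kind of triage a defender can reproduce over their own flow records once an indicator is published. The following is an added illustration, not code from the article, Fortinet or Team Cymru: only the defanged address 66.219.22(.)252 comes from the report; the C2 server address, every flow record and every ISP/VPN label are constructed placeholders (documentation address ranges), and the enrichment table stands in for the ASN and geolocation lookups an analyst would actually run.

```python
"""Added example: summarise flow records around a reported C2 address.

Not from the article or Team Cymru. The only real value is the defanged
indicator from the report; all flows, addresses and labels are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Indicator exactly as the article prints it (defanged with "(.)").
DEFANGED_UPSTREAM = "66.219.22(.)252"
# Hypothetical Action RAT C2 server address (placeholder in TEST-NET-1).
C2_SERVER = "192.0.2.10"


def refang(ioc: str) -> str:
    """Reverse common defanging so an indicator can be matched in logs."""
    return re.sub(r"[\(\[]\.[\)\]]", ".", ioc).replace("hxxp", "http")


@dataclass(frozen=True)
class Flow:
    ts: str      # ISO-8601 timestamp of the flow start
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination port


# Constructed flow records (not real telemetry).
SAMPLE_FLOWS = [
    Flow("2023-05-01T08:01:10Z", "198.51.100.21", "192.0.2.10", 443),  # victim -> C2
    Flow("2023-05-01T08:02:44Z", "198.51.100.22", "192.0.2.10", 443),  # victim -> C2
    Flow("2023-05-01T08:02:50Z", "198.51.100.21", "192.0.2.10", 443),  # same victim again
    Flow("2023-05-01T09:15:03Z", "203.0.113.7", "192.0.2.10", 22),     # operator-side -> C2
    Flow("2023-05-01T09:15:30Z", "203.0.113.9", "192.0.2.10", 22),     # VPN exit -> C2
    Flow("2023-05-01T09:20:00Z", "192.0.2.10", "66.219.22.252", 443),  # C2 -> upstream host
    Flow("2023-05-01T10:00:00Z", "198.51.100.23", "192.0.2.55", 80),   # unrelated traffic
]

# Constructed enrichment table: address prefix -> (label, country/class).
# Stands in for real ASN/geo lookups; the labels are fictional.
ENRICHMENT = {
    "198.51.100.": ("Indian ISP (constructed)", "IN"),
    "203.0.113.7": ("Pakistani mobile provider (constructed)", "PK"),
    "203.0.113.9": ("Proton VPN node (constructed)", "VPN"),
    "66.219.22.": ("upstream host (constructed label)", "PK"),
}


def enrich(ip: str):
    """Return (label, class) for an address, or a placeholder if unknown."""
    for prefix, meta in ENRICHMENT.items():
        if ip.startswith(prefix):
            return meta
    return ("unknown", "??")


def summarize_c2_activity(flows, c2_ip: str) -> dict:
    """Split flows touching the C2 into inbound (who talks to it) and
    outbound (where it talks to), and count distinct victims."""
    inbound = [f for f in flows if f.dst == c2_ip]
    outbound = [f for f in flows if f.src == c2_ip]
    victims = {f.src for f in inbound if enrich(f.src)[1] == "IN"}
    victim_times = [f.ts for f in inbound if f.src in victims]
    return {
        "inbound_by_class": Counter(enrich(f.src)[1] for f in inbound),
        "unique_inbound_sources": len({f.src for f in inbound}),
        "victim_ips": sorted(victims),
        "outbound_destinations": sorted({f.dst for f in outbound}),
        # Useful to compare against the public reporting date.
        "earliest_victim_contact": min(victim_times, default=None),
    }


def outbound_hits_indicator(flows, c2_ip: str, defanged_ioc: str) -> bool:
    """True if the C2 initiated any connection to the refanged indicator."""
    target = refang(defanged_ioc)
    return any(f.src == c2_ip and f.dst == target for f in flows)


if __name__ == "__main__":
    summary = summarize_c2_activity(SAMPLE_FLOWS, C2_SERVER)
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("C2 reached reported upstream:",
          outbound_hits_indicator(SAMPLE_FLOWS, C2_SERVER, DEFANGED_UPSTREAM))
```

The split between inbound and outbound is the point: victims and operators both appear as inbound sources and are told apart only by enrichment, while the outbound set is what links one piece of infrastructure to the next. Keeping the earliest victim timestamp alongside the counts makes it easy to check whether activity in your own telemetry predates the public reporting, which is the observation Team Cymru makes below.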
“Action RAT’s infrastructure, connected to SideCopy, is managed by users accessing the Internet from Pakistan,” said Team Cymru. “Victim activity preceded public reporting of these campaigns, in some cases by months.”