November 7, 2023 at 04:42AM
The Pakistan-linked threat actor called SideCopy has been using a recent WinRAR security vulnerability to target Indian government entities. They are delivering remote access trojans such as AllaKore RAT, Ares RAT, and DRat. This campaign is multi-platform, targeting both Windows and Linux systems. SideCopy is suspected to be a sub-group of Transparent Tribe (APT36).
Key takeaways from the meeting notes:
– SideCopy, a threat actor linked to Pakistan, has been leveraging the WinRAR security vulnerability to carry out attacks on Indian government entities.
– The campaign is multi-platform, targeting both Windows and Linux systems. SideCopy has been observed using remote access trojans such as AllaKore RAT, Ares RAT, and DRat.
– SideCopy is suspected to be a sub-group of Transparent Tribe (APT36) and shares infrastructure and code with that group.
– SideCopy has been involved in previous phishing campaigns targeting the Indian defense sector, using lures related to India’s Defense Research and Development Organization (DRDO) to deliver information-stealing malware.
– Two new trojans called DRat and Key RAT have been implicated in phishing attacks targeting the Indian defense sector, along with AllaKore RAT and Ares RAT.
– The targeting of Linux systems by SideCopy may be motivated by India’s decision to replace Microsoft Windows with a Linux flavor called Maya OS in government and defense sectors.
– SideCopy is expanding its Linux arsenal, sharing Linux stagers with APT36 and deploying an open-source Python RAT called Ares.
These takeaways highlight SideCopy’s activities and tactics, the range of trojans it deploys, and its focus on Indian government and defense organizations. The meeting notes provide useful input for assessing and improving security measures against this actor.