An advanced persistent threat (APT) group with a track record of targeting India and Afghanistan has been linked to a new phishing campaign that delivers Action RAT.
According to Cyble, which attributed the operation to SideCopy, the activity cluster is designed to target the Defence Research and Development Organisation (DRDO), the research and development wing of India's Ministry of Defence.
Known for emulating the infection chains associated with SideWinder to deliver its own malware, SideCopy is a threat group of Pakistani origin that shares overlaps with Transparent Tribe. It has been active since at least 2019.
Attack chains mounted by the group involve spear-phishing emails to gain initial access. These messages carry a ZIP archive that contains a Windows shortcut file (.LNK) masquerading as information about the K-4 ballistic missile developed by DRDO.
Executing the .LNK file leads to the retrieval of an HTML application from a remote server, which in turn displays a decoy presentation while stealthily deploying the Action RAT backdoor.
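The delivery stage described above (a ZIP attachment carrying a shortcut that poses as a document) is something a mail gateway or triage script can flag before a user ever double-clicks it. The following is an added example, not code from the article or from Cyble: it unpacks an archive in memory and reports entries that end in a script or shortcut extension, that hide such an extension behind a document-looking name, or that carry the Windows shell-link header under a non-.lnk name. The sample archive and its file name are constructed for the demonstration and are not artifacts from the campaign.

```python
import io
import zipfile
from dataclasses import dataclass

# First 20 bytes of every Windows shell link (.LNK): HeaderSize 0x4C followed by
# the LinkCLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK, section 2.1).
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")

# Extensions that should not arrive inside an emailed archive at all.
SUSPECT_EXTENSIONS = {".lnk", ".hta", ".js", ".vbs", ".scr"}
# Extensions an attacker borrows to make a shortcut look like a document.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".ppt", ".pptx", ".xls", ".xlsx"}


@dataclass(frozen=True)
class Finding:
    entry: str
    reason: str


def _extensions(name: str) -> list[str]:
    """Every dotted suffix of a file name, lower-cased: 'a.pdf.lnk' -> ['.pdf', '.lnk']."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]]


def triage_zip(archive: bytes) -> list[Finding]:
    """Return a Finding for every archive entry that looks like a disguised shortcut or script."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            last = exts[-1] if exts else ""
            if last in SUSPECT_EXTENSIONS:
                findings.append(Finding(info.filename, f"executable attachment type {last}"))
                if any(e in DOCUMENT_EXTENSIONS for e in exts[:-1]):
                    findings.append(Finding(info.filename, "document extension used as disguise"))
            # Check content, not just the name: a shortcut renamed to .pdf still has the LNK header.
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if head == LNK_MAGIC and last != ".lnk":
                findings.append(Finding(info.filename, "shell link header under a non-.lnk name"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample, not a real campaign artifact: a header-only shortcut named like
    a document, plus a harmless text file. The shortcut has no target and does nothing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        fake_lnk = LNK_MAGIC + b"\x00" * 56  # 76-byte ShellLinkHeader, no link target
        zf.writestr("K-4_missile_details.pdf.lnk", fake_lnk)
        zf.writestr("readme.txt", b"constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_archive()):
        print(f"{f.entry}: {f.reason}")
```

The header check matters because the extension check alone is defeated by renaming; conversely, checking only the header misses .HTA and script files. In a real gateway this would run on every attachment and feed a quarantine decision rather than print to the console.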
The malware, in addition to gathering information about the victim machine, is capable of running commands sent from a command-and-control (C2) server, including harvesting files and dropping follow-on malware.
Also deployed is a new information-stealing malware called AuTo Stealer that is equipped to gather and exfiltrate Microsoft Office files, PDF documents, database and text files, and images over HTTP or TCP.
"The APT group consistently evolves its techniques while incorporating new tools into its arsenal," Cyble noted.
This isn't the first time SideCopy has employed Action RAT in its attacks directed against India. In December 2021, Malwarebytes disclosed a set of intrusions that breached a number of ministries in Afghanistan and a shared government computer in India to steal sensitive credentials.