A spear-phishing campaign targeting Indian government entities aims to deploy an updated version of a backdoor called ReverseRAT.
Cybersecurity firm ThreatMon attributed the activity to a threat actor tracked as SideCopy.
SideCopy is a threat group of Pakistani origin that shares overlaps with another actor called Transparent Tribe. It is so named for mimicking the infection chains associated with SideWinder to deliver its own malware.
The adversarial crew was first observed delivering ReverseRAT in 2021, when Lumen's Black Lotus Labs detailed a set of attacks targeting victims aligned with the government and power utility verticals in India and Afghanistan.
Recent attack campaigns associated with SideCopy have primarily set their sights on a two-factor authentication solution known as Kavach (meaning "armor" in Hindi) that's used by Indian government officials.
The infection journey documented by ThreatMon commences with a phishing email containing a macro-enabled Word document ("Cyber Advisory 2023.docm").
The file masquerades as a fake advisory from India's Ministry of Communications about "Android Threats and Preventions." That said, most of the content has been copied verbatim from an actual alert published by the department in July 2020 about best cybersecurity practices.
Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.RESERVE YOUR SEAT
Once the file is opened and macros are enabled, it triggers the execution of malicious code that leads to the deployment of ReverseRAT on the compromised system.
"Once ReverseRAT gains persistence, it enumerates the victim's device, collects data, encrypts it using RC4, and sends it to the command-and-control (C2) server," the company said in a report published last week.
"It waits for commands to execute on the target machine, and some of its functions include taking screenshots, downloading and executing files, and uploading files to the C2 server."