Attacks involving various remote access trojans have been deployed since the end of December by the Pakistan-linked threat operation SideCopy, a suspected sub-cluster of the state-backed hacking crew Transparent Tribe (also known as APT36), against Indian oil and gas and railway organizations, as well as external affairs ministries, The Hacker News reports.
Malicious emails with different lure files, including cybersecurity guidance purportedly from the Hindustan Petroleum Corporation Limited, have been leveraged by SideCopy to facilitate a pair of attack clusters, the first of which seeks to compromise Windows and Linux systems with Spark RAT and the novel Windows-based CurlBack RAT payloads, according to an analysis from SEQRITE. Aside from enabling system data exfiltration, CurlBack RAT also allows file downloads, arbitrary command execution, privilege escalation, and user account listing. Another cluster of the attack involved the use of decoy files to deploy a custom Xeno RAT variant, said researchers, who also noted SideCopy's transition to MSI packages for primary staging. "Compromised domains and fake sites are being utilized for credential phishing and payload hosting, highlighting the group's ongoing efforts to enhance persistence and evade detection," researchers added.