The file mentioned a nuclear missile under development as well as a state-run military research institute in India. The group's targeting aligns with the aims and objectives of the government of Pakistan.
Getting into specifics
The initial attack vector is believed to be a phishing email carrying the Zip file “DRDO-K4-Missile-Clean-room[.]zip”, which contains three files, two of which are meant to be dropped into a subfolder of the extraction location.
Security vendors warned in March and April about SideCopy’s use of DRDO-themed decoys to spread malware. According to those observations, the attack chains load and run both Action RAT and AllaKore RAT.
The most recent report from Fortinet describes a comparable infection chain that results in the deployment of an unidentified RAT, which communicates with a remote server and drops further payloads. This shows that SideCopy continues to spread malware through spear-phishing emails impersonating the Indian government and military.
The Company’s Tools
It enables direct execution of Microsoft .NET code without PowerShell as an intermediary step, in contrast to CACTUSTORCH. Although the payload was created with it, it is unknown whether the tool was also used by the backend responsible for delivering the file or in any of the later stages.
The most recent findings reinforce SideCopy’s connection to Pakistan and highlight its successful targeting of Indian victims. The infrastructure linking Action RAT to SideCopy is managed by operators using internet connections from Pakistan. Activity on victim systems was observed months before the campaign was publicly disclosed.