The file mentioned a nuclear missile under development as well as a state-run military research institute in India. The group’s targeting aligns with the aims and objectives of the government of Pakistan.
Getting into specifics
The initial attack vector is believed to be a phishing email carrying the ZIP file “DRDO-K4-Missile-Clean-room[.]zip”, which contains three files, two of which are meant to be dropped into a subfolder of the extraction directory.
Security companies warned in March and April about SideCopy’s use of DRDO-themed decoys to spread malware. According to those observations, the attack chains load and run both Action RAT and AllaKore RAT.
Eighteen potential victims in India have been linked to C2 infrastructure associated with Action RAT, while 236 potential victims in India have been linked to C2 servers associated with AllaKore RAT.
The Research
The most recent report from Fortinet documents a comparable infection chain that ends in the deployment of an unidentified RAT, which communicates with a remote server and retrieves further payloads. This shows that SideCopy continues to spread malware through spear-phishing emails impersonating the Indian government and military.
The Group’s Tools
SideCopy’s latest operation appears to have used SILENTTRINITY, a newer and more complete tool that serves as a full-featured post-exploitation framework comparable to Empire or Cobalt Strike, rather than CACTUSTORCH, which it had previously used to deliver malware obfuscated with JavaScript and VBScript.
Unlike CACTUSTORCH, SILENTTRINITY enables direct execution of Microsoft .NET code without PowerShell as an intermediary step. Although the payload was built with this tool, it is unknown whether the backend responsible for delivering the file, or any of its later stages, also used it.
Recent Versions
The most recent findings reinforce SideCopy’s connection to Pakistan and highlight its continued success in targeting Indian users. The infrastructure tying Action RAT to SideCopy is managed by operators using internet connections from Pakistan. Victim activity was observed months before the campaign was publicly disclosed.