SideCopy Using Action RAT and AllaKore RAT to infiltrate Indian Organizations

May 8, 2023 | Ravie Lakshmanan | Cyber Espionage / Threat Intel


The suspected Pakistan-aligned threat actor known as SideCopy has been observed leveraging themes tied to an Indian military research organization as part of an ongoing phishing campaign.

The campaign uses a decoy ZIP archive purporting to come from India's Defense Research and Development Organization (DRDO) to deliver a malicious payload capable of collecting sensitive information, Fortinet FortiGuard Labs said in a new report.

The cyber espionage group, active since at least 2019, targets entities that align with the interests of the Pakistani government. It is believed to overlap with another Pakistani hacking outfit known as Transparent Tribe.


Cyble and the Chinese cybersecurity firm QiAnXin previously reported SideCopy's use of DRDO-related decoys for malware distribution in March 2023, and Team Cymru did so again last month.

Notably, the same attack chains have also been observed loading and executing Action RAT as well as an open-source remote access trojan known as AllaKore RAT.

The latest infection sequence documented by Fortinet is no different, culminating in the deployment of an unnamed RAT that can communicate with a remote server and launch additional payloads.

The development indicates that SideCopy continues to carry out spear-phishing email attacks that use social engineering lures tied to the Indian government and defense forces to drop a wide range of malware.

[Figure: SideCopy infrastructure] Source: Team Cymru

Further analysis of Action RAT's command-and-control (C2) infrastructure by Team Cymru identified outbound connections from one of the C2 server IP addresses to another address, 66.219.22[.]252, which geolocates to Pakistan.

The cybersecurity firm also said it observed "communications originating from 17 different IPs assigned to Pakistani mobile providers and four Proton VPN nodes," in addition to inbound connections from IP addresses assigned to Indian ISPs.
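Reports like the ones above publish their indicators defanged (66.219.22[.]252, hxxp://) so that they cannot be clicked by accident, which means the first step in a hunt is to refang them and match them against outbound connection logs. The following is an added example, not code from Fortinet, Team Cymru or The Hacker News: the only real address in it is the Pakistan-geolocated IP quoted in the article, used purely to show the refang-and-match flow (an operational hunt would use the C2 addresses from the cited reports); the URL indicator, the key=value log format and every log line are constructed for illustration.

```python
"""Refang defanged indicators from a threat-intel write-up and hunt for them
in outbound connection logs.

Added example, not from the reports the article cites. The log format
('<timestamp> key=value ...') and all log lines are constructed; the URL
indicator is made up. 66.219.22[.]252 is the address quoted in the article.
"""
import ipaddress
import re
from collections import defaultdict

# Indicators exactly as a write-up would print them (defanged).
REPORT_IOCS = [
    "66.219.22[.]252",                       # from the article (Pakistan-geolocated)
    "hxxp://example[.]invalid/decoy.zip",    # constructed URL, not from any report
]

# Constructed firewall/egress log lines for a hypothetical Indian network.
SAMPLE_LOGS = [
    "2023-04-12T09:14:03Z src=10.20.5.17 dst=66.219.22.252 dport=443 proto=tcp action=allow",
    "2023-04-12T09:14:09Z src=10.20.5.17 dst=142.250.72.14 dport=443 proto=tcp action=allow",
    "2023-04-12T09:15:41Z src=10.20.8.4 dst=66.219.22.252 dport=8080 proto=tcp action=allow",
    "2023-04-12T09:16:00Z src=10.20.8.4 dst=10.20.0.1 dport=53 proto=udp action=allow",
    "2023-04-12T09:17:22Z src=10.20.5.17 dst=66.219.22.252 dport=443 proto=tcp action=allow",
]


def refang(indicator: str) -> str:
    """Undo the common defanging conventions: [.] (.) {.} for dots,
    hxxp/hxxps for http/https, [:] and [@] for ':' and '@'."""
    s = indicator.strip()
    for bracketed_dot in ("[.]", "(.)", "{.}"):
        s = s.replace(bracketed_dot, ".")
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.replace("[:]", ":").replace("[@]", "@")


KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv_line(line: str) -> dict:
    """Parse '<ts> key=value key=value ...' into a dict (ts under 'ts')."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def ip_indicators(indicators) -> list:
    """Keep only indicators that parse as an IP or CIDR after refanging;
    a bare IP becomes a /32 (or /128) network so 'in' works uniformly."""
    nets = []
    for ioc in indicators:
        try:
            nets.append(ipaddress.ip_network(refang(ioc), strict=False))
        except ValueError:
            continue  # URLs, domains and hashes are not IP indicators
    return nets


def hunt(log_lines, indicators) -> dict:
    """Return {src_ip: [(ts, dst, dport), ...]} for every outbound
    connection whose destination falls inside an IP indicator."""
    nets = ip_indicators(indicators)
    hits = defaultdict(list)
    for line in log_lines:
        f = parse_kv_line(line)
        if "src" not in f or "dst" not in f:
            continue
        try:
            dst = ipaddress.ip_address(f["dst"])
        except ValueError:
            continue
        if any(dst in net for net in nets):
            hits[f["src"]].append((f["ts"], f["dst"], f.get("dport", "?")))
    return dict(hits)


if __name__ == "__main__":
    for src, conns in hunt(SAMPLE_LOGS, REPORT_IOCS).items():
        print(f"{src}: {len(conns)} connection(s) to indicator addresses")
        for ts, dst, dport in conns:
            print(f"  {ts} -> {dst}:{dport}")
```

Two internal hosts show up against the sample data, which is the shape of the question Team Cymru's victim counts answer at internet scale: which sources talked to the infrastructure, and when. Accepting CIDR indicators through `ip_network` lets the same loop take a /24 from a later report without changes.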



In total, up to 18 distinct victims in India were observed connecting to C2 servers associated with Action RAT, and 236 unique victims, again located in India, were observed connecting to C2 servers associated with AllaKore RAT.

The latest findings lend credence to SideCopy's links to Pakistan and underscore that the campaign has succeeded in reaching Indian users.

"Action RAT's infrastructure, linked to SideCopy, is managed by users accessing the Internet from Pakistan," Team Cymru said. "Victim activity preceded the public disclosure of this campaign, in some cases by several months."


Ikaroa, a leading full stack tech company, is raising awareness of the threat SideCopy poses to Indian organizations. SideCopy is a threat actor whose current campaign uses two different remote access trojans (RATs), Action RAT and AllaKore RAT, to gain access to target systems and networks.

The campaign, attributed to a Pakistan-aligned actor and aimed at Indian targets, uses Action RAT and AllaKore RAT to gain access to organizations' internal networks, allowing the attackers to siphon off data and install additional malicious software. The initial access vector is spear-phishing email carrying social engineering lures tied to the Indian government and defense forces, such as a decoy ZIP archive themed on DRDO.

Once a RAT is installed, the attackers can collect sensitive information, communicate with a remote server, and launch additional payloads, which lets them persist on the victim's network and expand their foothold. This poses a serious threat, as the attackers can potentially reach confidential data such as financial records and personnel information.

At Ikaroa, we believe in educating our customers on the best practices for protecting their systems and networks. We highly recommend organizations take proactive measures to identify and protect against these campaigns. Some of these protective measures include regular software updates, firewall configurations, and multi-factor authentication.

We also recommend that organizations perform regular security assessments to detect any suspicious activity. Furthermore, organizations should be aware of the various attack vectors and continually monitor their networks for suspicious activity.

Ikaroa’s advanced security consulting services can help organizations identify the latest attack campaigns and their indicators of compromise. We provide comprehensive security assessments and audit trails to detect any malicious activity. Furthermore, we offer mitigation and remediation strategies to protect against future attacks.

By partnering with Ikaroa, organizations can gain the highest level of protection against SideCopy and other malicious attacks. We’re committed to helping our customers stay one step ahead of the attackers and keep their systems safe.

