It has been observed that threat actors with ties to Pakistan are targeting a variety of Indian sectors. Curl back rat.
The activity, detected by Seqrite in December 2024, targets Indian groups under the Ministry of Railways, Oil and Gas, and the Ministry of Foreign Affairs, marking an expansion of the targeting footprint of hacking crews across government, defense, maritime sectors and universities.
“One of the notable changes in recent campaigns is the transition from using HTML application (HTA) files to adopting Microsoft installer (MSI) packages as a major staging mechanism,” said security researcher Sathwik Ram Prakki.
Sidecopy is suspected to be a subcluster within the Transparent Tribe (aka APT36) that has been active since at least 2019. It was named after it mimics the attack chain associated with another threat actor called SideWinder and provides its own payload.
In June 2024, Seqrite highlighted that Sidecopy uses obfuscated HTA files, leveraging previously observed techniques in Sidewinder attacks. I also found that the file contains a reference to the URL hosting the RTF file that was identified as being used by SideWinder.
An attack that reached its peak in the Action Rat and Reversalat deployment, two known malware families due to side copying, and several other payloads including Cheex for stealing documents and images, USB copiers, sweep data from attached drives, and .NET-based GETA rats that can run 30 commands sent from remote servers.
The Rat is equipped to steal both Firefox and Chromium-based browser data for all accounts, profiles, and cookies, which are features borrowed from Asyncrat.
“The APT36 focus is primarily on Linux systems, but SideCopy targets Windows Systems and adds new payloads to its arsenal,” Seqrite said at the time.
The latest findings demonstrate the continued maturation of hacking groups, leveraging email-based phishing as a distribution vector for malware. These email messages include a variety of lure documents, ranging from the list of railway staff’s holiday, to cybersecurity guidelines issued by public sector businesses called Hindustan Petroleum Corporation Limited (HPCL).
Given its ability to target both Windows and Linux systems, a cluster of activities is particularly noteworthy, leading to the deployment of a cross-platform remote access Trojan known as Spark Rat, which allows it to gather system information, download files from the host, execute arbitration orders, expand privileges, and list user accounts.
A second cluster has been observed using decoy files as a way to start a multi-step infection process that drops a custom version of Xeno RAT that incorporates basic string manipulation methods.
“This group has shifted from using HTA files to MSI packages as the main staging mechanism, continuing advanced techniques such as DLL sideloading, reflective loading and AES decoding through PowerShell,” the company said.
“In addition, along with the newly identified deployment of Curlback Rats, we are leveraging customized open source tools such as Xeno Rat and Spark Rat. Compromised domains and fake sites are used for qualification phishing and payload hosting, highlighting the group’s ongoing ability to enhance persistence and Evard detection.”
