Analysis of the TAG-140 cyber espionage campaign targeting Indian government organizations, focusing on the development and deployment of the modified DRAT V2 remote access trojan.
# Threat Actor: TAG-140
## Attribution & Identity
* **Primary Identification:** TAG-140.
* **Attribution Confidence:** Moderate confidence based on domain overlap, malware lineage, and infrastructure characteristics.
* **Associated Groups:** Overlaps with SideCopy; assessed to be a sub-cluster or operational affiliate of Transparent Tribe (also tracked as APT36, ProjectM, or MYTHIC LEOPARD).
* **Origin Assessment:** Suspected Pakistani state-aligned APT group.
## Activity Summary
* **Recent Campaign:** A "ClickFix-style" social engineering campaign targeting Indian government organizations, specifically spoofing the Indian Ministry of Defence via a cloned press release portal.
* **Historical Activity:** Active since at least 2019, consistently demonstrating iterative advancement in malware and delivery, utilizing spearphishing, HTAs, and MSI packages.
* **Malware Evolution:** Deployment of a modified RAT dubbed **DRAT V2** (a Delphi-compiled variant), transitioning from a previous .NET-based version.
## Tactics, Techniques & Procedures
- **Initial Access:** ClickFix-style social engineering lures used to entice victims into executing a malicious script via `mshta.exe`.
- **Loader:** Deployment of the **BroaderAspect** .NET loader for establishing persistence and subsequently installing/executing DRAT V2.
- **Malware Rotation:** Consistent pattern of rotating through various RATs including CurlBack, SparkRAT, AresRAT, Xeno RAT, AllaKore, ReverseRAT, and DRAT (V1 and V2).
- **C2 Protocol:** DRAT V2 utilizes an updated custom TCP-based, server-initiated C2 protocol supporting ASCII and Unicode command input.
- **Obfuscation:** C2 IP addresses are obfuscated with Base64 encoding and prepended strings. Command headers, by contrast, are left in plaintext in DRAT V2, a choice that favors parsing reliability over stealth.
- **Post-Exploitation (DRAT V2):**
  - Arbitrary shell command execution (`exec_this_comm`).
  - Enhanced file system interaction commands: file size retrieval (`filina_for_down`), file upload (`fil_upl~`), file execution (`this_filina_exec`), and file download/exfiltration (`fil_down_confirmina`).
- **Anti-Analysis:** DRAT V2 lacks advanced anti-analysis techniques, relying on basic infection and persistence.
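Because DRAT V2 sends its command headers in plaintext over a server-initiated TCP channel, the headers listed above are usable as network detection content. The following is an added example (not code from the report or from the malware) that scans captured server-to-client payloads for those headers; it assumes UTF-16LE as the "Unicode" form and plain substring matching, since the page does not document the encoding or the wire framing, and the sample session is constructed.

```python
from typing import Dict, List

# DRAT V2 plaintext command headers listed in the report, with the action
# the report attributes to each.
DRAT_V2_COMMANDS: Dict[str, str] = {
    "exec_this_comm": "arbitrary shell command execution",
    "filina_for_down": "file size retrieval",
    "fil_upl~": "file upload",
    "this_filina_exec": "file execution",
    "fil_down_confirmina": "file download / exfiltration",
}

def header_byte_forms(header: str) -> Dict[str, bytes]:
    """Byte forms a header may take on the wire. The report says the protocol
    accepts ASCII and Unicode input; UTF-16LE is an assumption for the
    Unicode form, since the page does not name the encoding."""
    return {"ascii": header.encode("ascii"), "utf-16le": header.encode("utf-16-le")}

def scan_payload(payload: bytes) -> List[dict]:
    """Find every DRAT V2 command header in one TCP payload. Substring
    matching is an assumption: the report does not document the framing."""
    hits = []
    for header, action in DRAT_V2_COMMANDS.items():
        for encoding, needle in header_byte_forms(header).items():
            pos = payload.find(needle)
            while pos != -1:
                hits.append({"header": header, "encoding": encoding,
                             "offset": pos, "action": action})
                pos = payload.find(needle, pos + len(needle))
    return hits

def scan_session(payloads: List[bytes]) -> List[dict]:
    """Scan the server-to-client payloads of one session (the protocol is
    server-initiated, so commands travel in that direction) and tag each
    hit with the index of the packet it was found in."""
    findings = []
    for idx, payload in enumerate(payloads):
        for hit in scan_payload(payload):
            findings.append({"packet": idx, **hit})
    return findings

# Constructed sample session (not a real capture): two command packets, one
# ASCII and one UTF-16LE, plus a benign HTTP request that must not trigger.
SAMPLE_SESSION: List[bytes] = [
    b"exec_this_comm whoami /all",
    "fil_upl~C:\\Users\\Public\\report.docx".encode("utf-16-le"),
    b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
]

if __name__ == "__main__":
    for f in scan_session(SAMPLE_SESSION):
        print(f"packet {f['packet']} off {f['offset']} {f['encoding']} {f['header']} -> {f['action']}")
```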
## Targeting
* **Sectors:** Initially focused on government, defense, maritime, and academic sectors; recently expanded to include railway, oil and gas, and external affairs ministries within India.
* **Geography:** Primarily targets Indian entities.
* **Victims:** Organizations affiliated with the Indian Ministry of Defence (recent campaign).
## Tools & Infrastructure
* **Malware Families Used:** DRAT V2 (Delphi-compiled RAT), DRAT V1 (.NET RAT), CurlBack, SparkRAT, AresRAT, Xeno RAT, AllaKore, ReverseRAT, BroaderAspect (.NET loader).
* **Infrastructure:**
  - Malicious domain used for spoofing: `email[.]gov[.]in[.]drdosurvey[.]info` (closely resembling legitimate `mod[.]gov[.]in`).
## Implications
TAG-140 continues to show iterative advancement, particularly with the introduction of DRAT V2. The enhancements to its remote access tooling suggest a likely increase in its capacity for tailored post-exploitation and lateral movement across compromised victim networks, and indicate maturing tradecraft in targeting critical Indian governmental sectors.
## Mitigations
- Employ robust email and web filtering to detect social engineering lures (e.g., ClickFix style).
- Implement endpoint detection and response (EDR) capable of behavioral analysis to detect the execution chain initiated by `mshta.exe` leading to BroaderAspect and subsequent RAT installation.
- Monitor for known indicators related to the group's malware rotation, particularly the use of custom TCP C2 protocols.
- Security teams should be vigilant against realistic website spoofing, especially concerning Ministry/Government communication portals.