Full Report
A threat actor with ties to Pakistan has been observed targeting various sectors in India with remote access trojans such as Xeno RAT, Spark RAT, and a previously undocumented malware family called CurlBack RAT. The activity, detected by SEQRITE in December 2024, targeted Indian entities under the railway, oil and gas, and external affairs ministries, marking an expansion of the hacking crew's
Analysis Summary
# Threat Actor: Pakistan-Linked Hackers / SideCopy (Suspected Sub-cluster of Transparent Tribe/APT36)
## Attribution & Identity
* **Attribution:** Threat actor with ties to Pakistan.
* **Associated Groups:** Suspected to be a sub-cluster of **Transparent Tribe** (also known as **APT36**).
* **Aliases:** **SideCopy**. This name derives from mimicking the attack chains associated with the threat actor **SideWinder**.
## Activity Summary
The actor has been observed targeting various sectors in India, marking an expansion of their targeting footprint. Activity was detected by SEQRITE in December 2024. Previous targets included government, defense, maritime sectors, and universities. More recent activity has expanded to include the **railway, oil and gas, and external affairs ministries** in India. The group uses email-based phishing as a primary distribution vector, employing lure documents related to holiday lists or cybersecurity guidelines (e.g., those from HPCL). A notable shift in recent campaigns involves moving from using HTML Application (HTA) files to adopting **Microsoft Installer (MSI) packages** as a staging mechanism.
## Tactics, Techniques & Procedures
* **Delivery/Staging Evolution:** Transitioned from using **HTA files** to using **MSI packages** for initial staging.
* **Phishing Lures:** Utilizes email-based phishing with documents masquerading as legitimate internal communications (holiday lists, security guidelines).
* **Cross-Platform Capability:** One cluster of activity demonstrates the ability to target both **Windows and Linux systems**.
* **Payload Deployment:** Deploys various RATs and data exfiltration tools.
* **TTP Mimicry:** Historically found leveraging techniques previously observed in **SideWinder** attacks, including using RTF files hosted at URLs referenced in HTA files.
## Targeting
* **Sectors:** Railway, Oil and Gas, External Affairs Ministries, Government, Defence, Maritime sectors, and Universities.
* **Geography:** Primarily targeting entities within **India**.
* **Victims:** Indian entities across specified critical sectors.
## Tools & Infrastructure
* **Malware Families Used:**
  * **CurlBack RAT:** A previously undocumented, Windows-based malware introduced in recent campaigns.
  * **Spark RAT:** A cross-platform (Windows/Linux) remote access trojan.
  * **Xeno RAT**
  * **Action RAT** (Known SideCopy payload)
  * **ReverseRAT** (Known SideCopy payload)
  * **Cheex:** Used for stealing documents and images.
  * **USB Copier:** Tool designed to siphon data from attached USB drives.
  * **Geta RAT:** A .NET-based RAT capable of executing 30 remote commands. Geta RAT is also capable of stealing browser data (Firefox and Chromium-based profiles and cookies), a feature borrowed from AsyncRAT.
* **Infrastructure:** References to URLs hosting RTF files were observed (URLs defanged in context).
## Implications
This actor group is demonstrating continuous maturation and evolution, focusing on expanding its targeting scope within India beyond traditional defense/government targets into critical infrastructure (railway, energy). The shift to MSI packages indicates an attempt to bypass current detection mechanisms focused on older file types like HTA. The capability to target both Windows and Linux highlights a significant effort to maximize enterprise access.
## Mitigations
* Monitor for payload staging and execution via **MSI packages** (msiexec) as well as the older HTA (mshta) delivery mechanism.
* Implement robust detection rules for the identified malware families, particularly **CurlBack RAT, Spark RAT, Action RAT, and Geta RAT.**
* Review endpoint security configurations specific to **Windows and Linux** endpoints due to the actor's cross-platform capabilities.
* Increase scrutiny on incoming emails containing documents related to holidays or internal security updates, especially those attempting to execute secondary payloads.
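As an added example (not part of the report and not SEQRITE's detection logic), the following Python applies heuristic checks for the MSI and HTA staging described above to constructed Sysmon-style process-creation events; the field names, paths, file names and parent-process list are assumptions, and the benign Windows Installer service start is included to show the rules do not fire on it.

```python
import re
# Constructed Sysmon-style process-creation events (assumed field names); paths,
# user names and file names are illustrative, not indicators from the report.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'msiexec.exe /i "C:\Users\alice\AppData\Local\Temp\Holiday_List_2025.msi" /qn'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Users\alice\Downloads\Cyber_Security_Guidelines.hta"'},
    {"parent": r"C:\Windows\System32\services.exe",  # benign: Windows Installer service
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": "msiexec.exe /V"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta.exe https://example.invalid/guidelines.hta"},
]

USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)
MAIL_OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def split_args(cmd):
    # Windows-style tokenizer: keep quoted paths whole, drop the quotes, skip argv[0]
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)[1:]]

def evaluate(event):
    """Return the reasons an event looks like MSI/HTA staging (empty list = no alert)."""
    image, parent = basename(event["image"]), basename(event["parent"])
    args = split_args(event["cmd"])
    reasons = []
    if image == "msiexec.exe":
        packages = [a for a in args if a.lower().endswith(".msi")]
        if any(USER_WRITABLE.search(p) for p in packages):
            reasons.append("msiexec installing a package from a user-writable path")
        if parent in MAIL_OFFICE_PARENTS:
            reasons.append(f"msiexec spawned by {parent}")
        if packages and any(a.lower() in ("/qn", "/quiet") for a in args):
            reasons.append("silent install of a user-supplied package")
    elif image == "mshta.exe":
        if any(a.lower().startswith(("http://", "https://")) for a in args):
            reasons.append("mshta executing a remote HTA")
        if any(USER_WRITABLE.search(a) for a in args):
            reasons.append("mshta executing an HTA from a user-writable path")
    return reasons

def scan(events):
    # Pair each suspicious command line with the reasons it was flagged
    return [(e["cmd"], r) for e in events if (r := evaluate(e))]
```

The heuristics are deliberately narrow (user-writable package path, mail or Office parent, silent flag, remote or user-path HTA) so they can be tuned against an environment's own msiexec baseline before being promoted to alerts.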