Sunday, October 17, 2021

Suspected Pakistani hackers targeting the Indian Power company with ReverseRat


According to new research, a threat actor suspected of having links to Pakistan is targeting government and energy organizations in the South and Central Asian regions in order to deploy a remote-access Trojan on compromised Windows systems.

“Most of the organizations showing signs of compromise were in India, and a very small number of them were in Afghanistan,” Lumen's Black Lotus Labs said on Tuesday in a blog post.

The victims include a foreign government organization, a power transmission organization, and a power generation organization. The covert operation is said to have begun in at least January 2021.

The intrusions are notable for several reasons, not least because, in addition to their highly targeted nature, the tactics, techniques, and procedures (TTPs) adopted by the adversary rely on repurposed open-source code and on compromised domains in the same country as the targeted entity to host the malicious files.

At the same time, the group has carefully concealed its activity by modifying registry keys, which also gives it the ability to maintain persistence on the device.

Describing the multi-stage infection chain, Lumen noted that the campaign resulted in the victim receiving two agents: one resides in memory, while the second is side-loaded, granting the threat actor persistence on the infected workstations.

The attack begins with a malicious link sent via phishing e-mails or messages; when clicked, it downloads a ZIP archive containing a Microsoft shortcut file (.lnk) and a decoy PDF file from a compromised domain.

The shortcut file, in addition to displaying the decoy document to the recipient, also stealthily fetches and runs an HTA (HTML application) file from the same compromised website.

The lure documents largely describe events relating to India, disguised as a user manual for registering and booking a COVID-19 vaccine appointment through the CoWIN online portal, while a few others masquerade as documents from the Bombay Sappers, a regiment of the Corps of Engineers of the Indian Army.

Regardless of the document displayed to the victim, the HTA file, which is itself JavaScript code based on a GitHub project called CactusTorch, is used to inject 32-bit shellcode into a running process, which ultimately installs a .NET backdoor called ReverseRat. ReverseRat is a typical espionage agent with the ability to capture screenshots, manage processes, run arbitrary executables, perform file operations, and upload the collected data to a remote server.

The custom-developed framework also comes with a third component, in which a second HTA file is downloaded from the same domain to deploy the open-source AllaKore remote agent, potentially as an alternative means of maintaining access to the compromised network.
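As a defensive illustration of the delivery stage described above (a ZIP carrying a .lnk beside a decoy PDF, where the shortcut silently launches a remote HTA), here is an added triage script that is not part of the original article or of the Lumen report. It walks the Shell Link (MS-SHLLINK) StringData to recover the shortcut's command-line arguments and flags archives that match the pattern; the sample archive it builds is constructed here for the demonstration, and any domain passed in is a placeholder.

```python
import io
import struct
import zipfile

LNK_HEADER_SIZE = 0x4C
HAS_ID_LIST, HAS_LINK_INFO, HAS_ARGUMENTS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # Name, RelativePath, WorkingDir, Arguments, IconLocation
SUSPICIOUS = ("mshta", ".hta", "http://", "https://")

def lnk_arguments(data):
    """Return the command-line arguments stored in a Shell Link (.lnk), or '' if absent/invalid."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        return ""
    flags, pos = struct.unpack_from("<I", data, 0x14)[0], LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:    # skip LinkTargetIDList: 2-byte size, then the items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # skip LinkInfo: its 4-byte total size includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    for bit in STRING_FLAGS:   # StringData entries: CountCharacters, then the characters
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            text = data[pos + 2:pos + 2 + count * width].decode("utf-16-le" if width == 2 else "latin-1", "replace")
            pos += 2 + count * width
            if bit == HAS_ARGUMENTS:
                return text
    return ""

def triage_zip(zip_bytes):
    """Flag a .lnk bundled with a decoy document, and shortcuts whose arguments launch HTA or remote content."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        lnks = [n for n in zf.namelist() if n.lower().endswith(".lnk")]
        decoys = [n for n in zf.namelist() if n.lower().endswith((".pdf", ".doc", ".docx"))]
        if lnks and decoys:
            findings.append("shortcut bundled with decoy document: %s + %s" % (lnks, decoys))
        for name in lnks:
            args = lnk_arguments(zf.read(name))
            if any(s in args.lower() for s in SUSPICIOUS):
                findings.append("%s launches HTA/remote content: %s" % (name, args))
    return findings

def build_sample_zip(arguments):
    """Constructed sample (not a real artifact): minimal .lnk with HasArguments|IsUnicode plus a dummy decoy PDF."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, b"\x01\x14\x02", HAS_ARGUMENTS | IS_UNICODE)
    lnk = header.ljust(LNK_HEADER_SIZE, b"\x00") + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as zf:
        zf.writestr("vaccine_guide.pdf", b"%PDF-1.4 decoy")
        zf.writestr("vaccine_guide.pdf.lnk", lnk)
    return buf.getvalue()
```

Real-world shortcuts usually carry a LinkTargetIDList and LinkInfo block before the StringData, which the parser skips by their declared sizes, so the same function works on a .lnk pulled from a mail gateway quarantine.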

“While this threat actor’s targets have thus far remained within the South and Central Asian regions, they have proven effective at gaining access to networks of interest,” the researchers said. “Despite previously relying upon open-source frameworks such as AllaKore, the actor was able to remain effective and expand its capabilities with the development of the Svchostt agent and other components of the Reverse Rat project.”

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc', Priyanshu Vijayvargiya is a cybersecurity analyst, information security professional, developer, and white hat hacker.

