New research reveals a sophisticated cyber campaign orchestrated by an actor with suspected connections to Pakistan, targeting government and energy sectors in South and Central Asia. The threat actor has primarily focused on deploying a remote access Trojan on compromised Windows systems, aimed at infiltrating sensitive networks.
According to a recent analysis by Lumen’s Black Lotus Labs, the majority of organizations affected by this compromise are situated in India, with a smaller number located in Afghanistan. Notably, these targets encompass a variety of entities, including a foreign government agency and key players in power generation and transmission. The operation appears to have commenced as early as January 2021.
The intrusion reflects a highly targeted approach, with tactics, techniques, and procedures (TTPs) that incorporate repurposed open-source code. Notably, the actor hosts its malicious payloads on compromised domains located in the same country as the targets, which helps the traffic blend in and makes the campaign both stealthier and more effective.
In their analysis, Lumen highlights that the attackers have been adept at modifying registry keys to establish persistence on compromised devices while minimizing their operational footprint. An intricate multi-step infection chain was identified: victims are tricked into downloading malicious agents that allow the actor continued access to the infected systems.
The initial phase of the attack typically begins with phishing emails containing malicious links. When a link is clicked, it triggers the download of a ZIP archive that holds a Microsoft shortcut file and a decoy PDF document. The decoy lends the package an air of legitimacy and helps win the target's trust.
When the seemingly innocuous shortcut is opened, it downloads and executes an HTA (HTML Application) file, which in turn installs a .NET backdoor named ReverseRat. This malware is equipped with a range of espionage capabilities, including screenshot capture, process termination, arbitrary executable execution, and file handling, with all collected data exfiltrated to a remote server.
The attackers have further developed their arsenal, integrating a second HTA file to deploy an open-source remote agent known as AllaKore, providing additional pathways for maintaining access to the compromised infrastructure. The ongoing evolution of these tactics underscores the continuing sophistication of the threat landscape.
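As an added illustration (not code from the Lumen report), the chain just described can be turned into a simple hunt over endpoint telemetry: an Explorer-launched shortcut spawning mshta.exe with a remote HTA, a process mshta spawns, and a Run-key write by that process. It assumes Sysmon-style event fields, that the shortcut invokes mshta.exe, and that persistence is written under a Run key; the host, paths and PIDs in the sample events are constructed.

```python
"""Added hunt for the chain above: Explorer runs a shortcut, the shortcut runs
mshta.exe against a remote HTA, and a process it spawns writes a Run-key value.
EVENTS are CONSTRUCTED Sysmon-style records (1 = process create, 13 = registry
value set); hosts, paths and PIDs are invented, only the agent name is the report's."""
import re

# Assumption: persistence lands in Run/RunOnce (the report only says "registry keys").
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
HTA_ARG_RE = re.compile(r"https?://|\.hta\b", re.IGNORECASE)
EXPLORER, MSHTA = r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe"
AGENT = r"C:\Users\u\AppData\Roaming\svchostt.exe"
RUN = r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run"

EVENTS = [
    # decoy PDF opened from the ZIP: benign, must not fire
    {"EventId": 1, "ProcessId": 300, "ParentProcessId": 10, "ParentImage": EXPLORER,
     "Image": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
     "CommandLine": r'"Acrobat.exe" C:\Users\u\Downloads\Report.pdf'},
    # shortcut double-clicked in Explorer launches mshta.exe with a remote HTA
    {"EventId": 1, "ProcessId": 200, "ParentProcessId": 10, "ParentImage": EXPLORER,
     "Image": MSHTA, "CommandLine": "mshta.exe http://compromised.invalid/Report.hta"},
    # the HTA drops and starts the .NET agent
    {"EventId": 1, "ProcessId": 201, "ParentProcessId": 200, "ParentImage": MSHTA,
     "Image": AGENT, "CommandLine": AGENT},
    # the agent registers itself for persistence
    {"EventId": 13, "ProcessId": 201, "Image": AGENT, "TargetObject": RUN + r"\svchostt"},
    # unrelated installer writing a Run value: still reported, but low priority
    {"EventId": 13, "ProcessId": 400, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": RUN + r"\VendorUpdater"},
]

def hunt(events):
    """Return (rule, pid) findings. Run-key writes by a descendant of a
    shortcut-launched mshta.exe are rated high, any other Run-key write low."""
    chain_pids, findings = set(), []
    for e in events:
        if e["EventId"] == 1:
            child, parent = e["Image"].lower(), e["ParentImage"].lower()
            if (child.endswith(r"\mshta.exe") and parent.endswith(r"\explorer.exe")
                    and HTA_ARG_RE.search(e["CommandLine"])):
                chain_pids.add(e["ProcessId"])
                findings.append(("shortcut_launched_hta", e["ProcessId"]))
            elif e["ParentProcessId"] in chain_pids:  # anything mshta spawned is suspect
                chain_pids.add(e["ProcessId"])
                findings.append(("hta_spawned_process", e["ProcessId"]))
        elif e["EventId"] == 13 and RUN_KEY_RE.search(e["TargetObject"]):
            level = "high" if e["ProcessId"] in chain_pids else "low"
            findings.append((f"run_key_persistence_{level}", e["ProcessId"]))
    return findings
```

Ordering matters: the hunt assumes events arrive in time order, so sort real telemetry by timestamp before feeding it in.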
Despite the focus on South and Central Asia for now, the researchers note the actor’s capacity to infiltrate networks of high interest, often utilizing open-source frameworks to enhance their operational capabilities. The advancements exhibited in the Svchostt agent and other components signify a concerning trend in cyber operations.