The Pakistan-based cyber threat group known as SideCopy has recently exploited a critical vulnerability in WinRAR to conduct targeted attacks against Indian governmental institutions, deploying various remote access trojans (RATs) such as AllaKore RAT, Ares RAT, and DRat. This strategy aligns with SideCopy’s longstanding focus on espionage against entities in India and Afghanistan.

Enterprise security firm SEQRITE characterized this threat campaign as multi-platform, aimed at compromising both Windows and Linux systems. Notably, a Linux variant of Ares RAT is used against Linux hosts, suggesting an adaptive approach to the evolving technological environment in government sectors.

SideCopy has been operational since at least 2019, and it is believed to be a subset of the larger Transparent Tribe (also known as APT36). This actor has been recognized for its aggressive operational tactics against Indian targets, with SEQRITE researcher Sathwik Ram Prakki emphasizing the shared infrastructure and coding practices between SideCopy and APT36 as a testament to their collaborative targeting efforts.

Earlier this year, SideCopy was linked to a phishing campaign centered around India’s Defence Research and Development Organization (DRDO), utilizing social engineering tactics to deliver information-stealing malware. More recently, the group has also been implicated in a series of phishing attacks directed at the Indian defense sector, employing ZIP file attachments to disseminate Action RAT and a new .NET-based trojan that supports multiple commands.

These latest phishing efforts have unveiled two distinct attack vectors targeting both Linux and Windows operating systems. The first vector involves distributing a Golang-based ELF binary to deploy the Linux-compatible Ares RAT, which is capable of performing functions like file enumeration, taking screenshots, and manipulating files. The second attack vector exploits CVE-2023-38831, a vulnerability within the WinRAR archiving tool, enabling threat actors to execute malicious commands and deploy various RATs, including AllaKore RAT and DRat.

According to Ram Prakki, AllaKore RAT possesses functionalities that allow it to steal system information, capture keystrokes, take screenshots, and remotely access victim machines to carry out commands and transfer stolen data to command and control servers. Meanwhile, DRat is notable for its ability to execute up to 13 distinct commands to gather system data and deploy additional payloads.

The targeting of Linux systems by SideCopy is not a coincidence; it is closely tied to India’s initiative to transition from Microsoft Windows to a Linux-based operating system known as Maya OS within its government and defense sectors. This shift underscores the actors’ intent to adapt their methodologies and tools in response to changes in the target environment.

As SideCopy continues to expand its capabilities, leveraging zero-day vulnerabilities, the group remains a persistent threat to Indian defense organizations, as evidenced by its deployment of various remote access trojans. Current observations suggest that APT36 is also enhancing its Linux-focused arsenal, potentially sharing its tools with SideCopy to further its infiltration efforts.
