Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

Researchers Warn of ReverseRAT Backdoor Targeting Indian Government Agencies

Feb 21, 2023Ravie LakshmananCyber Threat / Cyber Attack

A spear-phishing campaign targeting Indian government entities aims to deploy an updated version of a backdoor called ReverseRAT.

Cybersecurity firm ThreatMon attributed the activity to a threat actor tracked as SideCopy.

SideCopy is a threat group of Pakistani origin that shares overlaps with another actor called Transparent Tribe. It is so named for mimicking the infection chains associated with SideWinder to deliver its own malware.

The adversarial crew was first observed delivering ReverseRAT in 2021, when Lumen’s Black Lotus Labs detailed a set of attacks targeting victims aligned with the government and power utility verticals in India and Afghanistan.

Recent attack campaigns associated with SideCopy have primarily set their sights on a two-factor authentication solution known as Kavach (meaning “armor” in Hindi) that’s used by Indian government officials.

The infection journey documented by ThreatMon commences with a phishing email containing a macro-enabled Word document (“Cyber Advisory 2023.docm”).

The file masquerades as a fake advisory from India’s Ministry of Communications about “Android Threats and Preventions.” That said, most of the content has been copied verbatim from an actual alert published by the department in July 2020 about best cybersecurity practices.

Once the file is opened and macros are enabled, it triggers the execution of malicious code that leads to the deployment of ReverseRAT on the compromised system.

“Once ReverseRAT gains persistence, it enumerates the victim’s device, collects data, encrypts it using RC4, and sends it to the command-and-control (C2) server,” the company said in a report published last week.

“It waits for commands to execute on the target machine, and some of its functions include taking screenshots, downloading and executing files, and uploading files to the C2 server.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related News

Researcher create polymorphic Blackmamba malware with ChatGPT

Researcher create polymorphic Blackmamba malware with ChatGPT

The malware can target Windows, macOS and Linux devices. HYAS Institute researcher and cybersecurity expert, Jeff Sims, has developed a…
Owner of Breach Forums Pompompurin Arrested in New York

Owner of Breach Forums Pompompurin Arrested in New York

Pompompurin has been charged with a single count of conspiracy to commit access device fraud. Conor Brian Fitzpatrick (aka Pompompurin,…
New Vishing Attack Spreading FakeCalls Android Malware

New Vishing Attack Spreading FakeCalls Android Malware

The attack scheme begins with the FakeCalls malware masquerading as an online banking application of a reputable South Korean financial…