SideCopy Using Action RAT and AllaKore RAT to infiltrate Indian Organizations

2023-05-08 13:27

The suspected Pakistan-aligned threat actor known as SideCopy has been observed leveraging themes related to the Indian military research organization as part of an ongoing phishing campaign.

Interestingly, the same attack chains have been observed to load and execute Action RAT as well as an open source remote access trojan known as AllaKore RAT. The latest infection sequence documented by Fortinet is no different, leading to the deployment of an unspecified strain of RAT that's capable of communicating with a remote server and launching additional payloads.

The development is an indication that SideCopy has continued to carry out spear-phishing email attacks that use Indian government and defense forces-related social engineering lures to drop a wide range of malware.

Further analysis of the Action RAT command-and-control infrastructure by Team Cymru has identified outbound connections from one of the C2 server IP addresses to another address 66.219.22[.]252, which is geolocated in Pakistan.

In all, as many as 18 distinct victims in India have been detected as connecting to C2 servers associated with Action RAT and 236 unique victims, again located in India, connecting to C2 servers associated with AllaKore RAT. The latest findings lend credence to SideCopy's Pakistan links, not to mention underscore the fact that the campaign has been successful in targeting Indian users.

"The Action RAT infrastructure, connected to SideCopy, is managed by users accessing the Internet from Pakistan," Team Cymru said.

News URL

https://thehackernews.com/2023/05/sidecopy-using-action-rat-and-allakore.html

#indian #RAT