TAG-140 Launches DRAT V2 RAT Targeting Indian Government, Defense, and Rail Sectors


Evolving Cyber Threats: New Malicious Campaigns Target India

Overview of Recent Attacks

Recent cybersecurity reports describe a campaign against Indian government organizations by a hacking group with links to Pakistan. The group used a modified version of a remote access trojan (RAT) named DRAT, and the activity has been attributed to a threat actor tracked as TAG-140. TAG-140 is assessed to overlap with SideCopy, an operational sub-cluster of the larger Transparent Tribe (APT36) umbrella.

According to an analysis from Recorded Future's Insikt Group, TAG-140 has steadily improved both its malware arsenal and its delivery methods. The latest attack impersonated the Indian Ministry of Defence through a counterfeit press release portal, and the malware itself shows a modest shift in both structure and command-and-control (C2) handling.

The New DRAT Version: Features and Functions

The latest iteration, DRAT V2, joins SideCopy's suite of RATs, which already includes variants such as Action RAT and Ares RAT. DRAT V2 adds a command for executing arbitrary shell commands, widening what the operator can do on a host after initial access.

It also hides its C2 IP addresses with Base64 encoding (an encoding, not encryption, so the address is trivially recoverable once the string is located), and it updates its custom TCP protocol to accept commands in both ASCII and Unicode. The server, however, still responds only in ASCII, a consistent trait that detection content can key on.

Recorded Future noted that DRAT V2 uses less string obfuscation than its predecessor, suggesting its authors prioritised reliable parsing of command headers over stealth. Combined with the absence of advanced anti-analysis features and relatively simple infection and persistence mechanisms, this makes DRAT V2 a candidate for identification through basic static and behavioural analysis.
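The report's observation that DRAT V2 merely Base64-encodes its C2 address suggests a simple static triage step: scan a sample for Base64 tokens and keep those that decode to an IPv4 address or address:port pair, in either ASCII or UTF-16LE (the Unicode form the protocol note above makes plausible). The following is an added example written for this article, not code from Recorded Future or from the malware; the sample blob, the TEST-NET addresses in it and the helper names are constructed for illustration.

```python
import base64
import binascii
import ipaddress
import re

# Runs of Base64 alphabet characters, 8 or longer, with optional padding.
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")
# A dotted quad with an optional :port suffix.
IP_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?$")


def _decode_candidates(token: bytes):
    """Yield plausible text decodings of one Base64 token.

    Padding is retried because string extraction often drops trailing '='.
    Both ASCII and UTF-16LE are tried, since a Delphi/.NET string may be
    stored as wide characters before encoding (assumption for this example).
    """
    for pad in (b"", b"=", b"=="):
        try:
            raw = base64.b64decode(token + pad, validate=True)
        except (binascii.Error, ValueError):
            continue
        for enc in ("ascii", "utf-16-le"):
            try:
                yield raw.decode(enc)
            except UnicodeDecodeError:
                continue
        break  # first padding that validates is the real one


def find_encoded_endpoints(blob: bytes) -> set[str]:
    """Return every 'ip' or 'ip:port' string hidden as Base64 inside blob."""
    found = set()
    for match in B64_TOKEN.finditer(blob):
        for text in _decode_candidates(match.group()):
            candidate = text.strip("\x00")
            hit = IP_PORT.match(candidate)
            if not hit:
                continue
            try:
                ipaddress.IPv4Address(hit.group(1))  # rejects octets > 255
            except ValueError:
                continue
            found.add(candidate)
    return found


# Constructed sample "binary": two encoded endpoints (one ASCII, one UTF-16LE)
# surrounded by noise. The addresses are RFC 5737 documentation ranges.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 4
    + b"config:" + base64.b64encode(b"198.51.100.23:4433") + b"\x00"
    + b"Hello, World!" + b"\x00"
    + base64.b64encode("203.0.113.9".encode("utf-16-le")) + b"\x00"
    + b"not/base64/at/all" + b"\x00"
)

if __name__ == "__main__":
    for endpoint in sorted(find_encoded_endpoints(SAMPLE_BLOB)):
        print("possible C2 endpoint:", endpoint)
```

On a real sample this will surface other Base64 blobs that happen to decode to address-like text, so treat each hit as a lead to confirm against the sample's network code or a sandbox capture, not as an indicator on its own.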

Expanded Targeting: Beyond Government Sectors

TAG-140's targeting has broadened beyond government, defense, and education to organizations in the railway and oil and gas sectors and to ministries dealing with external affairs. Analysts read this expansion as a sign of the group's growing reach and adaptability.

The infection chain begins with a clone of the Indian Ministry of Defence's official press release portal, which leads unsuspecting visitors into running the chain that delivers DRAT V2. Beyond harvesting sensitive information, the lookalike portal complicates detection and attribution, showing how the actor's playbook continues to evolve.

The Sequence of Infection Initiated by DRAT

The attack uses a "ClickFix" technique: a single link on the spoofed site starts a multi-stage infection. Clicking it copies a malicious command to the victim's clipboard, and the page then tricks the victim into pasting and running it in a command shell. That command fetches an HTML Application (HTA) file from an external server, which mshta.exe executes. A dedicated loader, BroaderAspect, then downloads and launches DRAT V2 together with a decoy PDF and establishes persistence through the Windows Registry.

These tactics give the adversary persistent, flexible control over compromised systems, supporting both automated and interactive post-exploitation activity.
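The chain described above leaves two telemetry events that are individually noisy but strong in combination: mshta.exe started with a remote URL on its command line, followed shortly on the same host by a write to a Run key. The following detection logic, run over constructed process-creation and registry events, is an added example written for this article; it is not Recorded Future's or anyone's production rule, and the event schema, host names, URL and timing window are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Autostart locations under HKCU or HKLM ...\CurrentVersion\Run[Once].
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_clickfix(events, window=timedelta(minutes=5)):
    """Return alerts for remote-HTA mshta launches and Run-key writes that follow them.

    events: iterable of dicts with keys time, host, type and, depending on type,
    image/parent_image/cmdline (process_create) or target (registry_set).
    """
    alerts = []
    remote_hta = []  # (host, time) of suspicious mshta launches seen so far
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["type"] == "process_create":
            if _basename(ev["image"]) == "mshta.exe" and URL_RE.search(ev["cmdline"]):
                remote_hta.append((ev["host"], t))
                alerts.append({
                    "host": ev["host"], "time": ev["time"],
                    "rule": "mshta_remote_hta", "severity": "medium",
                    "detail": f"parent={_basename(ev['parent_image'])} cmd={ev['cmdline']}",
                })
        elif ev["type"] == "registry_set" and RUN_KEY_RE.search(ev["target"]):
            # Escalate only when a remote HTA ran on this host within the window.
            if any(h == ev["host"] and timedelta(0) <= t - t0 <= window
                   for h, t0 in remote_hta):
                alerts.append({
                    "host": ev["host"], "time": ev["time"],
                    "rule": "run_key_after_remote_hta", "severity": "high",
                    "detail": f"target={ev['target']}",
                })
    return alerts


# Constructed sample telemetry (Sysmon-style fields, simplified). WS-A shows the
# ClickFix pattern; WS-B shows a local HTA and an unrelated installer Run key.
SAMPLE_EVENTS = [
    {"time": "2025-07-01T10:00:00", "host": "WS-A", "type": "process_create",
     "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "mshta.exe https://press-portal.invalid/release.hta"},
    {"time": "2025-07-01T10:00:07", "host": "WS-A", "type": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"time": "2025-07-01T10:02:00", "host": "WS-B", "type": "process_create",
     "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe C:\Tools\helpdesk\local.hta"},
    {"time": "2025-07-01T10:03:00", "host": "WS-B", "type": "registry_set",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent"},
]

if __name__ == "__main__":
    for a in detect_clickfix(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["host"], a["rule"], a["detail"])
```

The first rule alone is worth alerting on in most environments, since mshta.exe fetching an HTA over HTTP is rarely legitimate; the second rule exists to raise priority, not to be the only trigger. Parent process is recorded as context rather than used as a filter, because ClickFix lures vary between the Run dialog, cmd.exe and PowerShell.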

Insights into APT36 Activities

In a related development, APT36 has stepped up its operations during periods of geopolitical tension, particularly around the India-Pakistan conflict. Reports by Seqrite Labs describe the deployment of Ares RAT, among other tools, to gain full remote access to targeted systems.

Phishing attempts against Indian defense personnel have also escalated, often disguised as purchase orders from the National Informatics Centre. The emails lure recipients into clicking links embedded in malicious PDF files, which quietly download an executable disguised with a misleading file extension, enabling surveillance and data theft.

Additional Threats: Confucius and New Malware Variants

Separately from TAG-140 and APT36, the cyber espionage group Confucius has recently deployed an information stealer named WooperStealer and a modular backdoor called Anondoor. The group has targeted Indian military and government organizations since 2013.

Confucius's current tradecraft uses Windows Shortcut (LNK) files to launch the backdoor, relying on DLL side-loading for added stealth. The chain collects system information before fetching WooperStealer from a remote location, after which the operators can run further commands on the compromised host.

Conclusion

The current landscape of cyber threats against India reflects a clear evolution in the tools and tactics of these groups: improved malware capabilities, broader targeting, and phishing lures tailored to specific institutions. Organizations in the affected sectors need defenses that cover the whole chain, from the lookalike portal and clipboard lure to mshta.exe execution and Registry persistence, rather than relying on signatures for any single payload.
