Exploiting a WinRAR Vulnerability, SideCopy Conducts Attacks Against Indian Government Institutions

In recent developments, a Pakistan-linked threat actor known as SideCopy has been observed utilizing a recent WinRAR security vulnerability to target Indian government entities. This campaign has raised concerns, as SideCopy is believed to be a sub-group of Transparent Tribe, also known as APT36. Both groups have shared infrastructure and code, making their attacks particularly aggressive when directed at India. In this blog, we will delve into the tactics employed by SideCopy, its latest campaign, and provide some remediation steps to bolster your organization’s security.

Understanding the Threat:

SideCopy, active since at least 2019, has a history of launching cyberattacks against Indian and Afghan entities. Their recent campaign involves leveraging the WinRAR security flaw and delivering various remote access trojans such as AllaKore RAT, Ares RAT, and DRat, among others. This campaign is notable for its multi-platform nature, targeting both Windows and Linux systems.

The Tactics:

  • Linux Infiltration: The attacks are designed to infiltrate Linux systems, a move that is likely motivated by India’s decision to replace Microsoft Windows with a Linux-based operating system known as Maya OS across government and defense sectors.
  • Phishing Campaigns: SideCopy has been implicated in phishing campaigns targeting the Indian defense sector. These campaigns often use enticing lures related to organizations like India’s Defence Research and Development Organization (DRDO) to deliver information-stealing malware.
  • Malware Payloads: The malware payloads delivered by SideCopy include AllaKore RAT, Ares RAT, DRat, and Key RAT. These trojans are capable of a wide range of malicious activities, such as stealing system information, keylogging, taking screenshots, and file uploading and downloading.

Remediation Steps:

To safeguard your organization against such threats, consider the following remediation steps:

  • Patch Management: Stay vigilant about security patches and updates for your software and operating systems. Regularly update your systems to mitigate known vulnerabilities.
  • Email Security: Strengthen email security by implementing robust filtering mechanisms to detect and block phishing attempts. Train your employees to recognize and report phishing emails
  • Endpoint Security: Employ reliable endpoint security solutions to detect and prevent malware infections. Regularly scan and monitor your systems for suspicious activities.
  • Network Segmentation: Segregate your network to limit lateral movement of attackers. Isolate sensitive systems and data from the rest of your network.
  • User Awareness: Continuously educate your staff about cybersecurity best practices. Awareness and training can help employees identify and avoid potential threats.
  • Incident Response Plan: Develop a comprehensive incident response plan to react swiftly in case of a security breach. This plan should include steps for containment, eradication, and recovery.
  • Monitoring and Detection: Implement advanced threat detection tools to monitor network traffic for unusual activities. Promptly investigate any suspicious behavior.

Conclusion:

The threat landscape is constantly evolving, and threat actors like SideCopy are actively targeting organizations. It’s crucial to remain proactive and vigilant in your organization’s cybersecurity efforts. By following these remediation steps and staying informed about the latest threats, you can bolster your defenses and minimize the risk of falling victim to such attacks.