A threat actor with ties to Pakistan has been observed targeting various sectors in India with various remote access trojans like Xeno RAT, Spark RAT, and a previously undocumented malware family called CurlBack RAT.
The activity, detected by SEQRITE in December 2024, targeted Indian entities under railway, oil and gas, and external affairs ministries, marking an expansion of the hacking crew’s targeting footprint beyond government, defence, maritime sectors, and universities.
“One notable shift in recent campaigns is the transition from using HTML Application (HTA) files to adopting Microsoft Installer (MSI) packages as a primary staging mechanism,” security researcher Sathwik Ram Prakki said.
SideCopy is suspected to be a sub-cluster within Transparent Tribe (aka APT36) that’s active since at least 2019. It’s so named for mimicking the attack chains associated with another threat actor called SideWinder to deliver its own payloads.
In June 2024, SEQRITE highlighted SideCopy’s use of obfuscated HTA files, leveraging techniques previously observed in SideWinder attacks. The files were also found to contain references to URLs that hosted RTF files identified as used by SideWinder.
The attacks culminated in the deployment of Action RAT and ReverseRAT, two known malware families attributed to SideCopy, and several other payloads, including Cheex to steal documents and images, a USB copier to siphon data from attached drives, and a .NET-based Geta RAT that’s capable of executing 30 commands sent from a remote server.
The RAT is equipped to steal both Firefox and Chromium-based browser data of all accounts, profiles, and cookies, a feature borrowed from AsyncRAT.
“APT36 focus is majorly Linux systems whereas SideCopy targets Windows systems adding new payloads to its arsenal,” SEQRITE noted at the time.
The latest findings demonstrate a continued maturation of the hacking group, coming into its own, while leveraging email-based phishing as a distribution vector for malware. These email messages contain various kinds of lure documents, ranging from holiday lists for railway staff to cybersecurity guidelines issued by a public sector undertaking called the Hindustan Petroleum Corporation Limited (HPCL).
One cluster of activity is particularly noteworthy given its ability to target both Windows and Linux systems, ultimately leading to the deployment of a cross-platform remote access trojan known as Spark RAT and a new Windows-based malware codenamed CurlBack RAT that can gather system information, download files from the host, execute arbitrary commands, elevate privileges, and list user accounts.
A second cluster has been observed using the decoy files as a way to initiate a multi-step infection process that drops a custom version of Xeno RAT, which incorporates basic string manipulation methods.
“The group has shifted from using HTA files to MSI packages as a primary staging mechanism and continues to employ advanced techniques like DLL side-loading, reflective loading, and AES decryption via PowerShell,” the company said.
“Additionally, they are leveraging customized open-source tools like Xeno RAT and Spark RAT, along with deploying the newly identified CurlBack RAT. Compromised domains and fake sites are being utilized for credential phishing and payload hosting, highlighting the group’s ongoing efforts to enhance persistence and evade detection.”
