Suspected Pakistani Actor Compromises Indian Power Company With New ReverseRat

Black Lotus Labs has discovered a new ReverseRat remote access Trojan that targets government and energy organizations in South and Central Asia. Supposedly, the operating infrastructure of the cybercriminal group is located in Pakistan.

In addition to ReverseRat, criminals install an open-source RAT called AllaKore in parallel on systems to infect other systems and ensure persistence.

In the first phase of the campaign, the criminals, presumably through emails, sent victims URLs that redirected them to compromised websites. According to experts from Black Lotus Labs, the attackers decided to use the hacked domains in the same country as the attacked organization in order to avoid detection and disguise themselves among the standard web browsing activity on the network.

Clicking on the links downloaded a .zip archive containing a Microsoft file shortcut (.lnk) and a PDF file. When launching a shortcut, a PDF file was displayed, distracting the user’s attention. At the same time, the .lnk was secretly extracting and running an HTA file (HTML application) from the compromised website.

Organizations and events related to the events in India in spring 2021 were mentioned in the fake PDFs. Some of the papers or decoys had a more general theme and related to COVID-19 vaccination, while others were related to the energy sector.

In the next phase of the attack, an HTA file containing JavaScript code based on a GitHub project called CactusTorch launched the .NET program preBotHta.pdb, which the group has been using since 2019. The 2021 version of the preBotHta file had two notable features: it was executed entirely in memory, and it could also change the location of the ReverseRat if a certain antivirus product was running on the compromised system.

Then preBotHta launched ReverseRat, which, through Windows Management Instrumentation (WMI), collected information about the MAC address, physical memory on the device, processor (maximum clock frequency, name, manufacturer), etc. The malware encrypted data using an RC4 key and sent it to C&C server.

The second HTA file contained a coded command to modify a registry key, a bootloader, and an AllaKore tool that provided access to the compromised network.

Analyzing the campaign, experts have identified similarities with the techniques, tactics and procedures used in an operation called Operation SideCopy, organized by the Pakistani APT group Transparent Tribe last year. Whether the two groups are related, the experts did not clarify.

Catch up on more articles here

Follow us on Twitter here

Popular

Must read

MORE ON THIS TOPIC:

Related Posts