New SideCopy attacks exploit WinRAR vulnerability
According to The Hacker News, Indian government organisations were subjected to two new attack campaigns by the Pakistan-linked advanced persistent threat operation SideCopy, one of which involved the exploitation of a WinRAR security vulnerability, aimed at facilitating the deployment of various remote access trojans.
SideCopy, a Pakistan-linked threat actor, has been spotted using the latest WinRAR security vulnerability in its assaults against Indian government agencies to deploy several remote access trojans such as AllaKore RAT, Ares RAT, and DRat.
The effort, according to enterprise security firm SEQRITE, is multi-platform, with the attacks also aiming to infiltrate Linux systems using a compatible version of Ares RAT.
Against Linux systems, SideCopy, suspected to be a subgroup of APT36 (also known as Transparent Tribe), used an ELF binary to launch the Ares RAT payload, which has file enumeration, screenshot capturing, and file upload and download capabilities. Intrusions against Windows systems instead used the WinRAR bug, tracked as CVE-2023-38831, to launch not only Ares RAT but also AllaKore RAT and the novel DRat and Key RAT.
According to researcher Sathwik Ram Prakki, in addition to system data exfiltration and keylogging, AllaKore RAT might offer file uploads and downloads as well as remote system access, whereas DRat could allow extra payload downloads and execution.
The use of Linux is not by chance and is most likely driven by India’s decision to replace Microsoft Windows with a Linux flavour known as Maya OS throughout government and defence sectors.
“Expanding its arsenal with zero-day vulnerability, SideCopy consistently targets Indian defence organisations with various remote access trojans,” according to Ram Prakki.
“APT36 is expanding its Linux arsenal constantly, where sharing its Linux stagers with SideCopy is observed to deploy an open-source Python RAT called Ares.”