New targeted phishing campaigns are expanding into solutions known as two-factor authentication solutions. Kabach It is used by Indian government officials.
Cybersecurity firm Securonix dubbed the activity. Steppy #Kavachbased on tactical overlap with previous attacks, we attribute to a threat actor known as SideCopy.
“The .LNK file is used to initiate code execution that ultimately downloads and executes a malicious C# payload that acts as a remote access Trojan (RAT),” said a Securonix researcher. Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said. Said in a new report.
side copy, hacking crew Originally from Pakistan and believed to have been active since at least 2019, the person is said to be associated with another actor called the Transparent Tribe (aka APT36 or Mythic Leopard).
It has also been known to spoof the attack chains used by SideWinder. SideWinder is a prolific nation-state group that disproportionately selects Pakistan-based military organizations and deploys its own set of tools.
However, this is not the first time Kavach has been targeted by attackers. In July 2021, Cisco Talos detailed an espionage operation conducted to steal credentials from Indian government officials.
Since then, Kavach-themed decoy apps have been employed by Transparent Tribe in attacks targeting India since earlier this year.
The latest attack sequence Securonix has observed over the past two weeks uses phishing emails to lure potential victims into opening a shortcut file (.LNK) and executing a remote .HTA payload. mshta.exe Windows utility.
According to the company, the HTML application was “hosted on a potentially compromised website and nested within an obscure ‘gallery’ directory designed to store some of the site’s images. It turned out that “
The compromised website in question is incomtaxdelhi.[.]org, the official website of the Income Tax Division of India for the Delhi region. Malicious files are no longer available on the portal.
In the next phase, executing the .HTA file will execute the obfuscated JavaScript code. Announcement One year ago in December 2021 from the Ministry of Defense of India
The JavaScript code also downloads an executable from a remote server, establishes persistence by modifying the Windows registry, and reboots the machine to automatically launch the binary post startup.
The binary file acts as a backdoor that allows it to execute commands sent from an attacker-controlled domain, retrieve and execute additional payloads, take screenshots, and exfiltrate files.
The extraction component also includes an option to specifically search for the database file (“kavach.db”) created by the Kavach app on your system to store your credentials.
The aforementioned infection chain is disclosed MalwareHunterTeam referred to the remote access Trojan as MargulasRAT in a series of tweets dated December 8, 2022.
“Based on correlation data from binary samples taken from RATs used by threat actors, this campaign is directed against targets in India that went undetected last year,” said the researchers.