The Pakistan-linked hacker group known as SideCopy has been observed exploiting the recent WinRAR security vulnerability in its campaigns against Indian government entities, in order to spread various remote access trojans such as AllaKore RAT, Ares RAT and DRat.

Enterprise security firm SEQRITE described the campaign as cross-platform, with attacks also designed to infiltrate Linux systems with a compatible version of Ares RAT.

SideCopy, active since at least 2019, is known for its attacks on Indian and Afghan government entities; it is suspected to be a subgroup of Transparent Tribe, also known as APT36.

“Both SideCopy and APT36 share [malicious] infrastructure and code to hit India aggressively [at the cyber level],” SEQRITE researcher Sathwik Ram Prakki stated in a report published on Monday, 6 November 2023.

Previously, the group had been connected to a phishing campaign that exploited decoys linked to India’s Defense Research and Development Organization (DRDO) to spread information-stealing malware.

Since then, SideCopy has also been involved in a series of phishing attacks targeting India’s defense sector, with ZIP archive attachments used to spread Action RAT and a new .NET-based trojan that supports 18 different commands.

The new phishing campaigns detected by SEQRITE involve two different attack chains, one targeting Linux and the other Windows operating systems.

The first attack chain, aimed at Linux-based operating systems, relies on a Golang-based ELF binary that paves the way for a Linux version of Ares RAT. This RAT can also be downloaded from GitHub, which means it is open source and therefore modifiable by anyone able to program in Go. Among other things, it is capable of listing files, taking screenshots, and downloading and uploading files.

The second campaign, aimed at Windows operating systems, exploits CVE-2023-38831, a security flaw in the WinRAR archiving tool, to trigger the execution of malicious code, leading to the deployment of AllaKore RAT, Ares RAT and two new trojans called DRat and Key RAT.

“[AllaKore RAT] has the ability to steal system information, record keystrokes, capture screenshots, upload and download files, and gain remote access to the victim’s machine to send commands and upload stolen data to the C2 [command and control],” said Ram Prakki.

DRat is able to interpret up to 13 commands from the C2 server to collect system data, download and execute additional payloads, and perform other file operations.

The targeting of Linux systems is not accidental and is likely motivated by India’s decision to substitute Microsoft Windows with a Linux version called Maya OS in the government and defense sectors.

“By expanding its arsenal with a zero-day vulnerability, SideCopy consistently targets Indian defense organizations with various remote access Trojans,” Ram Prakki said, adding: “APT36 is constantly expanding its Linux arsenal, where it is observed sharing its Linux attacks with SideCopy to deploy an open-source Python RAT called Ares.”

Conclusion

Although WinRAR does not exist on Linux (unless you get it to run through some kind of workaround such as WINE or Proton), the growing popularity of Linux-based operating systems is slowly also attracting the bad guys who target government entities that have decided to replace the window with the penguin; and unfortunately we will have to expect anything if one day, absurdly, Linux systems were to be installed on the same machines as Windows.