Government and defense structures in India fell victim to Sidecopy hackers

Carding 4 Carders

In their attacks, the attackers exploit the now widely abused WinRAR vulnerability.

Experts of the Chinese cybersecurity company Hunting Shadow Lab recorded a new cyberattack by the Indian hacker group Sidecopy, which has been operating since 2019. The main targets of the group are traditionally government agencies, military and defense structures in India.

In the new attack, the attackers used two attack chains tied to a single command-and-control server:
  1. Exploiting the CVE-2023-38831 vulnerability in WinRAR to run the AllaKore RAT malware.
  2. Sending phishing emails with an archived attachment containing a malicious file. After the malicious Windows shortcut (LNK file) is launched, a PDF file appears in the foreground, simulating a legitimate document related to the activities of the Indian organization AIANGO, while the DRAT Trojan is downloaded and launched in the background.

Analysis of the contents of the decoy files showed that the attack was again directed at Indian military and defense structures. Experts note that the use of the WinRAR vulnerability indicates that Sidecopy has updated its toolset. This vulnerability is already actively exploited by various cybercrime groups, one of which we wrote about just today.

A detailed analysis of the malware used in the attack revealed the following:
  • AllaKore RAT, launched through the WinRAR vulnerability, is a typical remote access Trojan that can collect various information about the infected system and upload and download files. It connected to the attackers' C2 server at 38[.]242[.]149[.]89.
  • DRAT, distributed via LNK files, is written for the .NET platform and also has extensive capabilities for controlling the infected system. Its C2 traffic is encrypted and disguised.

Both programs concealed their command servers and used various code obfuscation techniques. Hunting Shadow Lab has already integrated rules for detecting the malware and the malicious infrastructure used in the attack into its products, and has shared indicators of compromise (IoCs).

The Sidecopy cyberattack demonstrates the need for comprehensive protection against threats. Technical staff of organizations should ensure timely updating of vulnerable software to the latest versions (for WinRAR, version 6.23), proper configuration of security tools, and regular malware scans of the systems they manage. Users should also remain vigilant and avoid launching suspicious files from unknown sources.