
Pakistani APTs Escalate Attacks on Indian Government During General Elections: Seqrite Exposes Evolving Threats

Pakistani SideCopy launched 3 recent campaigns deploying AllaKore remote access trojan, while Transparent Tribe used Crimson RAT variants

Heightened threat to national security and integrity of electoral processes

Attacks aim to compromise systems and establish persistent access via sophisticated malware like AllaKore and Crimson RAT

Amidst heightened concerns over potential interference in India’s general elections, Seqrite, the enterprise arm of global cybersecurity solutions provider Quick Heal Technologies Limited, has uncovered an alarming escalation in cyberattacks orchestrated by Pakistan-linked advanced persistent threat (APT) groups targeting crucial Indian government and military entities. Seqrite’s APT research team has been closely monitoring these malicious campaigns, uncovering critical insights into the evolving tactics, techniques, and procedures (TTPs) employed by the adversaries.

At the forefront of these attacks is SideCopy, a formidable Pakistan-based APT group that has persistently targeted South Asian countries, with a laser focus on compromising Indian defense and government organizations since at least 2019. In recent weeks alone, Seqrite has detected three distinct campaigns launched by this group, each characterized by the deployment of two instances of the AllaKore remote access trojan (RAT) as the final malicious payload.

Simultaneously, Transparent Tribe (APT36), SideCopy’s overarching parent APT entity, has been relentlessly utilizing advanced variants of the Crimson RAT, a sophisticated .NET-based remote access tool designed for extensive system control and persistent access. Transparent Tribe has consistently targeted India since its emergence in 2013.

The intensifying cyberattack campaigns spearheaded by these Pakistani APT groups represent a severe and escalating threat to our national security, especially in light of the ongoing general elections. Seqrite’s findings not only expose the cutting-edge offensive tactics being leveraged by the adversaries but also unveil the deep-rooted connections between different threat groups. This necessitates a coordinated and proactive cybersecurity posture across all critical infrastructure to safeguard the integrity of our democratic processes.

The infection chains dissected by Seqrite typically commence with carefully crafted spear-phishing emails delivering malicious attachments or links that exploit vulnerabilities to gain initial footholds within target networks. Once compromised, these entry points are then leveraged to deploy an array of malware payloads, including the AllaKore and Crimson RATs, granting the attackers extensive remote control and unfettered access to infected systems.

Through its comprehensive analysis, Seqrite has uncovered significant code overlaps and shared infrastructure between SideCopy and Transparent Tribe, further reinforcing the direct connection between these groups. The research also exposed APT36’s adoption of obfuscation techniques like .NET Reactor to enhance the evasiveness and persistence of their malware implants.

The persistent targeting of Indian government and defense entities by Pakistani APT groups is not a new phenomenon. However, the recent surge in attack volumes and the escalating sophistication of the adversaries’ TTPs, particularly in the run-up to the general elections, represent a substantial escalation in the evolving cyber threat landscape faced by the nation.

Seqrite strongly advises organizations, especially those involved in the electoral process, to implement robust cybersecurity measures as an immediate priority. This includes ensuring regular software updates, deploying advanced email filtering and web security solutions, and conducting comprehensive security awareness training to educate employees on identifying and mitigating social engineering tactics. Furthermore, Seqrite recommends the adoption of multi-factor authentication mechanisms, the conduct of regular security assessments and penetration testing exercises, and the establishment of comprehensive incident response plans to minimize the potential impact of successful breaches.
