Express Computer

Seqrite uncovers coordinated Pakistani APT campaigns targeting Indian Government entities


Seqrite, the enterprise arm of the global cybersecurity solutions provider Quick Heal Technologies Limited, has uncovered and analyzed in depth a series of sophisticated cyber campaigns targeting critical Indian government entities. These advanced persistent threats (APTs), attributed to multiple Pakistan-based threat actors, represent a significant escalation in cyber operations against India’s defense and infrastructure sectors.

The research, conducted by the APT team at Seqrite Labs, India’s largest malware analysis facility, revealed a complex web of interconnected APT groups, including Transparent Tribe (APT36), SideCopy, and RusticWeb. These groups have been observed sharing infrastructure, tactics, and malware components, indicating a level of coordination previously unseen among these actors. The campaigns specifically targeted the Indian Air Force, shipyards, and ports, demonstrating a clear focus on India’s strategic assets.

A key finding of the investigation was the discovery of open directories hosting malware linked to both Transparent Tribe and SideCopy. Researchers found a single domain hosting payloads for both SideCopy and APT36, targeting Windows and Linux environments respectively. This overlap, along with shared command and control (C2) infrastructure, strongly suggests a convergence of operations among these previously distinct threat actors.

The sophistication of these campaigns is evident in their use of advanced evasion techniques. SideCopy was observed employing updated HTML Application (HTA) files, similar to those used by the SideWinder APT group, to evade detection. The group also introduced new payloads, including a tool called Cheex for document and image theft, a USB copier for exfiltrating files from attached drives, and deployments of the FileZilla application and SigThief scripts.

Seqrite’s analysis uncovered several novel malware variants. A new .NET-based payload named Geta RAT was identified, incorporating browser-stealing functionality from Async RAT. Another variant, Action RAT, was observed being side-loaded by charmap.exe, a deviation from the system binaries the group previously abused. Transparent Tribe was found using a Golang-based downloader targeting Linux systems, which fetched a final payload named DISGOMOJI whose infrastructure showed links to SideCopy.

The APT groups demonstrated sophisticated social engineering tactics, leveraging themes such as salary increments, naval project reports, and government documents as lures. Many of these decoys were based on publicly available documents, showcasing the attackers’ efforts to create convincing pretexts for their phishing campaigns. The convergence of tactics among these APT groups represents a significant evolution in the cyber threat landscape facing India. This level of coordination and sophistication demands a reassessment of cybersecurity strategies at the highest levels of government and critical infrastructure.

Seqrite’s research team conducted an in-depth technical analysis of the malware used in these campaigns. They found that the attackers were testing their stager’s evasion against antivirus solutions from locations in Pakistan. Concurrently, victim traffic from India, normally seen terminating at C2 servers in Germany, was being routed over IPsec from Pakistani IP addresses, as corroborated by Team Cymru.

The reach of these campaigns was extensive, with Transparent Tribe’s Poseidon malware targeting Linux platforms using themes such as ‘Posting/Transfer under Ph-III of Rotational Transfer’, ‘Blacklist IP Address with TLP & Dates’, and ‘LTC checklist’. The group was also observed using Crimson RAT with ‘Uttarakhand Election Result’ and ‘TDS Claim Summary’ baits.

To combat these threats, Seqrite strongly advises organizations to implement comprehensive security measures. These include deploying and maintaining up-to-date antivirus and anti-malware solutions, implementing strong authentication mechanisms, conducting regular security awareness training, and ensuring all systems and software are promptly updated. Furthermore, Seqrite recommends implementing network segmentation and the principle of least privilege to minimize the potential impact of a breach.

Researchers at Seqrite Labs have provided detailed indicators of compromise and MITRE ATT&CK mappings to aid organizations in detecting and defending against these threats. Seqrite continues to monitor these threat actors and will provide updates as new information becomes available.
