New phishing campaign detected by Seqrite: SideCopy

admin, February 15, 2024, 18:18:14

The Pakistan-linked threat actor known as SideCopy has been observed leveraging the recent WinRAR security vulnerability in its attacks targeting Indian government entities to deliver various remote access trojans such as AllaKore RAT, Ares RAT, and DRat.

Enterprise security firm SEQRITE described the campaign as multi-platform, with the attacks also designed to infiltrate Linux systems with a compatible version of Ares RAT.

SideCopy, active since at least 2019, is known for its attacks on Indian and Afghan entities. It is suspected to be a sub-group of the Transparent Tribe (aka APT36) actor.

"Both SideCopy and APT36 share infrastructure and code to aggressively target India," SEQRITE researcher Sathwik Ram Prakki said in a Monday report.

Earlier this May, the group was linked to a phishing campaign that took advantage of lures related to India's Defence Research and Development Organization (DRDO) to deliver information-stealing malware.

Since then, SideCopy has also been implicated in a set of phishing attacks targeting the Indian defense sector with ZIP archive attachments to propagate Action RAT and a new .NET-based trojan that supports 18 different commands.

The new phishing campaigns detected by SEQRITE entail two different attack chains, one targeting Linux and the other Windows.

The former revolves around a Golang-based ELF binary that stages a Linux version of Ares RAT capable of enumerating files, taking screenshots, and downloading and uploading files, among other functions.

The second campaign, on the other hand, entails the exploitation of CVE-2023-38831, a security flaw in the WinRAR archiving tool, to trigger the execution of malicious code, leading to the deployment of AllaKore RAT, Ares RAT, and two new trojans called DRat and Key RAT.
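
As an added example (not code from the Seqrite report or from this article), the following Python script flags ZIP archives laid out the way CVE-2023-38831 lures are known to be: a decoy file whose name ends in a space, a directory of exactly the same name, and inside that directory a script named after the decoy. The heuristic follows the public description of the WinRAR flaw; the extension list, the function names and the constructed sample archive are assumptions for illustration. The scanner reads entry names only and extracts nothing, so it can be run over suspicious ZIP attachments of the kind described above without triggering anything.

```python
import io
import os
import zipfile
from typing import Dict, List

# File types Windows will execute when WinRAR hands the extracted path to
# ShellExecute. This list is an assumption for the demo; extend as needed.
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".com", ".vbs", ".js", ".wsf",
                   ".ps1", ".scr", ".pif", ".lnk", ".hta"}


def scan_zip_names(names: List[str]) -> List[Dict[str, str]]:
    """Flag CVE-2023-38831-style layouts in a list of ZIP entry names.

    Public description of the bug: a decoy file whose name ends with a space
    ("Report.pdf ") sits next to a directory of exactly the same name, and that
    directory holds a script named after the decoy ("Report.pdf /Report.pdf .cmd").
    Opening the decoy from WinRAR runs the script instead of the document.
    """
    files = [n for n in names if not n.endswith("/")]

    # Collect every directory implied by the entry paths, because many ZIP
    # writers (Python's zipfile included) never emit explicit "dir/" entries.
    dirs = set()
    for name in names:
        components = name.split("/")[:-1]
        for depth in range(1, len(components) + 1):
            dirs.add("/".join(components[:depth]))

    findings = []
    for decoy in files:
        # Both conditions are required: trailing space and a same-named directory.
        if not decoy.endswith(" ") or decoy not in dirs:
            continue
        stem = decoy.rsplit("/", 1)[-1].rstrip(" ")   # "Report.pdf"
        prefix = decoy + "/"                           # ".../Report.pdf /"
        for inner in files:
            if not inner.startswith(prefix):
                continue
            leaf = inner[len(prefix):]
            ext = os.path.splitext(leaf)[1].lower()
            if leaf.startswith(stem) and ext in EXECUTABLE_EXTS:
                findings.append({
                    "decoy": decoy,
                    "directory": prefix,
                    "script": inner,
                    "rule": "file/dir name collision with trailing space (CVE-2023-38831 pattern)",
                })
    return findings


def scan_zip_bytes(data: bytes) -> List[Dict[str, str]]:
    """Scan an in-memory ZIP. Only the central directory is read; nothing is extracted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return scan_zip_names(zf.namelist())


def build_sample_archive() -> bytes:
    """Constructed sample that mimics the lure layout. Not a real SideCopy file;
    the script body is an inert placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Advisory.pdf ", b"%PDF-1.4\n% decoy document\n")
        zf.writestr("Advisory.pdf /Advisory.pdf .cmd", b"@echo off\r\nrem placeholder\r\n")
        zf.writestr("README.txt", b"benign file for contrast\n")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_zip_bytes(build_sample_archive()):
        print(f"[!] {hit['rule']}: decoy={hit['decoy']!r} script={hit['script']!r}")
```

The check is deliberately strict (trailing space plus a same-named directory plus a same-prefixed executable) so it does not fire on archives that merely contain a file and a folder with similar names. A patched WinRAR (6.23 or later) does not execute the script, but the archive layout itself remains a reliable indicator that the attachment was built to exploit the flaw.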

"[AllaKore RAT] has the functionality to steal system information, keylogging, take screenshots, upload & download files, and take the remote access of the victim machine to send commands and upload stolen data to the C2," Ram Prakki said.

DRat is capable of parsing as many as 13 commands from the C2 server to gather system data, download and execute additional payloads, and perform other file operations.

The targeting of Linux is not coincidental and is likely motivated by India's decision to replace Microsoft Windows with a Linux flavor called Maya OS across government and defense sectors.

"Expanding its arsenal with zero-day vulnerability, SideCopy consistently targets Indian defense organizations with various remote access trojans," Ram Prakki said.

"APT36 is expanding its Linux arsenal constantly, where sharing its Linux stagers with SideCopy is observed to deploy an open-source Python RAT called Ares."

Originally published on the WeChat public account 知机安全: New phishing campaign detected by Seqrite: SideCopy

Published by admin on February 15, 2024, 18:18:14. When reposting, please retain the original link (CN-SEC中文网; thanks to the original author): http://cn-sec.com/archives/2190271.html
