
Seqrite Uncovers Coordinated Pakistani APT Campaigns Targeting Indian Government Entities

Pune, 21st August 2024: Seqrite, the enterprise arm of the global cybersecurity solutions provider Quick Heal Technologies Limited, has uncovered and thoroughly analyzed a series of sophisticated cyber campaigns targeting critical Indian government entities. These advanced persistent threats (APTs), linked to multiple Pakistan-based threat actors, represent a significant escalation in cyber operations against India’s defense and infrastructure sectors.

The research, conducted by the APT team at Seqrite Labs, India’s largest malware analysis facility, revealed a complex web of interconnected APT groups, including Transparent Tribe (APT36), SideCopy, and RusticWeb. These groups have been observed sharing infrastructure, tactics, and malware components, indicating a level of coordination previously unseen among these actors. The campaigns specifically targeted the Indian Air Force, shipyards, and ports, demonstrating a clear focus on India’s strategic assets.

A key finding of the investigation was the discovery of open directories hosting malware linked to both Transparent Tribe and SideCopy. Researchers found a single domain hosting payloads for both SideCopy and APT36, targeting Windows and Linux environments respectively. This overlap, along with shared command and control (C2) infrastructure, strongly suggests a convergence of operations among these previously distinct threat actors.

The sophistication of these campaigns is evident in their use of advanced evasion techniques. SideCopy was observed employing updated HTML Application (HTA) files, similar to those used by the SideWinder APT group, to evade detection. The group also introduced new payloads, including a tool called Cheex for document and image theft, a USB copier for exfiltrating files from attached drives, and deployments of the FileZilla application and SigThief scripts.

Seqrite’s analysis uncovered several novel malware variants. A new .NET-based payload named Geta RAT was identified, incorporating browser-stealing functionality from Async RAT. Another variant, Action RAT, was observed being side-loaded by charmap.exe, a deviation from the system binaries used previously. Transparent Tribe was found utilizing a Golang-based downloader targeting Linux systems, fetching a final payload named DISGOMOJI, which showed infrastructure links to SideCopy.

The APT groups demonstrated sophisticated social engineering tactics, leveraging themes such as salary increments, naval project reports, and government documents as lures. Many of these decoys were based on publicly available documents, showcasing the attackers’ efforts to create convincing pretexts for their phishing campaigns. The convergence of tactics among these APT groups represents a significant evolution in the cyber threat landscape facing India. This level of coordination and sophistication demands a reassessment of cybersecurity strategies at the highest levels of government and critical infrastructure.

Seqrite’s research team conducted an in-depth technical analysis of the malware used in these campaigns. They found that the attackers were testing their stager evasion against anti-virus solutions at locations in Pakistan. Concurrently, victim traffic from India, typically observed from C2 servers in Germany, was being routed through the IPsec protocol from Pakistani IP addresses, as corroborated by Team Cymru.

The reach of these campaigns was extensive, with Transparent Tribe’s Poseidon malware targeting Linux platforms using themes such as ‘Posting/Transfer under Ph-III of Rotational Transfer’, ‘Blacklist IP Address with TLP & Dates’, and ‘LTC checklist’. The group was also observed using Crimson RAT with ‘Uttarakhand Election Result’ and ‘TDS Claim Summary’ baits.

To combat these threats, Seqrite strongly advises organizations to implement comprehensive security measures. These include deploying and maintaining up-to-date antivirus and anti-malware solutions, implementing strong authentication mechanisms, conducting regular security awareness training, and ensuring all systems and software are promptly updated. Furthermore, Seqrite recommends implementing network segmentation and the principle of least privilege to minimize the potential impact of a breach.

Researchers at Seqrite Labs have provided detailed indicators of compromise and MITRE ATT&CK mappings to aid organizations in detecting and defending against these threats. Seqrite continues to monitor these threat actors and will provide updates as new information becomes available.

For comprehensive protection against these and other emerging cyber threats, visit www.seqrite.com to learn about our advanced enterprise cybersecurity solutions.

About Seqrite

Seqrite is a leading enterprise cybersecurity solutions provider. With a focus on simplifying cybersecurity, Seqrite delivers comprehensive solutions and services through our patented, AI/ML-powered tech stack to protect businesses against the latest threats by securing devices, applications, networks, cloud, data, and identity. Seqrite is the Enterprise arm of the global cybersecurity brand, Quick Heal Technologies Limited, the only listed cybersecurity products and solutions company in India.

We are the first and only Indian company to have solidified India’s position on the global map by collaborating with the Govt. of the USA on its NIST NCCoE Data Classification project. We are differentiated by our easy-to-deploy, seamless-to-integrate, comprehensive solutions, which provide the highest level of protection against emerging and sophisticated threats, powered by state-of-the-art threat intelligence and playbooks and backed by world-class service from best-in-class security experts at India’s largest malware analysis lab, Seqrite Labs. We are the only Indian full-stack company aligned with CSMA architecture recommendations, offering award-winning Endpoint Protection, Enterprise Mobility Management, Zero Trust Network Access, and more. The Seqrite Data Privacy Management solution enables organizations to stay fully compliant with the DPDP Act and global regulations.

Today, 30,000+ enterprises in more than 76 countries trust Seqrite with their cybersecurity needs. For more information, please visit: https://www.seqrite.com/

About Quick Heal Technologies Limited

Quick Heal Technologies Ltd. is a global cybersecurity solutions provider. Each Quick Heal product is designed to simplify IT security management across the length and depth of devices and on multiple platforms. They are customized to suit consumers, small businesses, government establishments, and corporate houses. Over a span of nearly three decades, the company’s R&D has focused on computer and network security solutions.

The current portfolio of cloud-based security and advanced machine-learning-enabled solutions stops threats, attacks, and malicious traffic before they strike, which considerably reduces system resource usage. The security solutions are indigenously developed in India. Quick Heal Antivirus Solutions, the Quick Heal Scan Engine, and the entire range of Quick Heal products are proprietary items of Quick Heal Technologies Ltd.