Days after reports of cyberespionage campaigns by Chinese state-sponsored actors targeting the Indian power sector, security researchers uncovered a new cyber operation by suspected Pakistani hackers. Cybersecurity firm Lumen’s Black Lotus Labs recently uncovered a new remote access trojan (RAT), dubbed ReverseRat, targeting public and private energy companies in the South and Central Asia regions. Along with ReverseRat, threat actors also deployed an open-source RAT known as AllaKore to compromise targeted machines and obtain access.
The most affected organizations in the campaign are based in India, followed by a small number of organizations in Afghanistan. Lumen suspects Pakistan state-sponsored actors are likely behind this campaign, which is said to have begun in January 2021.
The ReverseRat campaign uses advanced techniques to evade detection from security scans. These include:
- Leveraging compromised domains to store malicious files
- Selecting high-profile victims after compromising their domains
- Using repurposed open-source code and In-memory component during initial access
- Alteration of registry keys to stealthily access the targeted device
ReverseRat Infection Chain
- First, attackers send specially crafted malicious URLs to the targets.
- Once the victim clicks on the link, it automatically downloads a .zip file containing a Microsoft shortcut file (.lnk) and a benign PDF file.
- The zip file then deploys two HTA files named CactusTorch and preBotHta , which contain malicious JavaScript code.
- Finally, ReverseRat starts its execution.
“While this threat actor’s targets have thus far remained within the South and Central Asian regions, they have proven effective at gaining access to networks of interest. Despite previously relying upon open-source frameworks such as AllaKore, the actor was able to remain effective and expand its capabilities with the development of the Svchostt agent and other components of the ReverseRat project. We assess that as the actor continues to develop these capabilities, utilize compromised domains, and refine these multi-step infection processes, it will pose a real threat to organizations in and beyond these regions. While this actor is not as sophisticated as the most-skilled state-sponsored actors, it should be continually monitored,” Lumen said.
