Pakistan-Linked Hackers Escalate Cyber Attacks on India with New Malware
- John Jordan
- 1 day ago
A recent surge in cyber attacks linked to Pakistani hackers has targeted various sectors in India, utilizing advanced remote access trojans (RATs) such as CurlBack RAT and Spark RAT. This escalation marks a significant shift in tactics, expanding their focus beyond traditional government and defense sectors to include critical infrastructure and public services.

Key Takeaways
Targeted Sectors: Indian railway, oil and gas, and external affairs ministries are among the new targets.
New Malware: Introduction of CurlBack RAT and Spark RAT, capable of cross-platform attacks.
Evolving Tactics: Shift from HTML Application (HTA) files to Microsoft Installer (MSI) packages for malware distribution.
Phishing Techniques: Use of email-based phishing with decoy documents to initiate infections.
Overview of the Cyber Threat
The hacking group, suspected to be a sub-cluster of the Transparent Tribe (also known as APT36), has been active since at least 2019. Their recent activities, detected by cybersecurity firm SEQRITE, indicate a strategic expansion of their targeting capabilities. Previously focused on government and educational institutions, the group is now infiltrating critical sectors that could have broader implications for national security.
New Malware Capabilities
The newly identified CurlBack RAT is particularly concerning due to its extensive capabilities, which include:
System Information Gathering: Collects detailed information about the infected system.
File Management: Can download files from the host and execute arbitrary commands.
Privilege Escalation: Capable of elevating user privileges to gain deeper access.
User Account Listing: Lists all user accounts on the infected machine.
In addition to CurlBack RAT, the Spark RAT has been noted for its ability to operate across both Windows and Linux systems, showcasing the hackers' versatility and adaptability in their attack strategies.
Shift in Attack Vectors
One of the most notable changes in the hackers' approach is the transition from using HTA files to MSI packages as their primary method for staging malware. This shift allows for more sophisticated delivery mechanisms and enhances their ability to evade detection. The group has also employed advanced techniques such as:
DLL Side-Loading: Abusing the DLL search order of a legitimate, usually signed, executable so that it loads a malicious DLL placed alongside it, running the attacker's code under a trusted process name.
Reflective Loading: Mapping and executing a payload directly from memory rather than through the normal Windows loader, so the code never has to be written to disk.
AES Decryption via PowerShell: Payloads are stored encrypted and decrypted by a PowerShell stage at run time, so the on-disk artifact is not readable by static scanners.
Phishing and Decoy Documents
The hackers have been leveraging email-based phishing campaigns to distribute their malware. These emails often contain decoy documents that appear legitimate, such as:
Holiday lists for railway staff.
Cybersecurity guidelines from public sector organizations like Hindustan Petroleum Corporation Limited (HPCL).
This tactic not only helps in bypassing security measures but also increases the likelihood of successful infections by enticing targets to open the malicious attachments.
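To make the staging chain described above concrete from the defender's side, here is an added example (not from the article or from SEQRITE) that runs two simple triage rules over constructed process-creation events: a document or mail client spawning msiexec.exe or mshta.exe, and PowerShell combining AES decryption with reflective assembly loading. The event field names and the sample command lines are assumptions built for this illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Constructed process-creation record (Sysmon Event ID 1 style); field names are assumptions."""
    id: int
    parent: str    # parent image name
    image: str     # child image name
    cmdline: str   # child command line


# Decoy documents arrive by mail and are opened in Office; the article describes the
# staging step moving from HTA files to MSI packages, so both hosts are watched.
DOC_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
STAGERS = {"msiexec.exe", "mshta.exe"}
AES_HINTS = re.compile(r"aesmanaged|cryptography\.aes|createdecryptor", re.I)
REFLECTIVE_HINTS = re.compile(r"\[(?:system\.)?reflection\.assembly\]::load", re.I)


def triage(events):
    """Return (event id, rule name) pairs for events matching the described tradecraft."""
    hits = []
    for ev in events:
        parent, image = ev.parent.lower(), ev.image.lower()
        # Rule 1: a decoy document or mail client handing off to an installer/HTA host.
        if parent in DOC_PARENTS and image in STAGERS:
            hits.append((ev.id, "doc_spawns_stager"))
        # Rule 2: PowerShell decrypting an AES payload, optionally loading it in memory.
        if image in {"powershell.exe", "pwsh.exe"} and AES_HINTS.search(ev.cmdline):
            rule = "ps_aes_reflective_load" if REFLECTIVE_HINTS.search(ev.cmdline) else "ps_aes_decrypt"
            hits.append((ev.id, rule))
    return hits


# Constructed sample telemetry: one decoy-document chain, one ordinary admin install, one benign shell.
SAMPLE_EVENTS = [
    ProcEvent(1, "explorer.exe", "WINWORD.EXE", '"C:\\Program Files\\Microsoft Office\\WINWORD.EXE" holiday_list.docx'),
    ProcEvent(2, "WINWORD.EXE", "msiexec.exe", "msiexec.exe /i C:\\Users\\Public\\update.msi /qn"),
    ProcEvent(3, "msiexec.exe", "powershell.exe",
              "powershell.exe -nop -w hidden -c $a=[System.Security.Cryptography.Aes]::Create();"
              "$d=$a.CreateDecryptor();[System.Reflection.Assembly]::Load($d.TransformFinalBlock($b,0,$b.Length))"),
    ProcEvent(4, "services.exe", "msiexec.exe", "msiexec.exe /i C:\\Windows\\Temp\\vendor_setup.msi /qn"),
    ProcEvent(5, "explorer.exe", "powershell.exe", "powershell.exe Get-ChildItem C:\\Logs"),
]

if __name__ == "__main__":
    for event_id, rule in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Rule 2 matches on the visible command line only, so base64 `-EncodedCommand` arguments and script-block contents need to be decoded or collected from script-block logging before the same patterns apply.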
The recent activities of Pakistan-linked hackers underscore the evolving landscape of cyber threats facing India. With their expanded targeting and sophisticated malware capabilities, these hackers pose a significant risk to critical infrastructure and national security. As the situation develops, it is crucial for organizations to enhance their cybersecurity measures and remain vigilant against such threats.
As cybercriminals continue to adapt their strategies, awareness and education remain crucial in combating these threats.
Sources
Pakistan-Linked Hackers Expand Targets in India with CurlBack RAT and Spark RAT, The Hacker News.