According to a new study, a threat actor suspected of having links with Pakistan is targeting the government and the energy companies in the South and in the Central Asian region, to deploy the remote-access Trojan on the infected Windows operating systems.

“That’s why most of the organizations are showing signs of compromise were in India, and a very small number of them were in Afghanistan, and” Lumen, Black Lotus Labs said on Tuesday In a blogpost.

Some of the victims include a foreign government organization, a power transmission organization, and a power generation organization. The secret operation was said to have been started in at least January 2021. 

The intrusions are notable for several reasons, not least because in addition to its highly-targeted nature, the tactics, techniques, and procedures (TTPs) adopted by the adversary rely on repurposed open-source code and the use of compromised domains in the same country as the targeted entity to host their malicious files.

At the same time, the group has been carefully hidden in their activity by changing the registry keys and gives them the ability to maintain persistence on the device. 

The interpretation of the multi-stage supply chain of infection, Lumen, noted that the campaign that resulted in the victim sending of the two agents, one in memory, while the second one was side-loaded, granting threat actor persistence on the infected workstations.”

The attack begins with a malicious link sent via phishing e-mail messages or emails when clicked, It will download in a ZIP file containing a Microsoft shortcut file (.lnk) and a decoy PDF file from a compromised domain.

With the shortcut of a file, in addition to the description of the document is favorable to something, the receiver also takes care of stealthily fetching and running an HTA (HTML application) file from the same compromised website.

The lure documents largely describe events catering to India, disguising as a user manual for registering and booking an appointment for COVID-19 vaccine through the Cowin online portal, while a few others masquerade as the Bombay Sappers, a regiment of the Corps of Engineers of the Indian Army.

Regardless of the document that is displayed by the victims of the HTA file, which in itself is a JavaScript code, based on a GitHub project called CactusTorch to be used for the implementation of the 32-bit shellcode for a process that is carried out to finally install it .NET back-door is called Reverse Rat, which is a typical spy agent, with the ability to capture screenshots, to complete the implementation of the processes of all of the executable files, perform file operations, and then upload the data to a remote server.

The custom-developed framework also comes with a third component in which a second HTA file is downloaded from the same domain to deploy the open-source AllaKore remote agent, potentially in an alternative attempt to maintain access to the compromised network.

“While this threat actor’s targets have thus far remained within the South and Central Asian regions, they have proven effective at gaining access to networks of interest,” the researchers said. “Despite previously relying upon open-source frameworks such as AllaKore, the actor was able to remain effective and expand its capabilities with the development of the Svchostt agent and other components of the Reverse Rat project.”