A refined hacking group linked toPakistan has been identified as targeting Indian government institutions with an enhanced version of a remote access trojan (RAT) known as DRAT.
The Insikt Group at Recorded Future attributes the activity to a threat actor known as TAG-140, which is believed to be closely associated with SideCopy, a well-known adversarial collective.
According to Recorded Future, “TAG-140 consistently demonstrates iterative advancement and diversification in its malware arsenal and delivery techniques.” The company adds that the latest campaign marks a noteworthy shift in both malware architecture and command-and-control (C2) functionality.
The updated DRAT, now referred to as DRAT V2, represents the most recent addition to SideCopy’s RAT arsenal, which also includes other tools like Action RAT, AllaKore RAT, Ares RAT, CurlBack RAT, ReverseRAT, Spark RAT, and Xeno RAT, designed to infect Windows and Linux systems.
The attack activity showcases the adversary’s evolving tactics, highlighting their ability to adapt and diversify their RAT malware suite to harvest sensitive data, complicate attribution, and evade detection and monitoring efforts.
Attacks orchestrated by the threat actor have expanded their targeting scope beyond government, defense, maritime, and academic sectors to include organizations affiliated with the country’s railway, oil and gas, and external affairs ministries. The group is known to have been active since at least 2019.
Recorded Future documents an infection sequence that leverages a ClickFix-style approach. This method spoofs the Indian Ministry of Defence’s official press release portal to drop a .NET-based version of DRAT to a new Delphi-compiled variant.
The fake website contains one active link that, when clicked, initiates an infection sequence. This sequence surreptitiously copies a malicious command to the machine’s clipboard, urging the victim to paste and execute it by launching a command shell.
This action leads to the retrieval of an HTML Application (HTA) file from an external server (“trade4wealth[.]in”), which is then executed by means of mshta.exe to launch a loader called BroaderAspect. The loader is responsible for downloading and launching a decoy PDF, setting up persistence through Windows Registry changes, and downloading and running DRAT V2 from the same server.
DRAT V2 introduces a new command for arbitrary shell command execution, enhancing its post-exploitation flexibility. It also obfuscates its C2 IP addresses using Base64-encoding and updates its custom server-initiated TCP protocol to support commands input in both ASCII and Unicode. However, the server only responds in ASCII, whereas the original DRAT requires Unicode for both input and output.
Recorded Future notes that “DRAT V2 reduces string obfuscation by keeping most command headers in plaintext, likely prioritizing parsing reliability over stealth.” DRAT V2 lacks advanced anti-analysis techniques and relies on basic infection and persistence methods, making it detectable via static and behavioral analysis.
Other known capabilities of DRAT V2 allow it to perform a wide range of actions on compromised hosts, including conducting reconnaissance, uploading additional payloads, and exfiltrating data.
“These functions provide TAG-140 with persistent, flexible control over the infected system and enable both automated and interactive post-exploitation activity without requiring auxiliary malware tools,” the company said.
“DRAT V2 appears to be another modular addition rather than a definitive evolution, suggesting that TAG-140 will continue to rotate RATs across campaigns to obscure signatures and maintain operational flexibility.”
APT36 Campaigns Deliver Ares RAT and DISGOMOJI
State
Source Link
