Heimdal
article featured image

Contents:

A ReverseRat backdoor attack has been recently reported. A supposedly Pakistan-linked hacker targeted government institutions and power companies from South and Central Asia. India was the most affected country, followed by Afghanistan. The threat actor basically used the compromised Windows systems of the companies to perform remote access trojan cyberattacks.

What Causes a ReverseRat Backdoor Attack?

RAT or Remote Access Trojan can be described as a type of backdoor, a malware program that can gain access to victims’ credentials. Threat actors make use of these accesses to exfiltrate confidential data and send them to their malicious servers. The system can be fully remotely controlled by cybercriminals, allowing them to infect it with malware that can reach other users too and compromise systems.

How Was It Deployed?

Lumen’s Black Lotus Labs wrote a report on Tuesday on the latest Asian cyberattack analysis revealing that a RAT called ReverseRat affected South and Central Asian enterprises, where Indian government and energy organizations were mostly targeted, followed by Afghanistan ones. They explained in a few steps how this malware was deployed and the phases it went through. The ReverseRat backdoor attack is attributed to a hacker apparently from Pakistan.

Phase 1

Victims received targeted URLs that led them to malware-infected websites. A .zip file that contained a PDF file and a Microsoft shortcut file (.Ink) was comprised into a .zip archive that downloaded when accessing the link. The PDF worked as a distraction, while the shortcut executed and retrieved an HTA file from the same compromised websites. The link could have been sent via phishing e-mails to users.

Phase 2

A preBotHta.pdb .Net program was launched by injecting a 32-bit shellcode into a running process. This happened with the help of the HTA file which basically contained a JavaScript code from the CactusTorch project. What is interesting here is that it operated in 2 ways: the ReverseRat could be inserted in the memory directly or, if it detected an antivirus when entering the system, it would hide in a different place like MyMusic to remain undetected.

Phase 3

In the last phase of the process, the hackers made use of a second HTA file that could modify a registry key through an encoded command. Access to the network was thus maintained by displaying the AllaKore remote Agent.

What Companies Were Targeted?

The cybercriminal targeted power transmission enterprises, government institutions, and power generation and transmission companies, mostly from India.

What Data Can Be Accessed by a Hacker Through Such an Attack?

The hacker performed such type of cyber attack to obtain confidential information and store them on his servers or install malware on the companies’ systems. He got:

  • The IP address of the computer
  • The Computer name
  • The MAC address
  • Processor information: manufacturer, name, data width, or max clock speed.
  • Physical memory

Through the above-mentioned obtained data, the threat actor could send the information to a remote server, end processes, do screenshots, and execute file operations, as TheHackerNews explains.

How can be users so easily fooled? Well, they do not know that they will access a malware-infected website because they get PDF documents that refer to COVID-19 vaccines or energy sector-related papers, so something from their interest area. Also, the hacker used compromised domains from the same targeted country, a tactic that helped him to remain anonymous.

Black Lotus Labs announced that they took the necessary measures against the ReverseRat backdoor attack which started in January 2021:

In order to combat this particular campaign, Black Lotus Labs null-routed the actor infrastructure across the Lumen global IP network and notified the affected organizations.

Source

 

Author Profile

Andra Andrioaie

Security Enthusiast

linkedin icon

Hi! My name is Andra and I am a passionate writer interested in a variety of topics. I am curious about the cybersecurity world and what I want to achieve through what I write is to keep you curious too!

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE