WinRAR exploit: SideCopy hacker group worries experts

Thanks to the work of SEQRITE, a company operating in the corporate security sector, a new operation by the hacker group known as SideCopy has been identified. The campaign appears to exploit a WinRAR vulnerability, which has experts quite concerned.

The collective, believed to be linked to Pakistan, appears to exploit this security flaw to distribute several Trojans (such as AllaKore RAT, Ares RAT and DRat), mainly targeting Indian government entities.

SideCopy, active since at least 2019, is known for its attacks against the governments of India and Afghanistan. It is suspected of being a subgroup of Transparent Tribe (also known as APT36).

According to SEQRITE researcher Sathwik Ram Prakki, “Both SideCopy and APT36 share infrastructure and code to aggressively target India”.

Since last May, SideCopy has carried out a series of phishing attacks against India, using ZIP archives to spread Action RAT and other malicious agents.

SideCopy and the WinRAR vulnerability: just the latest attack designed by the hacker group

The newly discovered campaign exploits CVE-2023-38831, a security flaw in the popular WinRAR archiving software that was fixed in WinRAR 6.23. The bug lies in how WinRAR opens a file from a crafted ZIP archive: a benign-looking decoy (an image or document) sits next to a folder with the same name, and that folder holds a script. When the user opens the decoy from the archive window, WinRAR runs the script instead.

This allows the execution of malicious code, leading to the download of AllaKore RAT and the aforementioned Ares RAT, as well as two new Trojans called DRat and Key RAT.
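The layout described above can be spotted before an archive is ever opened, because the ZIP central directory records the entry names verbatim, trailing spaces included. The following Python script is an added example written for this article (not SEQRITE's or WinRAR's code): it flags a top-level decoy file that sits next to a folder named like the decoy plus trailing whitespace, where that folder contains an entry named like the decoy plus whitespace plus an executable extension. The sample archives it inspects are constructed in memory and carry no real payload; the file names and the extension list are assumptions chosen for illustration.

```python
import io
import zipfile
from typing import List, Tuple

# Extensions Windows will execute when WinRAR hands the temp-extracted file to
# ShellExecute. Assumed list for the example; extend as your environment needs.
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".com", ".lnk"}


def find_cve_2023_38831_pairs(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (decoy, script_entry) pairs matching the CVE-2023-38831 layout.

    The malicious layout is a top-level decoy file "X" (sometimes "X " with a
    trailing space) next to a folder named "X " (trailing space) that holds a
    file "X .cmd" (or another executable extension). WinRAR 6.22 and earlier,
    when the user opens the decoy from the archive window, extracts everything
    sharing that prefix into a temp folder and ends up running the script.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()

    # Candidate decoys: top-level files, compared with trailing whitespace removed.
    top_level = {n.rstrip() for n in names if "/" not in n}

    hits: List[Tuple[str, str]] = []
    for entry in names:
        folder, sep, leaf = entry.partition("/")
        if not sep or not leaf or "/" in leaf:
            continue  # only files directly inside a top-level folder are of interest
        decoy = folder.rstrip()
        if decoy == folder or decoy not in top_level:
            continue  # folder name must be decoy name + trailing whitespace
        stem, dot, ext = leaf.rpartition(".")
        if dot and ("." + ext).lower() in EXECUTABLE_EXTS and stem.rstrip() == decoy:
            hits.append((decoy, entry))
    return hits


def build_suspicious_zip() -> bytes:
    """Constructed sample reproducing the CVE-2023-38831 layout (no real payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf ", b"%PDF-1.4 decoy, constructed for the example")
        zf.writestr("report.pdf /report.pdf .cmd", b"@echo off\r\necho constructed sample\r\n")
    return buf.getvalue()


def build_clean_zip() -> bytes:
    """Constructed benign archive: a document and a folder with an unrelated name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 benign, constructed for the example")
        zf.writestr("scripts/build.cmd", b"@echo off\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("suspicious", build_suspicious_zip()), ("clean", build_clean_zip())):
        print(label, find_cve_2023_38831_pairs(data))
```

The check is deliberately name-based: it does not need to inflate any entry, so it is safe to run on a mail gateway or in a sandbox triage step, and it catches both variants of the layout (decoy with or without its own trailing space). A hit is a strong signal that the archive was built for this bug, since legitimate tools never produce a folder whose name differs from a sibling file only by trailing whitespace.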

DRat can parse up to 13 commands from the C2 server to collect system data, download and execute additional payloads, and perform other file operations. Notably, the group's toolset has also been extended to Linux platforms.

This should not be surprising, given that the Indian government has decided to equip its computers with a Linux distribution designed specifically for this purpose, called Maya OS.

As Prakki confirms “Expanding its arsenal with zero-day vulnerability, SideCopy consistently targets Indian defense organizations with various remote access Trojans“.

Although these attacks involve two countries far from the West, the modus operandi can easily be replicated elsewhere. The advice, therefore, is to update WinRAR to version 6.23 or later, which fixes CVE-2023-38831, and to keep your operating systems protected with up-to-date antivirus software.
