2FA won't save you from this: cybercriminals attack Indian officials

Researchers at Securonix have named this phishing campaign STEPPY#KAVACH and attributed it to the SideCopy hacker group, since such tactics and methods had been used only by these cybercriminals in previous attacks.

SideCopy is believed to be a Pakistani hacker group active since 2019. It is known to sometimes try to pass off its attacks as the work of SideWinder.

The latest scenario described by Securonix involves phishing emails designed to get the potential victim to open an LNK file, which runs an HTA payload using the mshta.exe utility. According to the experts, the HTML application was hosted on a hacked site, placed in the Gallery directory that is intended for storing the site's images.

The hacked site is Incometaxdelhi[.]Org, the official website of the Income Tax Department, Delhi.

At the next stage, launching the HTA file executes obfuscated JavaScript code that displays a decoy image containing an announcement from the Indian Ministry of Defence issued a year earlier, in December 2021. The JS code then downloads an executable from a remote server, establishes persistence through changes in the Windows registry and reboots the computer so that the binary runs automatically at startup.
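The two stages above (an LNK launching mshta.exe to fetch an HTA, then persistence through a Run key pointing at a dropped binary) leave a recognisable trail in process-creation and registry telemetry. The following detection logic is an added example written for this article, not code from Securonix or from the report on the campaign; it runs over a handful of constructed Sysmon-style events (the hostname, paths, URL and key names are invented placeholders) and flags the behaviours described in the text.

```python
"""Flag mshta.exe abuse and Run-key persistence in constructed process/registry events."""
import re

# Constructed Sysmon-style events for illustration; not taken from the article or the report.
SAMPLE_EVENTS = [
    {   # stage 1: shortcut double-clicked in Explorer, mshta.exe pulls a remote HTA
        "kind": "process",
        "image": r"C:\Windows\System32\mshta.exe",
        "parent": r"C:\Windows\explorer.exe",
        "cmdline": r'"C:\Windows\System32\mshta.exe" https://example.invalid/Gallery/notice.hta',
    },
    {   # stage 2: the HTA's script writes a Run key pointing at a dropped binary
        "kind": "registry",
        "image": r"C:\Windows\System32\mshta.exe",
        "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
        "details": r"C:\Users\victim\AppData\Roaming\svchost.exe",
    },
    {   # benign: a user opening Notepad
        "kind": "process",
        "image": r"C:\Windows\System32\notepad.exe",
        "parent": r"C:\Windows\explorer.exe",
        "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\victim\notes.txt',
    },
    {   # benign: an installer registering its tray app from Program Files
        "kind": "registry",
        "image": r"C:\Program Files\Vendor\setup.exe",
        "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
        "details": r"C:\Program Files\Vendor\tray.exe",
    },
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
# Directories a standard user can write to; a Run value pointing here is suspicious.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)


def check_event(ev: dict) -> list[str]:
    """Return a list of human-readable findings for one event (empty if nothing suspicious)."""
    findings = []
    image = ev.get("image", "").lower()

    if ev["kind"] == "process" and image.endswith("\\mshta.exe"):
        cmd = ev.get("cmdline", "")
        if REMOTE_URL.search(cmd):
            findings.append("mshta.exe fetching an HTA from a remote URL")
        elif ".hta" in cmd.lower():
            findings.append("mshta.exe executing a local HTA file")
        if ev.get("parent", "").lower().endswith("\\explorer.exe"):
            findings.append("mshta.exe launched from Explorer (shortcut or double-click)")

    if ev["kind"] == "registry" and RUN_KEY.search(ev.get("target", "")):
        if USER_WRITABLE.search(ev.get("details", "")):
            findings.append("Run-key persistence pointing into a user-writable directory")
        if image.endswith("\\mshta.exe"):
            findings.append("Run key written by mshta.exe")

    return findings


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> findings, keeping only events that produced at least one finding."""
    return {i: f for i, ev in enumerate(events) if (f := check_event(ev))}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}:")
        for h in hits:
            print(f"  - {h}")
```

Each rule on its own is noisy (mshta.exe and Run keys both have legitimate uses), so in practice the two stages would be correlated on the same host within a short window before raising an alert; the benign Notepad and Program Files entries in the sample produce no findings.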

This file operates as a backdoor and lets the attacker execute commands from an attacker-controlled domain, download and run additional payloads, take screenshots and steal files.

In addition, the backdoor lets the attacker search the system for database files (kavach.db) created by the Kavach application, which stores credentials.
