Action RAT

Malware Profile Updated 13 days ago
Action RAT is a Remote Access Trojan (RAT) used by cyber threat actors to compromise and damage computer systems. Written in Delphi and compiled on October 2, 2021, it belongs to an arsenal that also includes AllaKore RAT, Reverse RAT, and Margulas RAT. It reaches victims through deceptive means such as suspicious downloads, emails, or websites, usually without the user's knowledge. Once on a system, Action RAT can steal personal information, disrupt operations, or hold data for ransom.

The malware relies on fileless payload execution via .hta files to deploy one of the associated RATs, such as AllaKore RAT or Action RAT. Throughout the year, new attack campaigns involving Action RAT were observed almost monthly, with evolving tactics, techniques, and procedures (TTPs): additional stages using Double Action RAT, a new .NET-based RAT, and instances of PowerShell remote execution. Infection typically begins with the execution of a .LNK file, which retrieves an HTML application from a remote server. That application displays a decoy while stealthily deploying the Action RAT backdoor. The malware then chains multiple HTML applications together, ultimately dropping an Action RAT variant whose files mimic essential Windows components.

Action RAT has been linked to SideCopy, an advanced persistent threat (APT) group known for targeting India and Afghanistan. The group has used Action RAT in numerous attacks against India, relying on spear-phishing for initial entry and presenting research material as a decoy to plant the info-stealing malware. Detailed analysis of these campaigns and the payloads involved can be found in previous whitepapers and blog posts provided by our team.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Rat
Phishing
Decoy
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
SideCopy | Unspecified | 2
SideCopy is a Pakistani threat actor that has been operational since at least 2019, primarily targeting South Asian countries, specifically India and Afghanistan. The Advanced Persistent Threat (APT) group uses lures such as archive files embedded with Lnk, Microsoft Publisher or Trojanized Applicat
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Action RAT malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
BankInfoSecurity | a year ago | SideCopy APT Targets India's Premier Defense Research Agency
MITRE | a year ago | SideCopy APT: Connecting lures to victims, payloads to infrastructure
Flashpoint | a year ago | No title
CERT-EU | a year ago | Pakistan-Origin SideCopy Linked to New Cyberattack on India's Ministry of Defence
CERT-EU | 6 months ago | SideCopy's Multi-platform Onslaught: Leveraging WinRAR Zero-Day and Linux Variant of Ares RAT
BankInfoSecurity | a year ago | APT36 Running Espionage Ops Against India's Education Sector
CERT-EU | a year ago | Security Incident Weekly Report 2023-05-08, Week 19 - 360CERT
CERT-EU | a year ago | SideCopy Disguises Itself as a Presentation on the K-4 Missile - Indian Defense Under Threat