Lumen Black Lotus Labs issues important report on suspected Pakistani threat actor targeting victims in South and Central Asia
Actor's capabilities appear to be growing with execution of new, custom-developed framework
Black Lotus Labs, the threat intelligence arm of Lumen Technologies, released a detailed report about a suspected Pakistani threat actor that executed a custom-developed framework to compromise multiple targets in South Asia, including a power company in India.
In the report, Black Lotus Labs details how it detected a new remote access trojan (RAT) it is calling ReverseRat – which was deployed in parallel with an open-source RAT called Allakore – to infect machines and achieve persistence. Based on the team's global telemetry and analysis, it determined that the actor is targeting government and energy organizations in the South and Central Asia regions, and that it has operational infrastructure hosted in Pakistan.
Threat Assessment
- The ReverseRat infection chain is noteworthy because of the steps it takes to avoid detection and the critical nature of the targeted entities.
- While this threat actor's targets have thus far remained within the South and Central Asian regions, they have proven effective at gaining access to networks of interest.
- Black Lotus Labs assesses that as this actor continues to develop its capabilities and refine its multi-step infection processes, it could pose a real threat to organizations in and beyond these regions.
Black Lotus Labs Response
- To combat this campaign, Black Lotus Labs null-routed the actor's infrastructure across the Lumen global IP network and notified the affected organizations.
- Black Lotus Labs continues to follow this threat group to detect and disrupt similar compromises, and it encourages other organizations to monitor for and address this and similar campaigns in their environments.
- Black Lotus Labs is committed to tracking adversary groups such as this and documenting their tradecraft to proactively help defenders.
Recommendations
Given the nature of the critical sectors the actor is targeting and the low rate of detection, Black Lotus Labs advises security practitioners to learn the actor's current tactics, tools and procedures (TTPs) to better defend their organizations against potential attacks.
Source: Lumen Technologies media announcement