Several threat actor groups have targeted public and private organizations in India lately, affecting critical infrastructures in the country. Recently, security experts from Malwarebytes revealed that a Pakistani APT group SideCopy has been targeting ministries in India and Afghanistan to pilfer Google, Twitter, and Facebook credentials and obtain access to confidential government networks, banking details, and password-protected documents.
SideCopy APT in Brief
Active since 2019, the SideCopy APT group has been targeting South Asian countries, particularly India and Afghanistan. Researchers stated the group is leveraging new initial infection vectors such as Microsoft Publisher documents and Trojanized applications to trick the users via spear-phishing campaigns. It was also observed that attackers used a new data stealer tracked as AuTo stealer.
AuTo stealer is written in C++ language and is used by attackers to deploy and load an executable (credbiz.exe) that side loads the stealer. The researchers found two variants of AuTo stealer – the HTTP version and the TCP version.
Also Read: CDSL Data Breach Exposes Sensitive Details of 44 Mn Indian Investors
Specific Targets
The lures used by SideCopy APT are usually archived files embedded with files like – Lnk, Microsoft Publisher, or Trojanized Applications, which are specially crafted and designed to target government or military officials.
So far, the SideCopy APT targeted:
- Administration Office of the President (AOP) of Afghanistan personnel: The attackers have performed spear phishing attacks on members of AOP and were able to gain access to ten of them and steal their credentials from different government services such as mis.aop.gov.af, internal service, bank services (Maiwand Bank) and personal accounts such as Google, Twitter, and Facebook.
- Ministry of Foreign affairs, Afghanistan: The actors infected one of the members of the Ministry of External affairs, but it seems they were not able to collect any data from this victim.
- Ministry of Finance, Afghanistan: The actor infected two members of MOF, but mostly they were able to collect personal accounts such as Google and Facebook and Bank accounts (worldbankgroup.csod.com). They also exfiltrated documents that are password protected.
- Afghanistan’s National Procurement Authority (NPA): The actor infected one person in NPA and was able to steal personal credentials, including Twitter, Facebook, Instagram, Pinterest, Google, and the mis.aop.gov.af account.
- A shared computer, India: The attackers obtained access to a shared machine and collected a lot of credentials from government and education services. It seems this machine has been infected using one of the generic lures.
“The SideCopy APT was able to steal several Office documents and databases associated with the Government of Afghanistan. As an example, the threat actor exfiltrated Diplomatic Visa and Diplomatic ID cards from the Ministry of Foreign Affairs of Afghanistan database and the Asset Registration and Verification Authority database belonging to the General Director of Administrative Affairs Government of Afghanistan. They also were able to exfiltrate the ID cards of several Afghani government officials,” the researchers said.
Operation SideCopy
In September 2020, cybersecurity solutions provider Quick Heal revealed evidence related to SideCopy’s cyberespionage campaign. Tracked as “Operation SideCopy,” the campaign targeted Indian Army personnel in 2019 to pilfer sensitive information. Researchers observed three infection chain processes in which attackers exploited equation editor vulnerability (CVE-2017-11882) as the initial infection vector. Read More Here…