· The Advanced Persistent Threat (APT) with potential links to Pakistan has been active since early 2019
· The threat actors have been misleading the security community by copying TTPs that point at the Sidewinder APT group
· Seqrite is the first vendor to expose the real identity of the threat actors behind ‘Operation SideCopy’
· Common infection vectors used in the attacks include LNK files, template injection, and the equation editor vulnerability
Seqrite, the cybersecurity products and solutions brand of Quick Heal Technologies, has uncovered a new Advanced Persistent Threat (APT) targeting India’s Defence Forces. Dubbed ‘Operation Sidecopy’, the campaign was found to be misleading the security community by copying Tactics, Techniques, and Procedures (TTPs) that point at the Sidewinder APT group. However, researchers at Seqrite have discovered strong evidence that ‘Operation Sidecopy’ has potential links with the Pakistan-backed Transparent Tribe group. This breakthrough discovery makes Seqrite the first cybersecurity brand to expose the real identity of these threat actors.
Following the discovery, Seqrite alerted the Government authorities so that precautionary measures could be taken. Researchers at Seqrite suspect that China could be leveraging Pakistan-based APT groups to gather intelligence from India that can benefit it in the ongoing India-China conflicts. They further warned that these attacks can put intelligence agencies at risk of losing sensitive information that could be leveraged by both neighbouring countries. This may happen directly, via data exfiltration, or indirectly, by compromising an individual and compelling them to share confidential data.
Active since early 2019, ‘Operation Sidecopy’ has been using infection vectors such as LNK files, template injection, and the equation editor vulnerability to target Indian defence forces. For Command & Control, it has been using Contabo GmbH, the hosting provider most commonly favoured by Transparent Tribe. According to Seqrite researchers, the malicious actors have been continuously developing malware modules and deploying updated versions after analysing the victim’s data and environment. Interestingly, the attackers were even keeping track of which of their malware a system’s AV detected and immediately updating it, so that no trace is left for further investigation.
Uncovering the attack
A couple of months ago, Seqrite’s next-generation behavioural detection technology alerted on a few processes running executable HTML files from non-reputed websites. In addition, the researchers noticed that the offending processes had interesting names such as “Defence Production Policy 2020.docx.lnk”. Taken together, these factors served as the trigger for a deeper investigation. Upon probing further, Seqrite researchers found that these attacks were targeted at Indian defence units and individuals in the armed forces.
The attack started with the victim receiving LNK files inside compressed ZIP/RAR archives via phishing emails. Since these files carried realistic names and icons, as if they came directly from the Government of India, the victims were likely to consider them authentic and be tricked into opening them.
Once opened, the malware runs in the system’s memory and gradually downloads and installs other components, eventually stealing user data and uploading it to attacker-controlled servers. The attack made use of the DLL sideloading technique (also known as the Black-White technique): a Microsoft-signed, legitimate system binary (credwiz.exe) was used to run the malware via sideloading. After infiltrating the victim’s machine, the malware immediately restarts the device to clear initial infection traces.
The Seqrite threat intelligence team continually works towards the detection and prevention of attacks executed by multiple APT actors. It urges individuals and organisations to adhere to necessary cybersecurity protocols and use robust security solutions, in addition to staying aware of the latest threats.
India, September 24, 2020