Overview
A new attack campaign of SideCopy APT has been discovered targeting the Indian Defence sector. The group utilizes phishing email attachments & URLs as the infection vector to download malicious archive files leading to the deployment of two different Action RAT payloads and a new .NET-based RAT. There are three infection chains with themes utilized: DRDO’s “Invitation Performa,” which is part of its Defence Procurement Procedure (DPP), a honeytrap lure, and also the Indian Military with “Selection of Officers for Foreign Assignments” theme.
The ongoing campaign came to light after a senior DRDO scientist was arrested for leaking sensitive information to Pakistani agents who honey trapped him. “Honey Trap” has increased significantly on social media platforms like Facebook, Twitter, WhatsApp, etc., with millions of illegitimate accounts used as bots or baits.
Similarly, in March 2023, the same infection chain was utilized targeting DRDO, with the decoy theme being “HVAC Air Conditioning Design Basis Report” for its K4 Missile Clean Room. Another theme used in the same month was “Advisory on Grant of Risk & Hardship Allowance JCOs & ORs.” Even in April, they targeted Defence Ministry with the theme “Saudi Arabia Delegation with Indian Armed Forces Medical Officials.”
SideCopy has been known for persistently targeting Indian Defence (Military and Armed Forces) since its discovery in 2019.
Key Findings
- Three infection chains lead to the same payloads hosted on the domain elfinindia[.]com.
- The infection chain is shown below, where an archive file contains a malicious shortcut (LNK) file masqueraded as DOCX, PNG, and PDF, respectively. The LNK files trigger MSHTA to execute remote HTA files on this domain.
Fig. 1 – Infection Process
- The deployment of two variants of Action RAT and a new .NET-based RAT that supports 18 C2 commands has been observed.
- Action RAT downloads and executes a larger variant that exfiltrates all documents and images inside the Desktop, Documents, and Download directories. The legitimate ‘credwiz.exe’ file is utilized to sideload both the RATs.
- C2 infra has a known hostname commonly found, and all the TTPs directly point to SideCopy’s known infection throughout the years.
Summary
This year, SideCopy has been actively targeting India, especially the defence sector. The same attack chain targets victims in spear-phishing campaigns and honeytrap lures. As Pakistani agents have increasingly used honey traps to lure defence personnel, one can only anticipate the magnitude of damage it can cause. Hence, it is imperative to take the necessary steps to end it. Pakistan and many other threat actors around the globe are using honeytraps, with recent cases found stealing intelligence in this form of cyber espionage. An in-depth analysis of the latest infection chain and a comparison with previous variants can be found in our whitepaper.
IOC
Archive | |
05eb7152bc79936bea431a4d8c97fb7b | Personal.zip |
4c926c0081f7d2bf6fc718e1969b05be | Performa’s feedback.zip |
db49c75c40951617c4025678eb0abe90 | Asigma dated 22 May 23.zip |
LNK | |
1afc64e248b3e6e675fa31d516f0ee63 | pessonal pic.png.lnk |
49f3f2e28b9e284b4898fafa452322c0 | Performa’s feedback.docx.lnk |
becbf20da475d21e2eba3b1fe48148eb | Asigma dated 22 May 23 .pdf.lnk |
HTA | |
FCD0CD0E8F9E837CE40846457815CFC9 | xml.hta |
BEC31F7EDC2032CF1B25EB19AAE23032 | d.hta (Chain-1) |
C808F7C2C8B88C92ABF095F10AFAE803 | d.hta (Chain-2) |
4559EF3F2D05AA31F017C02ABBE46FCB | d.hta (Chain-3) |
F20267EC56D865008BA073DB494DB05E | Auto_tcp.hta |
4F8D22C965DFB1A6A19B8DB202A24717 | Auto_tcp.hta |
DLL | |
86D4046E17D7191F7198D506F06B7854 | preBotHta.dll (Stage-1) |
28B35C143CF63CA2939FB62229D31D71 | preBotHta.dll (Stage-2) (New RAT) |
582C0913E00C0D95B5541F4F79F6EDD5 | preBotHta.dll (Stage-3) |
8f670928bc503b6db60fb8f12e22916e | DUser.dll (Action RAT) |
13D4E8754FEF340CF3CF4F5A68AC9CDD | DUser.dll (Action RAT) |
5D5B1AFF4CBE03602DF102DF8262F565 | DUser.dll (Action RAT) |
BAT | |
D95A685F12B39484D64C58EB9867E751 | test.bat |
BDA677D18E98D141BAB6C7BABD5ABD2B | test.bat |
Others | |
5580052F2109E9A56A77A83587D7D6E2 | d.txt |
E5D3F3D0F26A9596DA76D7F2463E611B | h.txt |
Domain | |
elfinindia[.]com | Hosted Malicious files |
IP | |
144.126.143[.]138:8080
144.126.143[.]138:9813 66.219.22[.]252:9467 209.126.7[.]8:9467 |
C2 |
URL | |
hxxps://elfinindia[.]com/wp-includes/files/ | |
hxxps://elfinindia[.]com/wp-includes/files/pictures/personal/Personal.zip | |
hxxps://elfinindia[.]com/wp-includes/files/pictures/man/d.hta | |
hxxps://elfinindia[.]com/wp-includes/files/man/d.hta | |
hxxps://elfinindia[.]com/wp-includes/files/fa/d.hta | |
hxxps://elfinindia[.]com/wp-includes/files/oth/hl/h.txt | |
hxxps://elfinindia[.]com/wp-includes/files/oth/dl/d.txt | |
hxxps://elfinindia[.]com/wp-includes/files/oth/av/ | |
PDB | |
E:PackersCyberLinkLatest SourceMultithread Protocol Architectureside projectsFirst StageHTTP Arsenal MainClinetappReleaseapp.pdb | |
EXE (Legitimate) | |
9B726550E4C82BBEB045150E75FEE720 | cdrzip.exe / cridviz.exe |
Decoy Files | |
C5C2D8EB9F359E33C4F487F0D938C90C | Invitation Performa vis a vis feedback.docx |
2461F858671CBFFDF9088FA7E955F400 | myPic.jpeg |
D77C15419409B315AC4E1CFAF9A02C87 | 2696 – 22 May 23.pdf |
The post Double Action, Triple Infection, and a New RAT: SideCopy’s Persistent Targeting of Indian Defence appeared first on Blogs on Information Technology, Network & Cybersecurity | Seqrite.