FortiGuard Labs discovered a file built to deploy malware whose characteristics match the SideCopy APT group. This group has targeted South Asian countries, including Indian and Afghan government personnel, since at least 2019. The file referenced an Indian state military research organization and a nuclear-capable missile still in development. The group's targeting aligns with the goals and objectives of the Pakistani government.
Diving into details
The initial infection vector is suspected to be a phishing email carrying a ZIP archive named "DRDO-K4-Missile-Clean-room[.]zip". The archive contains three files, two of which are placed in a subdirectory of the extraction location.
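A practical first step with an attachment like this is to enumerate the archive without extracting it: record each member's path, whether it lands in a subdirectory, its size and hash for reputation lookups, and whether it carries a suffix that can execute. The script below is an added example, not code from the Fortinet report or from SideCopy's tooling. The member names, contents and the list of risky suffixes are constructed for illustration; only the layout (three files, two of them nested one level down) follows the text.

```python
import hashlib
import io
import posixpath
import zipfile

# Suffixes that commonly carry executable content in phishing archives.
# Editorial assumption for the example; the report does not enumerate these.
RISKY_SUFFIXES = {
    ".exe", ".dll", ".scr", ".lnk", ".hta", ".js", ".jse", ".vbs",
    ".vbe", ".wsf", ".cmd", ".bat", ".ps1", ".msi",
}


def triage_zip(data: bytes) -> list[dict]:
    """Describe every file member of a ZIP held in memory, extracting nothing to disk.

    Each finding records the normalised path, whether it sits in a
    subdirectory, the uncompressed size, a SHA-256 of the contents, whether
    the suffix is in RISKY_SUFFIXES, and whether the path would escape the
    extraction root. Directory placeholder entries are skipped.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # ZIP paths use '/', but archives built on Windows sometimes carry
            # backslashes; normalise before inspecting the path.
            path = posixpath.normpath(info.filename.replace("\\", "/"))
            # A member that resolves above the root or to an absolute path is
            # hostile regardless of its contents (classic zip-slip).
            traversal = path.startswith("../") or posixpath.isabs(path)
            suffix = posixpath.splitext(path)[1].lower()
            findings.append({
                "path": path,
                "nested": "/" in path,
                "size": info.file_size,
                "sha256": hashlib.sha256(zf.read(info)).hexdigest(),
                "risky_suffix": suffix in RISKY_SUFFIXES,
                "traversal": traversal,
            })
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample mirroring the layout in the text: three files, two nested.

    Names and contents are made up for the example and are not the real lure.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("decoy.pdf.lnk", b"constructed shortcut placeholder")
        zf.writestr("resources/decoy.txt", b"constructed decoy text")
        zf.writestr("resources/support.dll", b"constructed library placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_archive()):
        flags = [k for k in ("nested", "risky_suffix", "traversal") if f[k]]
        print(f"{f['path']:<24} {f['size']:>5} B  {f['sha256'][:16]}...  "
              f"{','.join(flags) or '-'}")
```

The double-extension shortcut and the nested DLL are flagged by suffix, the nested text file only by location; the hashes are what you would submit to a reputation service before deciding whether to detonate anything in a sandbox.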
SideCopy's use of DRDO-related decoys for malware distribution was flagged by cybersecurity firms in March and April. The attack chains have been observed to load and execute both Action RAT and AllaKore RAT.
C2 servers linked to Action RAT have been connected to 18 potential victims in India, while C2 servers linked to AllaKore RAT have been connected to 236 unique potential victims, also located in India.
Fortinet's latest report shows a similar infection sequence leading to the deployment of an unspecified RAT that communicates with a remote server and launches additional payloads. This confirms that SideCopy still relies on spear-phishing emails, with social engineering lures themed on the Indian government and defense forces, to distribute a variety of malware.
Tools used in the latest campaign
Instead of using CACTUSTORCH to deploy payloads wrapped in obfuscated JavaScript and VBScript, SideCopy's latest campaign appears to have used SILENTTRINITY, a more recent and comprehensive tool that functions as a full-featured post-exploitation framework comparable to Empire or Cobalt Strike.
Unlike CACTUSTORCH, it allows Microsoft .NET code to be executed directly, without PowerShell as an intermediate step. While the payload was generated with the tool, it is unclear whether the backend that served the file, or its subsequent stages, relied on it.
Attribution
The recent discoveries add to the evidence of SideCopy's association with Pakistan and underline its effective targeting of Indian users. The Action RAT infrastructure linked to SideCopy is managed by individuals accessing the internet from Pakistan. Victim activity was observed several months before the campaign was publicly disclosed.