Since early 2019, Operation SideCopy has remained active, exclusively targeting Indian defense forces and armed forces personnel. The malware modules associated with this Threat Actor are continually evolving, with updated versions released following reconnaissance of victim data. Threat Actors behind Operation SideCopy closely monitor malware detections and promptly update modules upon detection by antivirus software. Notably, nearly all command and control (C&C) infrastructure is attributed to Contabo GmbH, and network infrastructure has similarities with the Transparent Tribe advanced persistent threat (APT) group.
Figure 1 – Cyble Vision Threat Library
SideCopy originates from Pakistan and operates as an APT group.
SideCopy primarily directs its operations towards India, although it has also targeted Afghanistan and Bangladesh in some instances.
Figure 2 – Origin and Targeted Countries (Source: Cyble Vision)
N/A
SideCopy focuses its attacks exclusively on the defense sector.
SideCopy has garnered infamy for its targeting of Indian defense personnel and its proactive creation of malicious artifacts, including email lures and domains. The initial infection typically begins with phishing emails centered around defense-related news and affairs. These emails contain a zip file housing a Windows shortcut (.lnk) file disguised as PDF or DOC files. Upon opening these files, a first-stage HTA file is executed. This first-stage HTA file then proceeds to download and execute a second-stage HTA file while also downloading and opening a decoy document. The second-stage HTA file initiates the deployment and execution of a legitimate executable, which further sideloads a malicious DLL file dropped by the second-stage HTA. This malicious DLL file serves as a remote access trojan (RAT). The Cyble has detected and reported the SideCopy campaign previously, as shown in the figure below.
Figure 3 – SideCopy APT Lifecycle
From observed threat activities, it’s evident that SideCopy maintains constant vigilance over recent developments within defense-related sectors. Exploiting these updates as lures, SideCopy specifically targets defense personnel. Additionally, SideCopy employs compromised domains to host malicious files during the initial stages. This tactic makes the identification of malicious network infrastructure challenging.
The group employs phishing email attachments and URLs as the primary infection vectors to download malicious zip files. These emails are meticulously crafted, focusing on the latest defense-related news and affairs. Below are some known lures utilized by SideCopy for the initial infection:
Besides all these email campaigns we’ve outlined, SideCopy also uses honeytraps to lure victims in. These infections typically consist of malicious LNK files that display explicit photos of women.
The figure below shows one of the Decoy PDFs related to DRDO used by the SideCopy group.
Figure 4 – Decoy Document Used by SideCopy (Source: Cyble)
SideCopy has been detected exploiting the 2023 WinRAR security vulnerability CVE-2023-38831 as part of its attacks on Indian government entities. This vulnerability allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. This was exploited in the wild from April through October 2023. This tactic is used to distribute a range of RATs, including AllaKore RAT, Ares RAT, and DetaRat
SideCopy employs a diverse range of Remote Access Trojans (RATs) as its final payload. These RATs encompass ActionRAT, Allakore RAT, AresRAT, CetaRAT, DetaRAT, EpicenterRAT, Lilith RAT, MargulasRAT, njRAT, and ReverseRAT. Researchers can correlate ongoing campaigns by analyzing the IPs and domains associated with past attacks, facilitating the identification and tracking of the group’s activities.
Figure 5 – SideCopy Tools (Source: Cyble Vision)
Action RAT: Action RAT, a Delphi-written remote access tool, has been utilized by SideCopy since at least December 2021 to target government personnel in India and Afghanistan.
Allakore RAT: AllaKore is a basic Remote Access Tool developed in Delphi. It was initially identified in 2015 but is still in its early developmental phases. It utilizes the RFB protocol, which relies on frame buffers, enabling it to transmit only the altered portions of screen frames to the controller. This approach accelerates transport and facilitates control over visualization.
Ares RAT: Ares RAT, an open-source RAT based on Python, possesses capabilities such as executing shell commands, capturing screenshots, and downloading additional files, among other functionalities.
CetaRAT: The CetaRAT, a family of RATs based on C#, is designed to extract user data and transmit it to the CnC server. Upon execution, it initiates by retrieving details of the running antivirus product from the machine using the Getans() function and subsequently relays this information to the CnC server.
DetaRAT and MargulasRAT: The new trojans DetaRAT and MargulasRAT have special functions typically used for this kind of malware. They breach a victim’s systems by creating a link between their machines and a command-control (C2) server that enables them to steal data, tamper with the system processes, capture screenshots, etc.
EpicenterRAT: EpicenterRAT, often linked to the APT group Sidecar since 2018, boasts a range of functionalities. These include collecting system information, capturing screenshots, executing commands to shut down, reboot, or log off the system, and the ability to uninstall itself.
Lilith RAT: Lilith is an open-source, console-based RAT crafted in C++, renowned for its ultra-lightweight design. It offers a straightforward array of commands, granting near-total control over a targeted machine.
njRAT: njRAT, alternatively referred to as Bladabindi, is a remote access tool (RAT) developed in Visual Basic. It encompasses a user interface and functions as a trojan, granting the program holder control over the end-user’s computer. Initial discoveries of njRAT date back to June 2013, with certain variants traced as far back as November 2012.
ReverseRAT: ReverseRat is a .NET-based backdoor equipped with features such as screenshot capture, process termination, execution of arbitrary executables, file operations, and data uploading to a remote server. The threat actor has developed various versions of ReverseRat.
The threat actors employ compromised domains to download initial HTA files, with C&C communication conducted through hardcoded IPs embedded within the final payloads. SideCopy has frequently reused network infrastructure, where different domains used in various campaigns resolve to the same IP address. Additionally, substantial evidence suggests that a single IP address is utilized for C&C communications across multiple final payloads. Notably, SideCopy predominantly utilizes the Contabo GmbH ASN in its attacks.
This threat actor intentionally misleads the security community by adopting Tactics, Techniques, and Procedures (TTPs) reminiscent of the SideWinder and Rattlesnake APT groups. There are suspicions of links between this threat actor and Transparent Tribe, APT36 APT group.
SideCopy has been actively focusing on India, particularly its defense sector. The attack chain employed by SideCopy targets victims through spear-phishing campaigns and honeytrap lures. As Pakistani agents have increasingly utilized honey traps to entice defense personnel, the potential damage they can inflict is significant. Therefore, it is crucial to take decisive action to mitigate this threat. Pakistan, along with various other threat actors globally, has been utilizing honeytraps, with recent cases involving the theft of intelligence through this form of cyber espionage.
Following are our recommendations to avoid and detect SideCopy attacks:
User Awareness Training: Educate users about the risks of phishing emails and social engineering tactics used by SideCopy. Train them to recognize suspicious emails, attachments, and links.
Email Filtering: Implement robust email filtering solutions to detect and block phishing emails containing malicious attachments or links associated with SideCopy campaigns.
Patch Management: Regularly update software and firmware on network devices, including routers and IoT devices, to mitigate vulnerabilities exploited by SideCopy.
Network Segmentation: Segment your network to limit lateral movement in case of a successful SideCopy compromise. Implement firewalls and access controls to restrict unauthorized access.
Endpoint Protection: Deploy endpoint security solutions with advanced threat detection capabilities to detect and block SideCopy malware on endpoints.
Behavioral Analysis: Use security tools that employ behavioral analysis to detect and block suspicious activities associated with SideCopy, such as anomalous network traffic or file behavior.
Web Filtering: Implement web filtering solutions to block access to known malicious domains associated with SideCopy campaigns.
Threat Intelligence Sharing: Share threat intelligence with industry partners and relevant authorities to enhance collective defense against SideCopy and similar threat actors.
Incident Response Plan: Develop and regularly test an incident response plan to ensure a coordinated and effective response in case of a SideCopy attack.
Continuous Monitoring: Implement continuous monitoring of network traffic, system logs, and endpoint activities to detect and respond to SideCopy attacks in real time.
Figure 6 – MITRE ATT&CK (Source: Cyble Vision)
Spearphishing Attachment (T1193): SideCopy may use spearphishing emails with malicious attachments, such as ZIP files containing disguised link files or documents, to initiate their attacks.
Command and Control (T1043): SideCopy establishes communication with its command and control server using hardcoded IP addresses embedded within its payloads.
Exploit Public-Facing Application (T1190): SideCopy may exploit vulnerabilities in public-facing applications, such as the WinRAR security vulnerability, to gain initial access to target systems.
User Execution (T1204): SideCopy relies on user interaction to execute malicious attachments, such as opening ZIP files containing link files or documents disguised as PDF or DOC files.
Data Obfuscation (T1027): SideCopy may obfuscate its malicious payloads to evade detection by security tools and analysts.
Exfiltration Over Command and Control Channel (T1041): SideCopy may exfiltrate stolen data over its command and control channel to a remote server controlled by the threat actors.
Masquerading (T1036): SideCopy may masquerade its malicious payloads as legitimate files, such as PDF or DOC files, to deceive victims into executing them.