
The cyber threat landscape is in constant flux, with threat actors continuously refining their techniques to breach defenses and achieve their malicious objectives. A recent report by Seqrite Labs’ APT team sheds light on the evolving tactics of the Pakistan-linked SideCopy APT group, revealing a significant expansion in their targeting and a shift in their attack methodologies.
According to the report, SideCopy has broadened its scope beyond traditional targets like the Indian government, defense, and maritime sectors. The group is now actively targeting entities within the railway, oil & gas, and external affairs ministries, demonstrating a clear intent to infiltrate critical national infrastructure.
One of the most notable changes in SideCopy’s recent campaigns is the move away from HTML Application (HTA) files. The report highlights the group’s transition to using Microsoft Installer (MSI) packages as the primary mechanism for staging their attacks. “Threat actors are continuously evolving their tactics to evade detection, and this shift is driven by their persistent use of DLL side-loading and multi-platform intrusions,” the report emphasizes.
The evolution of SideCopy’s tactics doesn’t stop at changing file formats. The group is also incorporating more sophisticated techniques to compromise systems. These include:
- Reflective loading: A technique used to load malicious code directly into a process’s memory without writing it to disk or going through the operating system’s normal loader, so file scanning and module listings are less likely to catch it.
- Repurposing open-source tools: SideCopy is known to modify and deploy open-source tools like Xeno RAT and Spark RAT to enhance their capabilities.
- New RAT Deployment: The discovery of a new remote access trojan (RAT) called CurlBack RAT, which registers the compromised victim with a command-and-control (C2) server, further illustrates the group’s ongoing development of custom malware.
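Two of the behaviours above, MSI packages used as a staging mechanism and DLL side-loading, leave traces in ordinary endpoint telemetry. The following script is an added example, not code from the Seqrite Labs report or from SideCopy tooling: it runs simple triage logic over a handful of constructed process-creation and image-load events, flagging `msiexec.exe` installs that reference a package under a user-writable path, and DLLs loaded from the same user-writable directory as the process executable (the classic side-loading layout). The event field names, the directory markers, and all sample paths are assumptions made for this example.

```python
"""Triage constructed endpoint events for MSI staging and DLL side-loading.

Added example; event schema and sample data are constructed, not taken from
any vendor product or from the report this article summarises.
"""
import shlex
from pathlib import PureWindowsPath

# Assumed markers of user-writable locations (lower-case, backslash-delimited).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\downloads\\")
# Assumed protected roots; a path under one of these is not treated as user-writable.
SYSTEM_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def is_user_writable(path: str) -> bool:
    """True when the path sits in a location a standard user can write to."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE) and not p.startswith(SYSTEM_DIRS)


def check_event(ev: dict) -> list:
    """Return (rule, pid, artefact) tuples for one event, or an empty list."""
    findings = []
    if ev["type"] == "process_create":
        image_name = PureWindowsPath(ev["image"]).name.lower()
        if image_name == "msiexec.exe":
            # posix=False keeps Windows backslashes and quoted paths intact.
            for tok in shlex.split(ev["cmdline"], posix=False):
                tok = tok.strip('"')
                if tok.lower().endswith(".msi") and is_user_writable(tok):
                    findings.append(("msi_from_user_writable", ev["pid"], tok))
    elif ev["type"] == "image_load":
        dll = PureWindowsPath(ev["image_loaded"])
        proc = PureWindowsPath(ev["image"])
        # Side-loading layout: a DLL resolved from the executable's own directory,
        # and that directory is one the user controls rather than a system path.
        if dll.suffix.lower() == ".dll" and dll.parent == proc.parent and is_user_writable(str(dll)):
            findings.append(("dll_sideload_candidate", ev["pid"], str(dll)))
    return findings


def scan(events: list) -> list:
    """Run check_event over a list of events and concatenate the findings."""
    return [f for ev in events for f in check_event(ev)]


# Constructed sample telemetry: two msiexec launches and two DLL loads.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4120,
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": "msiexec.exe /i C:\\Users\\victim\\AppData\\Local\\Temp\\notice.msi /qn"},
    {"type": "process_create", "pid": 4130,
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": 'msiexec.exe /i "C:\\Program Files\\Vendor\\setup.msi" /qn'},
    {"type": "image_load", "pid": 4180,
     "image": "C:\\Users\\victim\\AppData\\Roaming\\Tool\\viewer.exe",
     "image_loaded": "C:\\Users\\victim\\AppData\\Roaming\\Tool\\version.dll"},
    {"type": "image_load", "pid": 4180,
     "image": "C:\\Users\\victim\\AppData\\Roaming\\Tool\\viewer.exe",
     "image_loaded": "C:\\Windows\\System32\\version.dll"},
]

if __name__ == "__main__":
    for rule, pid, artefact in scan(SAMPLE_EVENTS):
        print(f"{rule}\tpid={pid}\t{artefact}")
```

Only the first MSI launch and the first DLL load are flagged: the second install references a package under Program Files, and the second load resolves `version.dll` from System32, which is the expected location. In a real deployment the path markers would be tuned to the environment, and the side-loading rule is best paired with a signer check on the host executable, since the technique relies on a trusted binary pulling in an attacker-controlled DLL.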
The report also uncovers the group’s use of deceptive tactics to trick victims into falling for their schemes:
- Impersonation: Attackers are using email IDs with usernames that impersonate government personnel, often with a cybersecurity background, leveraging compromised accounts to add credibility to their phishing attempts.
- Fake Domains: The creation of fake domains that mimic legitimate e-governance services, complete with open directories to host payloads and credential phishing login pages, is a key component of their strategy.
- Compromised Official Domains: In a particularly concerning revelation, the report states that “the official domain of the National Hydrology Project (NHP), under the Ministry of Water Resources, has been compromised to deliver malicious payloads.”
Seqrite Labs’ investigation has also brought to light the group’s focus on credential phishing, with the identification of “thirteen sub-domains and URLs host login pages for various RTS Services for multiple City Municipal Corporations (CMCs), all in the state of Maharashtra.”
The report indicates that SideCopy’s activities are not limited to Windows systems. The group is also actively targeting Linux platforms, employing modified variants of open-source tools like SparkRAT. This multi-platform approach increases the potential impact of their campaigns and highlights their adaptability.
The SideCopy APT group’s shift to MSI packages, use of advanced techniques, and targeting of critical Indian sectors pose a significant cybersecurity challenge. Organizations and individuals must remain vigilant and implement robust security measures to defend against these sophisticated attacks.