Pakistani APT Hacker Group SideCopy Unknown Details Revealed by Researchers

The SideCopy hackers, a Pakistani APT group, have recently targeted several Indian and Afghan government officials, particularly military officials, through social engineering.

Cybersecurity researchers at Malwarebytes report that the hackers compromised sensitive data belonging to ministries in Afghanistan and a shared government computer in India, stealing the following data from their targets and using it to gain access to government portals:-

  • Google credentials
  • Twitter credentials
  • Facebook credentials
  • Banking information
  • Password-protected documents

Victims

The victims targeted by the SideCopy APT group are:-

  • Administration Office of the President (AOP) of Afghanistan personnel
  • Ministry of Foreign Affairs, Afghanistan
  • Ministry of Finance, Afghanistan
  • Afghanistan’s National Procurement Authority (NPA)
  • A shared computer, India

Infection chain

The researchers fully uncovered the primary command and control (C2) server that the Pakistani APT group SideCopy uses to monitor and control its victims.


They also discovered that the threat actors send each victim a unique package whose malicious payloads are hosted on compromised domains.

To monitor each package, the threat actors use a system called Scout, in which packages are tracked under nicknames such as Hendrick, Alexander, Hookes and Malone; each name identifies the team responsible for managing that package.

Every infected machine is listed on the dashboard provided by the Scout system, which records the following details for each one:-

  • The IP address of the victim
  • Package name
  • OS version
  • User-Agent
  • Browser information
  • Country
  • Victim status

According to the Malwarebytes report “When the victim opens the lure document, the lure executes a loader to drop a next-stage RAT known as ActionRAT with the following capabilities:-

  • Uploading files
  • Executing commands received from a server
  • Downloading more payloads

Apart from this, the loader also drops an info stealer named AuTo Stealer. Before exfiltrating the information to its server over HTTP or TCP, this info stealer gathers the following data:-

  • Microsoft Office files
  • PDF documents
  • Text files
  • Database files
  • Images

The file-type paths used by the threat actors are:-

  • /streamppt
  • /streamdoc
  • /streamxls
  • /streamdb
  • /streamtxt
  • /streampdf
  • /streamimg
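The per-file-type paths above are a usable network indicator. The following detection script is an added example, not code from the article or from Malwarebytes; it assumes a simple constructed proxy log layout (`<src_ip> <METHOD> <url> <status> <bytes>`) and the host name example.invalid, and flags any request whose path matches one of the listed stealer upload paths, then summarises requests and bytes sent per internal host.

```python
import re
from collections import Counter
# Upload paths listed in the article, mapped to the file category the stealer sends through each (labels mine).
STREAM_PATHS = {
    "/streamppt": "PowerPoint",
    "/streamdoc": "Word document",
    "/streamxls": "Excel",
    "/streamdb": "Database",
    "/streamtxt": "Text",
    "/streampdf": "PDF",
    "/streamimg": "Image",
}
# Assumed proxy log layout (constructed): "<src_ip> <METHOD> <url> <status> <bytes>"
LOG_RE = re.compile(r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$")

def path_of(url):
    """Strip scheme, host and query string, leaving only the URL path."""
    without_host = re.sub(r"^[a-z]+://[^/]+", "", url)
    return without_host.split("?", 1)[0] or "/"

def detect_exfil(log_lines):
    """Return one alert per request whose path is one of the stealer upload paths."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        path = path_of(m["url"]).lower()
        if path in STREAM_PATHS:
            alerts.append({"src": m["src"], "method": m["method"], "path": path,
                           "category": STREAM_PATHS[path], "bytes": int(m["bytes"])})
    return alerts

def summarize(alerts):
    """Aggregate alerts per source host: request count, bytes sent, categories seen."""
    summary = {}
    for a in alerts:
        s = summary.setdefault(a["src"], {"requests": 0, "bytes": 0, "categories": Counter()})
        s["requests"] += 1
        s["bytes"] += a["bytes"]
        s["categories"][a["category"]] += 1
    return summary
# Constructed sample log lines; example.invalid stands in for the stealer's server.
SAMPLE_LOG = [
    "10.0.0.5 POST http://example.invalid/streamdoc 200 48213",
    "10.0.0.5 POST http://example.invalid/streampdf?x=1 200 131072",
    "10.0.0.7 GET http://example.invalid/streamdoc 200 120",
    "10.0.0.9 GET http://example.invalid/index.html 200 512",
    "not a log line",
]
```

Running `summarize(detect_exfil(SAMPLE_LOG))` on the constructed lines reports two matching requests (179,285 bytes) from 10.0.0.5 and one from 10.0.0.7, while the ordinary index.html request and the malformed line are ignored.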

New lures

The new lures observed by the Malwarebytes researchers are:-

  • Report-to-NSA-Mohib-Meeting-with-FR-GE-UK.zip
  • address-list-ere-update-sep-2021.zip
  • NCERT-NCF-LTV-Vislzr-2022.zip
  • Archives named with female first names, such as nisha.zip
  • image-random number.zip
  • Whatsapp-image-random number.zip
  • schengen_visa_application_form_english.zip
  • Download-Maria-Gul-CV.zip
  • New document.zip

Hossein Jazi, one of the Malwarebytes researchers, has stated:-

“The lures used by SideCopy APT are usually archived files that have embedded one of these files: LNK, Microsoft Publisher, or Trojanized Applications. And all these files are mainly tailored to target Indian and Afghan government and military officials.”

In South Asia, the SideCopy APT group has been actively targeting military and government officials. To mitigate this threat, the experts recommend that users deploy proper security solutions and actively monitor for any suspicious activity.


BALAJI is a Former Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.