Thursday, January 21, 22:11

A spy campaign targets the Indian army!

Security researchers have uncovered evidence of an ongoing espionage campaign targeting India's military (defense and armed forces) that has been active since at least 2019. The campaign aims at the theft of sensitive and confidential information.

The attacks in this spy campaign, which the Indian cybersecurity company Quick Heal has named "Operation SideCopy", have been attributed to an APT hacking group that managed to stay under the radar by "copying" the tactics of other groups, such as SideWinder.

The espionage campaign targeting the Indian army begins with a phishing e-mail carrying a malicious attachment, either a ZIP file containing an LNK file or a Microsoft Word document, which triggers an infection chain that proceeds through a series of steps to deliver the final-stage payload.

Espionage campaign targeting the Indian Army

Besides identifying three different infection chains, the researchers noted the use of template injection and of the Microsoft Equation Editor vulnerability (CVE-2017-11882), a 20-year-old memory issue in Microsoft Office which, when successfully exploited, allowed attackers to execute code remotely on a vulnerable device without any user interaction. Microsoft fixed the issue with a patch released in November 2017.

In such campaigns the attack usually relies on social engineering, aimed at persuading a user to open a seemingly legitimate Word document, supposedly related to the Indian government's defense policy.

The LNK files also carry a double extension ("Defense-Production-Policy-2020.docx.lnk") and a document icon, which entices an unsuspecting victim to open them. Once opened, the LNK file runs a malicious HTA (Microsoft HTML Application) file hosted on a fraudulent site; the HTA files were created with an open-source payload-generation tool called CACTUSTORCH.


The first-stage HTA file contains a decoy document and a malicious .NET module; the module opens the document and downloads a second-stage HTA file, which in turn checks for the presence of popular antivirus products before copying Microsoft's credential backup and restore utility ("Credwiz.exe") to a different folder on the victim's device and modifying the registry so that the copied executable runs every time the system starts.

When the copied executable runs, it loads a malicious DUser.dll and also starts the RAT module Winms.exe; both are obtained from the second-stage HTA. DUser.dll then initiates a connection to the IP address '' over TCP port 6102. Once connected, it performs various functions depending on the command received from the command-and-control (C2) server. For example, if the C2 sends 0, it collects the computer name, username, OS version and so on, and sends them to the C2.
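As an added example that is not part of the original article or of Quick Heal's research, the following Python shows how a defender could triage the two host-level indicators described above: the double-extension LNK lure and a Run-key value that launches a relocated copy of Credwiz.exe with a DUser.dll beside it. The Run-key values and the file listing are constructed sample data, and the list of legitimate directories is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample data (hypothetical host, not from the report), shaped after the
# chain described in the article: a copy of credwiz.exe parked in a user folder,
# a DUser.dll placed beside it for sideloading, and a Run-key value launching it.
RUN_KEY_VALUES = {
    "OneDriveUpdate": r'"C:\Users\victim\AppData\Roaming\Credwiz\credwiz.exe"',
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
}
FILES_ON_DISK = {
    r"C:\Users\victim\AppData\Roaming\Credwiz\credwiz.exe",
    r"C:\Users\victim\AppData\Roaming\Credwiz\DUser.dll",
    r"C:\Users\victim\AppData\Roaming\Credwiz\Winms.exe",
    r"C:\Windows\System32\credwiz.exe",
    r"C:\Windows\System32\SecurityHealthSystray.exe",
}
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}  # assumption
DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx"}
EXE_RE = re.compile(r'^"?([^"]+?\.exe)', re.IGNORECASE)

def is_double_extension_lnk(filename: str) -> bool:
    """True for lures such as 'Defense-Production-Policy-2020.docx.lnk':
    a document extension immediately followed by .lnk."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] == ".lnk" and suffixes[-2] in DOC_EXTS

def find_relocated_credwiz(run_values: dict, files: set) -> list:
    """Flag Run-key values that launch credwiz.exe from outside System32/SysWOW64
    and record whether a sideload-able DUser.dll sits in the same folder."""
    files_lower = {f.lower() for f in files}
    findings = []
    for value_name, command in run_values.items():
        match = EXE_RE.match(command.strip())
        if not match:
            continue
        exe = PureWindowsPath(match.group(1))
        if exe.name.lower() != "credwiz.exe":
            continue
        if str(exe.parent).lower() in LEGIT_DIRS:
            continue  # the genuine utility in its normal location
        findings.append({
            "value_name": value_name,
            "path": str(exe),
            "duser_dll_present": str(exe.parent / "DUser.dll").lower() in files_lower,
        })
    return findings

if __name__ == "__main__":
    print(is_double_extension_lnk("Defense-Production-Policy-2020.docx.lnk"))
    print(find_relocated_credwiz(RUN_KEY_VALUES, FILES_ON_DISK))
```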

Noting that the RAT shares code with Allakore Remote, an open-source remote-access software, Quick Heal reported that the trojan used Allakore's RFB (Remote Frame Buffer) protocol to exfiltrate data from the infected system.


Some attack chains are also said to drop a previously unseen .NET-based RAT, which Kaspersky researchers have named Crimson RAT; it offers a variety of capabilities, such as file access, and can even execute arbitrary commands.

According to The Hacker News, although the DLL naming technique resembles that of the SideWinder group, the APT's heavy reliance on open-source tools and a completely different C2 infrastructure led the researchers to conclude that the threat actor is of Pakistani origin, specifically the group Transparent Tribe, which has recently been linked to many attacks on personnel of the Indian government and army. Quick Heal therefore assesses that the threat actor behind this campaign is part of the Transparent Tribe APT group and is merely copying other groups' techniques to mislead security professionals.

