Monday, October 19, 17:20

A spy campaign targets the Indian army!

Security researchers have uncovered evidence of an espionage campaign that has been targeting India's defence sector and armed forces since at least 2019. Its goal is the theft of sensitive and confidential information.

The attacks, which the Indian security company Quick Heal has named "Operation SideCopy", are attributed to an APT group that has stayed under the radar by copying the tactics and tooling of other groups, such as SideWinder.

The campaign begins with a phishing e-mail carrying a malicious attachment, either a ZIP archive containing an LNK shortcut or a Word document, which starts a multi-stage infection chain that ends with the final payload.


Besides identifying three different infection chains, the researchers observed the use of template injection and of CVE-2017-11882, a stack buffer overflow in the Microsoft Office Equation Editor (EQNEDT32.EXE), a component dating back to 2000. A successful exploit runs attacker code on a vulnerable machine as soon as the document is opened, with no macro prompt or further interaction from the user. Microsoft patched the issue in November 2017 and later removed the Equation Editor component from Office altogether, so a fully updated installation is not exposed to it.
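
The template-injection technique mentioned above leaves a recognisable trace inside the document itself, and the following Python scanner shows what to look for. It is an added example for this article, not code from Quick Heal or from the campaign: a .docx is a zip of XML parts, and template injection plants an `attachedTemplate` relationship with an external URL in `word/_rels/settings.xml.rels`, which Word fetches when the file opens. The sample packages, the `example.invalid` URL and the UNC path are constructed here for the demonstration.

```python
"""Detect remote-template (template injection) references in a .docx.

Added example for this article; it is not code from Quick Heal or the
campaign. A .docx is a zip of XML parts. Template injection plants an
'attachedTemplate' relationship with an external URL in
word/_rels/settings.xml.rels; Word fetches that URL when the file opens.
The sample packages below are constructed in memory (example.invalid URL).
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# http(s) URLs and UNC paths are fetched over the network at open time;
# file:///C:/... references to a local Normal.dotm are routine and benign.
REMOTE_TARGET = re.compile(r"^(https?://|\\\\)", re.I)


def find_remote_templates(docx_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (rels part, target) for every external attachedTemplate relationship."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and REMOTE_TARGET.match(target):
                    hits.append((name, target))
    return hits


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Construct a minimal docx-shaped zip (just enough parts for the scanner)."""
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{REL_NS}">')
    if template_target is not None:
        rels += (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                 f'Target="{template_target}" TargetMode="External"/>')
    rels += "</Relationships>"
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        pkg.writestr("word/document.xml", f'<w:document xmlns:w="{w_ns}"/>')
        pkg.writestr("word/settings.xml", f'<w:settings xmlns:w="{w_ns}"/>')
        pkg.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


# Constructed samples: a benign local template and an injected remote one.
BENIGN = build_sample_docx(
    "file:///C:/Users/victim/AppData/Roaming/Microsoft/Templates/Normal.dotm")
INJECTED = build_sample_docx("http://example.invalid/templates/policy.dotm")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("injected", INJECTED)):
        print(label, find_remote_templates(doc))
```

The check deliberately keys on the `attachedTemplate` relationship type rather than on any external target, because ordinary documents carry external hyperlinks in their `.rels` parts; a local `file:///` template reference is also left alone, since Word writes one for every document based on Normal.dotm.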

As in most such campaigns, the attack relies on social engineering: the victim is lured into opening a convincing-looking Word document that purports to relate to the Indian government's defence policy.

The LNK files carry a double extension ("Defense-Production-Policy-2020.docx.lnk") and a document icon, so an unsuspecting victim sees what looks like a Word file. When opened, the shortcut runs an HTA (Microsoft HTML Application) file hosted on an attacker-controlled site; the HTA files are generated with CACTUSTORCH, an open-source payload-generation tool.


The first-stage HTA carries a decoy document and a malicious .NET module. The module opens the decoy and downloads a second-stage HTA, which checks for popular antivirus products and then copies Microsoft's legitimate Credential Backup and Restore Wizard ("credwiz.exe") to a different folder on the victim's machine, adding a registry entry so that the copied executable runs at every startup.

Running from its new location, credwiz.exe side-loads a malicious DUser.dll dropped in the same folder (the legitimate DUser.dll lives in System32, so the copy beside the executable wins the search order); the RAT module also starts Winms.exe. Both files come from the second-stage HTA. DUser.dll then connects to the IP address '' over TCP port 6102 and, once connected, dispatches on the command received from the command-and-control (C2) server. If the C2 sends 0, for example, it collects the computer name, username, OS version and similar details and sends them back.
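
The chain described in the last three paragraphs (double-extension LNK, relocated credwiz.exe, side-loaded DUser.dll, Run-key persistence, beacon on TCP 6102) is exactly the kind of pattern a detection engineer would encode against endpoint telemetry. The Python below is an added example for this article, not code from Quick Heal or from the campaign: it runs five such rules over constructed Sysmon-like events (EventID and field names as strings, modelled on Sysmon's schema). The staging folder, the SID and the 198.51.100.7 address are made up; port 6102 is the one reported in the analysis, and the real C2 address is not reproduced.

```python
"""Flag SideCopy-style persistence and side-loading in endpoint telemetry.

Added example for this article; not code from Quick Heal or the campaign.
Events are constructed in a Sysmon-like shape (EventID and field names as
strings) so the rules run offline. Paths, SID and the 198.51.100.7 address
are made up; the C2 port 6102 is from the published analysis.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

SYSTEM_DIRS = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.I)
DOUBLE_EXT_LNK = re.compile(r"\.(docx?|xlsx?|pptx?|pdf)\.lnk$", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
C2_PORT = "6102"


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _outside_system_dirs(path: str) -> bool:
    return SYSTEM_DIRS.match(path.strip('"')) is None


def evaluate(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule) for each event matching one of the rules."""
    findings = []
    for i, e in enumerate(events):
        eid = e.get("EventID")
        image = e.get("Image", "")
        if eid == "11" and DOUBLE_EXT_LNK.search(e.get("TargetFilename", "")):
            # Sysmon 11 (FileCreate): document-named shortcut hiding a .lnk suffix
            findings.append((i, "double-extension LNK dropped"))
        elif eid == "1" and _basename(image) == "credwiz.exe" and _outside_system_dirs(image):
            # Sysmon 1 (ProcessCreate): the wizard only ships in System32/SysWOW64
            findings.append((i, "credwiz.exe executed from non-system path"))
        elif eid == "7":
            # Sysmon 7 (ImageLoad): DUser.dll resolved from the loader's own folder
            loaded = e.get("ImageLoaded", "")
            if _basename(loaded) == "duser.dll" and _outside_system_dirs(loaded):
                findings.append((i, "DUser.dll side-loaded from non-system path"))
        elif eid == "13":
            # Sysmon 13 (RegistryValueSet): Run key pointing at the relocated copy
            details = e.get("Details", "")
            if (RUN_KEY.search(e.get("TargetObject", ""))
                    and _basename(details.strip('"')) == "credwiz.exe"
                    and _outside_system_dirs(details)):
                findings.append((i, "Run key persistence for copied credwiz.exe"))
        elif eid == "3" and e.get("DestinationPort") == C2_PORT and _basename(image) == "credwiz.exe":
            # Sysmon 3 (NetworkConnect): beacon on the port reported for the RAT
            findings.append((i, "credwiz.exe connecting to TCP 6102"))
    return findings


DROP_DIR = r"C:\Users\victim\AppData\Roaming\svc"  # constructed staging folder
SAMPLE_EVENTS: List[Event] = [
    {"EventID": "11", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\victim\Downloads\Defense-Production-Policy-2020.docx.lnk"},
    {"EventID": "1", "Image": r"C:\Windows\System32\credwiz.exe"},  # legitimate
    {"EventID": "1", "Image": DROP_DIR + r"\credwiz.exe"},
    {"EventID": "7", "Image": DROP_DIR + r"\credwiz.exe",
     "ImageLoaded": DROP_DIR + r"\DUser.dll"},
    {"EventID": "7", "Image": r"C:\Windows\System32\credwiz.exe",
     "ImageLoaded": r"C:\Windows\System32\DUser.dll"},  # legitimate
    {"EventID": "13", "Image": r"C:\Windows\System32\mshta.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "Details": DROP_DIR + r"\credwiz.exe"},
    {"EventID": "3", "Image": DROP_DIR + r"\credwiz.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": "6102"},
]

if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The two legitimate events (credwiz.exe and DUser.dll loaded from System32) are included so the path check does the discriminating work: the filenames themselves are those of signed Microsoft binaries, and alerting on the names alone would page on every machine.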

Noting that the RAT shares code with Allakore Remote, an open-source remote-access tool, Quick Heal reported that the trojan uses Allakore's RFB (Remote Frame Buffer) protocol to exfiltrate data from the infected system.


Some of the attack chains are also said to drop a previously unseen .NET-based RAT, which Kaspersky researchers have called Crimson RAT; among other capabilities it can access files on the system and execute arbitrary commands.

According to The Hacker News, although the DLL side-loading filenames resemble those used by the SideWinder group, the actor's heavy reliance on open-source tooling and an entirely different C2 infrastructure led the researchers to conclude that it is of Pakistani origin, specifically Transparent Tribe, a group recently linked to numerous attacks on personnel of the Indian government and armed forces. Quick Heal therefore assesses that the actor behind this campaign is part of Transparent Tribe and copies other groups' techniques to mislead security analysts.

