Security researchers have uncovered evidence of an ongoing espionage campaign that has targeted India's military (defense and armed forces) since at least 2019. The campaign aims at the theft of sensitive and confidential information.
The attacks in this spying campaign, which the Indian cyber security company Quick Heal has named "Operation SideCopy", have been attributed to an APT hacking group that managed to stay under the radar by "copying" the tactics of other groups, such as SideWinder.
The espionage campaign against the Indian army begins with a phishing e-mail carrying a malicious attachment, either a ZIP file containing an LNK file or a Word document, which triggers an infection chain that proceeds through a series of steps to obtain the final-stage payload.
Besides identifying three different infection chains, it is worth noting that the attackers exploited template injection and the Microsoft Equation Editor vulnerability (CVE-2017-11882), a 20-year-old memory corruption bug in Microsoft Office that allowed attackers who successfully exploited it to execute code remotely on a vulnerable device, even without user interaction. Microsoft addressed the issue with a patch released in November 2017.
As in similar campaigns, the attack relies on social engineering to persuade a user to open a realistic-looking Word document, purportedly related to the Indian government's defense policy.
In addition, the LNK files carry a double extension ("Defense-Production-Policy-2020.docx.lnk") and a document icon, which encourages an unsuspecting victim to open them. Once the user opens the file, the LNK runs malicious HTA files (HTA stands for Microsoft HTML Application) hosted on fraudulent sites; the HTA files were built with an open-source payload generation tool called CACTUSTORCH.
The first-stage HTA file includes a decoy document and a malicious .NET module that opens the document and downloads a second-stage HTA file. This in turn checks for the presence of popular antivirus solutions before copying Microsoft's credential backup and restore utility ("Credwiz.exe") to a different folder on the victim's device and modifying the registry so that the copied executable runs every time the system starts.
Consequently, when this file runs, it not only loads a malicious DUser.dll but also launches the RAT module, Winms.exe; both are obtained from the second-stage HTA. DUser.dll initiates a connection to the IP address '220.127.116.11' over TCP port 6102. Once connected, it performs various functions depending on the command received from the command-and-control (C2) server. For example, if the C2 sends 0, it collects the computer name, username, OS version etc. and sends them to the C2.
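The LNK lure, the Run-key persistence of the relocated Credwiz.exe, the DUser.dll load from a non-system folder and the beacon to TCP port 6102 described in the preceding paragraphs are all observable on an endpoint. The following Python script is an added example, not code from Quick Heal or the article: it replays a few constructed telemetry records through a simple check for each of those indicators. The event schema, the user paths and the benign records are assumptions made for the example; the IP address and port are the ones quoted in the report.

```python
import re

# Directories where a genuine Windows credwiz.exe / DUser.dll live.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# C2 endpoint named in the report.
C2_IPS = {"220.127.116.11"}
C2_PORT = 6102
# Double-extension lure: "<name>.docx.lnk" and similar.
DOUBLE_EXT_LNK = re.compile(r"\.(docx?|xlsx?|pptx?|pdf)\.lnk$", re.IGNORECASE)

# Constructed sample telemetry (hypothetical schema, not real sensor output).
# The first four records mimic the chain; the rest are benign noise.
SAMPLE_EVENTS = [
    {"type": "file_create",
     "path": r"C:\Users\alice\Downloads\Defense-Production-Policy-2020.docx.lnk"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "credwiz",
     "data": r"C:\Users\alice\AppData\Roaming\Sync\credwiz.exe"},
    {"type": "image_load",
     "process": r"C:\Users\alice\AppData\Roaming\Sync\credwiz.exe",
     "image": r"C:\Users\alice\AppData\Roaming\Sync\DUser.dll"},
    {"type": "network_connect",
     "process": r"C:\Users\alice\AppData\Roaming\Sync\credwiz.exe",
     "dst_ip": "220.127.116.11", "dst_port": 6102},
    {"type": "file_create", "path": r"C:\Users\alice\Downloads\report.docx"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive",
     "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "image_load",
     "process": r"C:\Windows\System32\credwiz.exe",
     "image": r"C:\Windows\System32\DUser.dll"},
    {"type": "network_connect",
     "process": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "198.51.100.7", "dst_port": 443},
]


def _base(path: str) -> str:
    """Lower-cased final component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _in_system_dir(path: str) -> bool:
    """True when the path sits under a trusted Windows system directory."""
    return path.lower().startswith(SYSTEM_DIRS)


def check_event(ev: dict) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs raised by one telemetry record."""
    hits = []
    kind = ev["type"]
    if kind == "file_create" and DOUBLE_EXT_LNK.search(ev["path"]):
        hits.append(("double_ext_lnk", ev["path"]))
    elif kind == "registry_set" and ev["key"].lower().endswith(r"\currentversion\run"):
        # Persistence: Run key pointing at a credwiz.exe copy outside System32.
        if _base(ev["data"]) == "credwiz.exe" and not _in_system_dir(ev["data"]):
            hits.append(("run_key_relocated_credwiz", ev["data"]))
    elif kind == "image_load":
        # Side-loading: DUser.dll resolved from a non-system directory.
        if _base(ev["image"]) == "duser.dll" and not _in_system_dir(ev["image"]):
            hits.append(("duser_sideload", f"{ev['process']} -> {ev['image']}"))
    elif kind == "network_connect":
        # Beacon: credwiz.exe talking to the reported C2 address or port.
        if _base(ev["process"]) == "credwiz.exe" and (
                ev["dst_ip"] in C2_IPS or ev["dst_port"] == C2_PORT):
            hits.append(("c2_connect", f"{ev['dst_ip']}:{ev['dst_port']}"))
    return hits


def scan(events) -> list[tuple[str, str]]:
    """Run every record through check_event and collect all indicators."""
    return [hit for ev in events for hit in check_event(ev)]


if __name__ == "__main__":
    for indicator, detail in scan(SAMPLE_EVENTS):
        print(f"[{indicator}] {detail}")
```

Each check keys on the combination the report describes (a Windows binary or DLL name in the wrong directory, or the right process talking to the wrong place) rather than on the file name alone, which is why the genuine System32 credwiz.exe loading the genuine System32 DUser.dll in the benign records raises nothing.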
Noting that the RAT has code-level similarities to Allakore Remote, an open-source remote access software, Quick Heal reported that the trojan used Allakore's RFB (Remote Frame Buffer) protocol to exfiltrate data from the infected system.
In addition, some attack chains are said to drop a previously unseen .NET-based RAT, which Kaspersky researchers named Crimson RAT, with various features such as file access, and which can even execute arbitrary commands.
According to The Hacker News, although the way the DLL filenames are used resembles the SideWinder group, the APT's heavy reliance on open-source tools and a completely different C2 infrastructure led the researchers to conclude that the threat actor is of Pakistani origin, specifically the group Transparent Tribe, which has recently been associated with many attacks on personnel of the Indian government and army. Quick Heal therefore estimates that the threat actor behind this campaign is part of the Transparent Tribe APT group and merely copies other groups' hacking techniques to mislead security professionals.