Seqrite uncovers APT ‘Operation SideCopy’ targeting India’s Defence Forces

Seqrite, the cybersecurity products and solutions brand of Quick Heal Technologies, has uncovered a new Advanced Persistent Threat (APT) targeting India’s Defence Forces. The threat actors behind this campaign, dubbed ‘Operation Sidecopy’, were found misleading the security community by copying Tactics, Techniques, and Procedures (TTPs) that point at the Sidewinder APT group. However, researchers at Seqrite have discovered strong evidence that ‘Operation Sidecopy’ has potential links with the Pakistan-backed Transparent Tribe group. This is a breakthrough discovery that makes Seqrite the first cybersecurity brand to expose the real identity of these threat actors.

Following the discovery, Seqrite alerted the Government authorities to take precautionary measures. Researchers at Seqrite suspect that China could be leveraging Pakistan-based APT groups to break in and gather intelligence from India that can benefit it in the ongoing India-China conflicts. They further warned that these attacks can put intelligence agencies at risk of losing sensitive information which could be leveraged by both neighbouring countries. This may happen directly via data exfiltration or indirectly via compromising an individual and compelling them to share confidential data.

Active since early 2019, ‘Operation Sidecopy’ has been using infection vectors such as LNK files, template injection, and the Equation Editor vulnerability to target Indian defence forces. For Command & Control, it has been using Contabo GmbH, one of the hosting providers most favoured by Transparent Tribe. According to Seqrite researchers, the malicious actors have been continuously developing malware modules and deploying updated versions after analyzing the victim’s data and environment. Interestingly, these attackers were even keeping track of which malware was detected by a system’s AV and updating it immediately so that no trace is left for further investigation.

Uncovering the attack

A couple of months ago, Seqrite’s next-generation behavioural detection technology alerted on a few processes running executable HTML files fetched from untrusted websites. In addition, the researchers noticed that the offending processes had interesting names such as “Defence Production Policy 2020.docx.lnk”. Taken together, these factors served as the trigger for a deeper investigation. Upon probing further, Seqrite researchers found that these attacks were targeted at Indian defence units and individuals in the armed forces.

The attack started with the victim receiving LNK files inside compressed ZIP/RAR archives via phishing emails. Since these files carried realistic names and icons, as if they came directly from the Government of India, the victims were likely to consider them authentic and be tricked into opening them.

Once opened, the malware runs in the system’s memory and gradually downloads and installs other components, eventually stealing user data and uploading it to attacker-controlled servers. The attack made use of the DLL sideloading technique (also known as the Black-White technique): a Microsoft-signed, legitimate system process (credwiz.exe) was used to run the malware via sideloading. After infiltrating the victim’s machine, the malware immediately restarts the device to clear the initial infection traces.
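Two of the observables described above (a shortcut disguised with a document extension, and a signed system binary such as credwiz.exe loading a DLL from outside the Windows directories) are easy to turn into triage rules. The following is an added defender-side example, not code from Seqrite or from the article: the event format and the sample telemetry are constructed for illustration, the watchlist contains only credwiz.exe because that is the host the article names, and the trusted-directory list is an assumption that a deployment would tune.

```python
from pathlib import PureWindowsPath

# Document extensions that a lure prepends to .lnk so the shortcut passes
# as an ordinary file (the article's example is
# "Defence Production Policy 2020.docx.lnk").
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf"}

# Signed Windows binaries watched as potential sideloading hosts.
# Assumption: only the host named in the article is listed; extend as needed.
SIDELOAD_HOSTS = {"credwiz.exe"}

# Directories from which a legitimate DLL load by such a host is expected.
# Assumption: a real deployment would tune this list for its environment.
TRUSTED_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")

# Constructed sample telemetry (not from the article): file-create events for
# email attachments and image-load events for running processes.
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\Users\a\Downloads\Defence Production Policy 2020.docx.lnk"},
    {"type": "file", "path": r"C:\Users\a\Downloads\quarterly_report.docx"},
    {"type": "file", "path": r"C:\Users\a\Downloads\notes.pdf.lnk"},
    {"type": "image_load",
     "process": r"C:\Windows\System32\credwiz.exe",
     "image": r"C:\Windows\System32\kernel32.dll"},
    {"type": "image_load",
     "process": r"C:\Users\a\AppData\Roaming\credwiz.exe",
     "image": r"C:\Users\a\AppData\Roaming\helper.dll"},
]


def is_double_extension_lure(filename: str) -> bool:
    """True when a .lnk file hides behind a document-looking inner extension."""
    p = PureWindowsPath(filename)
    if p.suffix.lower() != ".lnk":
        return False
    # Strip ".lnk" and look at what is left: "report.docx" -> ".docx"
    inner = PureWindowsPath(p.stem).suffix.lower()
    return inner in DOC_EXTENSIONS


def _under_trusted_dir(path: str) -> bool:
    low = path.lower()
    return any(low.startswith(d + "\\") for d in TRUSTED_DIRS)


def is_suspicious_image_load(process_path: str, image_path: str) -> bool:
    """Flag a watchlisted signed binary loading a DLL from outside the
    Windows system directories, which is the shape of a DLL sideload."""
    host = PureWindowsPath(process_path).name.lower()
    if host not in SIDELOAD_HOSTS:
        return False
    if not image_path.lower().endswith(".dll"):
        return False
    return not _under_trusted_dir(image_path)


def triage(events):
    """Run both rules over a list of events and return (rule, artifact) pairs."""
    findings = []
    for ev in events:
        if ev["type"] == "file" and is_double_extension_lure(ev["path"]):
            findings.append(("double_extension_lnk", ev["path"]))
        elif ev["type"] == "image_load" and is_suspicious_image_load(
                ev["process"], ev["image"]):
            findings.append(("sideload_from_untrusted_dir", ev["image"]))
    return findings


if __name__ == "__main__":
    for rule, artifact in triage(SAMPLE_EVENTS):
        print(f"{rule}: {artifact}")
```

The image-load rule deliberately keys on where the DLL comes from rather than on the DLL's name, since the article notes the operators kept updating modules as AV caught them; a name-based indicator would age quickly, whereas a signed system binary pulling a DLL from a user-writable directory stays anomalous.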
