Several government organisations from India and Afghanistan have recently suffered from cyberattacks by the SideCopy APT actors from Pakistan that breached their Facebook, Google, and Twitter accounts and stole access to their government portals.
Researchers have dug deep into the new attack techniques and tools used by the APT group behind the newly discovered campaign. This APT group operates by copying the infection chain used by another threat group called SideWinder.
As researchers explained, the SideCopy APT lures its victims with archive files containing an LNK file, trojanised applications, or Microsoft Publisher documents. These lure files are used to target government and military organisations in India and Afghanistan.
These findings are linked to Meta’s new cybersecurity measures, which block malicious activity by the SideCopy APT group across all of its platforms.
According to the researchers, the threat group uses the “romantic lures” technique to attack victims linked to Afghanistan’s government and military organisations.
The attacks observed by researchers appear to target staff from Afghanistan’s Administration Office of the President (AOP), National Procurement Authority, Ministry of Finance, and Ministry of Foreign Affairs. These attacks harvested social media credentials, such as account names and passwords, and several password-protected sensitive documents. The attackers also compromised shared computers belonging to the Indian government to steal credentials from both government and educational institutions.
The APT group stole many Microsoft Office documents containing officials’ names, phone numbers, and email addresses, as well as databases holding data about staff identity cards, visas, and asset registrations from Afghan government websites. The stolen data is believed to be intended for use as decoys in future lures or as leverage against the victims as opportunity permits.
The detailed analysis of the attack begins when the victims open the lure documents, which launch a loader that drops the next-stage remote access trojan, ActionRAT. The RAT (Remote Access Trojan) can upload files, execute commands received from a server, and download further payloads needed in the attack. Alongside ActionRAT, the threat actors also drop an information stealer called AuTo Stealer, which collects MS Office files, text files, images, PDF documents, and database files before exfiltrating them to a server over HTTP or TCP.
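The exfiltration behaviour described above (a stealer pushing a mix of Office, text, image, PDF and database files to one server over HTTP) is something a defender can look for in egress proxy logs. The script below is an added example and not code from the article or from any of the researchers it cites; it flags a source host that uploads several files spanning several of those file categories to one destination within a short window. The log lines and their field layout (timestamp, source host, HTTP method, destination, uploaded filename, byte count) are constructed for the example and are not a real proxy format.

```python
"""Added example: flag hosts that bulk-upload a stealer-like mix of document
types over HTTP. The log format and all log lines are constructed, not real."""
from collections import defaultdict
from datetime import datetime, timedelta

# The file classes the article says AuTo Stealer collects, keyed by extension.
CATEGORY_BY_EXT = {
    "doc": "office", "docx": "office", "xls": "office", "xlsx": "office",
    "ppt": "office", "pptx": "office",
    "txt": "text",
    "jpg": "image", "jpeg": "image", "png": "image",
    "pdf": "pdf",
    "db": "database", "sqlite": "database", "mdb": "database",
}

# Constructed proxy log: host 10.0.0.5 uploads six different document types to
# one server in 30 seconds; 10.0.0.7 sends one report; 10.0.0.9 uploads only
# photos (one category), which is normal user behaviour and must not alert.
SAMPLE_LOG = """\
2021-11-16T09:00:01 10.0.0.5 POST 203.0.113.10 budget.xlsx 48211
2021-11-16T09:00:04 10.0.0.5 POST 203.0.113.10 notes.txt 812
2021-11-16T09:00:09 10.0.0.5 POST 203.0.113.10 scan.jpg 210044
2021-11-16T09:00:15 10.0.0.5 POST 203.0.113.10 contract.pdf 99120
2021-11-16T09:00:22 10.0.0.5 POST 203.0.113.10 staff.db 1048576
2021-11-16T09:00:30 10.0.0.5 POST 203.0.113.10 memo.docx 30211
2021-11-16T09:05:00 10.0.0.7 POST 198.51.100.4 report.docx 40000
2021-11-16T09:06:00 10.0.0.7 GET 198.51.100.4 index.html 2048
2021-11-16T09:10:00 10.0.0.9 POST 192.0.2.8 img1.jpg 50000
2021-11-16T09:10:05 10.0.0.9 POST 192.0.2.8 img2.jpg 50000
2021-11-16T09:10:10 10.0.0.9 POST 192.0.2.8 img3.jpg 50000
2021-11-16T09:10:15 10.0.0.9 POST 192.0.2.8 img4.jpg 50000
2021-11-16T09:10:20 10.0.0.9 POST 192.0.2.8 img5.jpg 50000
"""


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp
    and the file category of the uploaded name (None if not of interest)."""
    ts, src, method, dst, fname, size = line.split()
    ext = fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
    return {
        "ts": datetime.fromisoformat(ts), "src": src, "method": method,
        "dst": dst, "fname": fname, "size": int(size),
        "category": CATEGORY_BY_EXT.get(ext),
    }


def find_bulk_uploaders(log_text, window=timedelta(minutes=10),
                        min_files=5, min_categories=3):
    """Return one alert per (src, dst) pair whose densest upload window holds
    at least `min_files` uploads spanning at least `min_categories` categories.
    Thresholds are illustrative; tune them to the environment's baseline."""
    uploads = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        # Only HTTP uploads of the stealer's file classes count as evidence.
        if ev["method"] == "POST" and ev["category"]:
            uploads[(ev["src"], ev["dst"])].append(ev)

    alerts = []
    for (src, dst), events in uploads.items():
        events.sort(key=lambda e: e["ts"])
        best = []
        # Slide a window starting at each event and keep the largest group.
        for start in range(len(events)):
            limit = events[start]["ts"] + window
            group = [e for e in events[start:] if e["ts"] <= limit]
            if len(group) > len(best):
                best = group
        categories = {e["category"] for e in best}
        if len(best) >= min_files and len(categories) >= min_categories:
            alerts.append({
                "src": src, "dst": dst, "files": len(best),
                "categories": sorted(categories),
                "bytes": sum(e["size"] for e in best),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_uploaders(SAMPLE_LOG):
        print(alert)
```

The category-diversity threshold is what separates the stealer pattern from a user syncing a photo folder: the sixth-line burst from 10.0.0.5 alerts, while the five JPEG uploads from 10.0.0.9 do not. In a real deployment the same logic runs over proxy or NetFlow-derived records, and a hit is a starting point for triage (which process on the host made the POSTs, whether the destination is known), not a verdict.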
In September 2020, SideCopy APT attacked Indian defence units and military forces to steal sensitive data. Then in July this year, researchers discovered that the APT group had been delivering infection chains in India via modified remote access trojans, including CetaRAT, njRAT, and Allakore.