APT Group Targets India's Critical Infrastructure
Seqrite: Campaign Apparently Has Ties to Pakistan
Researchers at Seqrite, the enterprise arm of Indian security firm Quick Heal, say they have uncovered a second wave of an advanced persistent threat campaign dubbed "Operation SideCopy" - with apparent ties to Pakistan - which is now targeting high-profile targets in India's telecom, power and finance sectors with spear-phishing.
The campaign first appeared in 2019, the researchers say. Seqrite attributes Operation SideCopy to the Pakistan-backed Transparent Tribe group, which it says is waging an espionage campaign against India's Home and Defense ministries as well as government contractors.
The researchers at Seqrite first exposed the operations of Operation SideCopy in 2020 (see: Hackers Target India's Military).
The Transparent Tribe group targets India, Afghanistan and other countries by using malicious tools, including a remote access Trojan called Crimson, according to a report by Kaspersky (see: APT Group Targeting Military Refines Its Tactics).
Researchers at Seqrite say they alerted the Indian government authorities to the latest campaign and are working with them to keep potential targets safe. The researchers say the latest APT campaign is a highly organized operation designed to evade most security mechanisms.
"This new finding has revealed that Operation SideCopy has expanded its target list to critical infrastructure. As part of the investigation, Seqrite researchers have discovered potential links between Operation SideCopy and its operators to Pakistan," researchers say in a report.
The APT group starts its campaign with spear-phishing emails. Phishing lures include a document on the implications of a U.S./China trade deal as well as COVID-19 themes, Seqrite reports.
The attackers attempt to lure targets into extracting an attached zip archive. Upon extraction, the user sees what appears to be a document but is in fact an extension-spoofed Windows shortcut (LNK) file.
"If the user opens the document, the LNK payload gets launched and initiates the malicious activities in the background. To ensure the user is not suspicious, a decoy document is presented to the user," the report says. Once the LNK file is launched, it downloads an HTA (HTML Application) payload from a compromised domain and executes it.
"This HTA file is responsible for showing the decoy document to the user. In addition, it drops an executable of LimShell on disk and executes it. Most of the backdoors used in this campaign are variants of NJRat; however, in one specific case, we came across a new payload written in C# which installs an implant that helps the attacker examine the target and install other backdoors," researchers note.
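As an added illustration of how a defender can triage the delivery stage described above (this is example code, not Seqrite's tooling), the following script unpacks a zip archive in memory and flags members that are shortcuts in disguise: a document-looking name with a trailing .lnk that Explorer would hide, or a file whose content starts with the MS-SHLLINK header regardless of its extension. The archive contents and file names are constructed for the example.

```python
import io
import zipfile

# MS-SHLLINK header: HeaderSize 0x0000004C followed by LinkCLSID
# 00021401-0000-0000-C000-000000000046 (Data1..3 little-endian).
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf"}


def looks_like_lnk(head: bytes) -> bool:
    """True if the leading bytes carry the Shell Link header, whatever the name says."""
    return head[:len(LNK_MAGIC)] == LNK_MAGIC


def classify(name: str, head: bytes):
    """Return a reason string if a member resembles an extension-spoofed LNK, else None."""
    lower = name.lower()
    stem, _, ext = lower.rpartition(".")
    ext = "." + ext if ext else ""
    inner = "." + stem.rpartition(".")[2] if "." in stem else ""
    if ext == ".lnk" and inner in DOC_EXTS:
        # Explorer never displays .lnk, so "x.pdf.lnk" is shown to the user as "x.pdf"
        return "document name with hidden .lnk extension"
    if looks_like_lnk(head) and ext != ".lnk":
        return "Shell Link header under a non-.lnk extension"
    if looks_like_lnk(head) or ext == ".lnk":
        return "shortcut file delivered inside archive"
    return None


def scan_archive(zip_bytes: bytes):
    """Return [(member name, reason)] for suspicious members of an in-memory zip."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            head = zf.open(info).read(len(LNK_MAGIC))  # only the header is needed
            reason = classify(info.filename, head)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample (not a real lure): two spoofed LNKs beside two benign files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Trade_Deal_Implications.pdf.lnk", LNK_MAGIC + b"\x00" * 40)
        zf.writestr("Covid_Advisory.docx", LNK_MAGIC + b"\x00" * 40)
        zf.writestr("Trade_Deal_Implications.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("notes.txt", b"benign text")
    return buf.getvalue()
```

Running `scan_archive(build_sample_archive())` reports the two spoofed members and leaves the real PDF and text file alone; the same header check works on files already extracted to disk.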
An analysis of the attack chain, the command-and-control server communication and the available telemetry data identified some compromised websites that are being used to host the attack scripts and act as C2 servers, the researchers say.
According to the Seqrite white paper on the attack, further analysis of data accessible from some C2 servers led researchers to an IP address that was commonly found across different C2 servers. In fact, this IP address turned out to be the first entry in many logs, which indicated that the corresponding system is likely being used for testing the attack before launch.
The APT group has enhanced its attack tools and methods since last year to make detection more difficult, Seqrite researchers say.
The final payload can capture sensitive information, including screenshots, keystrokes and files. In addition, it can execute commands specified as part of instructions from C2 servers.
"This shows that this attack group is well funded and is actively improving its attack mechanisms to infiltrate the target entities. The group can potentially steal critical intel from government agencies and their bodies. They can even use that information to make more lures and target other government departments," the researchers note.
Links to Pakistan
The provider of an IP address used for the campaign is Pakistan Telecommunication Company Ltd., the researchers say, adding to evidence that the campaign originates in Pakistan.
"The list of high-profile targets that were identified through the analyzed C2s is likely only a subset of targets, since there are several other C2s being used in Operation SideCopy APT, which are probably targeting other entities," the report says.