Hackers Target India's Military
Researchers Say 'Operation SideCopy' Uses Phishing, Malware to Steal Data
A recently uncovered hacking campaign is targeting India’s defense forces, including individual soldiers, with phishing emails and malware designed to steal data, according to Seqrite Cyber Intelligence Lab.
The campaign, dubbed "Operation SideCopy," may have started early in 2019 and appears to be ongoing, says Seqrite, the enterprise arm of security firm Quick Heal.
Hackers are deploying phishing emails and spam that use logos and other images from official Indian government websites to make the malicious messages appear authentic and to entice victims to click, according to the report.
The Seqrite report also notes that the hackers are continually changing and developing the malware to help avoid detection.
"The threat actors continuously change samples, though the attack tactics, techniques and procedures remain the same," Himanshu Dubey, director at Quick Heal Security Labs, tells Information Security Media Group. "We are constantly monitoring new variants and changes to malware code and the command and control servers."
Seqrite researchers have alerted India’s government about the campaign.
Starts With Phishing
The Operation SideCopy campaign’s phishing emails sometimes contain a Microsoft LNK shortcut file inside a zip or rar archive, according to the report. In some cases, the files are given document-like names such as "Defence Production Policy 2020.docx.lnk" to entice the recipient into opening them.
The LNK files sometimes open a decoy document disguised as an official Indian statement about the defense forces, or "honey trap" images of women. The decoy masks the malicious code that is downloaded in the background to install the malware.
"Once opened, the malware runs in the system's memory and gradually downloads and installs other components, eventually stealing user data and uploading it to attacker-controlled servers," according to the report. "This attack made use of Dynamic Link Library-Sideloading technique. A legitimate Microsoft system process (credwiz.exe) was used to run malware via sideloading technique. After infiltrating the victim’s machine, the malware immediately restarts the victim's device to clear initial infection traces."
In other cases, instead of using LNK files, the hackers send phishing emails carrying malware that exploits a vulnerability in Microsoft Equation Editor, an Office component. From there, the attackers download their primary payload, according to the report.
Once the hackers establish a foothold within a device, they typically deploy other types of malware, mainly remote access Trojans, which create a backdoor, connect to a command-and-control server and perform other functions, such as exfiltrating data, the researchers discovered.
One RAT, built on the .NET framework, is used for a variety of functions, including downloading and executing files, uploading files, running processes, deleting files, renaming files and creating directories.
Links to Pakistan?
Some of the modules used to create the malware deployed in this campaign are similar to malicious code used by an advanced persistent threat group called "Sidewinder" that has been linked to hackers from India, according to the report.
But Seqrite researchers also noticed that much of the command-and-control infrastructure was hosted on Contabo GmbH, a hosting provider that is currently favored by threat actors based in Pakistan.
The Seqrite researchers believe that hackers using this hosting provider have connections to a well-established threat group called "Transparent Tribe." That group targets India, Afghanistan and other countries with malicious tools, including a RAT called Crimson that is also built on .NET, according to a report by Kaspersky (see: APT Group Targeting Military Refines Its Tactics).