An APT group has been identified targeting India’s defense forces and armed forces personnel under a campaign dubbed Operation Sidecopy since as early as 2019. This APT group has been linked to several campaigns and attacks in the past year.
What was discovered?
Recently, Seqrite researchers discovered that the threat actors have been confusing security researchers by copying TTPs usually implemented by the Sidewinder APT group.
The threat actors have been constantly developing and updating malware modules and deploying the updated versions after analyzing the reconnaissance of the victim’s data and environment.
It is suspected that the APT group behind the Operation Sidecopy campaign has potential connections with the Pakistan-based Transparent Tribe group.
How do they operate?
Starting with phishing emails, the attackers use a template injection attack and equation editor vulnerability (CVE-2017-11882) as the initial infection vector.
Attackers also use a backdoor module, data exfiltration tricks, and the DLL sideloading technique through the CactusTorch toolkit and other legitimate tools (dnSpy, MSHTA, and Credwiz).
Why is Transparent Tribe a suspect?
One of the signature traits that Seqrite believes can be traced to Pakistan’s Transparent Tribe (aka APT36) is the remote server that the collective uses.
The APT has been involved in intelligence collection operations against the Indian government and military personnel, recently.
In August, the group was observed targeting government and military organizations in India and Afghanistan by infecting USB devices.
In July, Transparent Tribe was using honey trapping techniques to lure their victims in defense organizations and other government organizations in India.
