SideCopy APT Targets Indian and Afghan Governments

What has happened?

• SideCopy APT group specifically curated malicious files to target government and military officials from India and Afghanistan.
• The attacks targeted personnel working with the Administration Office of the President of Afghanistan, Ministry of Finance, Ministry of Foreign affairs, and the National Procurement Authority.
• The attackers stole various Office documents, such as numbers, names, email addresses of officials, and databases, including identity cards, diplomatic visas, and asset registrations from Afghani websites.
• They also stole social media passwords and password-protected documents from Afghanistan targets.
• Additionally, they hacked shared computers in India and collected credentials from education and government services.

The operational aspect

• The group used archive files embedded in LNK, Microsoft Publisher, or trojanized applications as lures to target its victim.
• The campaign tricked users into opening a document that led to the execution of a loader that drops a next-stage remote access trojan named ActionRAT, which has multiple features.
• Moreover, the loader was used to drop a new information stealer, AuTo Stealer, which collects PDF documents, Office/text/database files, and images before sending the info over HTTP or TCP.

Conclusion