SideCopy, a Pakistani threat actor, has been targeting the Indian and Afghan governments with espionage attacks. The group has stolen sensitive Google, Twitter, and Facebook credentials and access to government portals. SideCopy is suspected to be a subgroup of APT36.

What has happened?

According to Malwarebytes, the group tried to mimic the infection chains of another group, SideWinder, to mislead attribution. 
  • SideCopy APT group specifically curated malicious files to target government and military officials from India and Afghanistan.
  • The attacks targeted personnel working with the Administration Office of the President of Afghanistan, Ministry of Finance, Ministry of Foreign affairs, and the National Procurement Authority.
  • The attackers stole Office documents holding numbers, names, and email addresses of officials, as well as databases of identity cards, diplomatic visas, and asset registrations from Afghan websites.
  • They also stole social media passwords and password-protected documents from targets in Afghanistan.
  • Additionally, they hacked shared computers in India and collected credentials from education and government services.

All of the stolen information could be used in future decoys or further attacks against the targeted individuals.

The operational aspect

  • The group used archive files containing LNK files, Microsoft Publisher documents, or trojanized applications as lures to target its victims.
  • The campaign tricked users into opening a document, which led to the execution of a loader that drops a next-stage remote access trojan named ActionRAT, which has multiple capabilities.
  • Moreover, the loader was used to drop a new information stealer, AuTo Stealer, which collects PDF documents, Office/text/database files, and images before sending the info over HTTP or TCP.
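A triage check a defender can run on inbound archives of the kind described above, added here as an example and not taken from the Malwarebytes report or from Cyware: it flags archive members that carry a shortcut or Publisher extension, or whose leading bytes are the Windows shortcut (LNK) header regardless of the file name. The sample archive is constructed inline; the file names in it are invented.

```python
import io
import os
import zipfile

# A Windows shortcut starts with HeaderSize 0x0000004C followed by the
# ShellLink CLSID {00021401-0000-0000-C000-000000000046} in little-endian layout.
LNK_HEADER = bytes.fromhex("4C0000000114020000000000C000000000000046")

# Extensions matching the lure types the campaign is reported to use.
SUSPICIOUS_EXTENSIONS = {".lnk", ".pub"}


def inspect_archive(data: bytes) -> list[dict]:
    """Return one finding per suspicious member of a ZIP archive given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = os.path.splitext(name)[1].lower()
            head = zf.open(info).read(len(LNK_HEADER))
            is_lnk = head.startswith(LNK_HEADER)
            reasons = []
            if ext in SUSPICIOUS_EXTENSIONS:
                reasons.append(f"extension {ext}")
            if is_lnk and ext != ".lnk":
                reasons.append("LNK header under a non-.lnk name")  # disguised shortcut
            elif is_lnk:
                reasons.append("LNK header")
            if ext == ".lnk" and name.count(".") >= 2:
                reasons.append("double extension")  # e.g. report.pdf.lnk
            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive: one benign member and three lure-like members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "benign text")
        zf.writestr("Agenda.pdf.lnk", LNK_HEADER + b"\x00" * 40)
        zf.writestr("memo.pub", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
        zf.writestr("image.jpg", LNK_HEADER + b"\x00" * 40)  # shortcut hiding as an image
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_archive()):
        print(finding["name"], "->", ", ".join(finding["reasons"]))
```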

Conclusion

Nation-state actors are known to target their adversaries in geographical regions aligned with their interests. SideCopy appears to be doing the same and is expected to continue its operations. Government entities are therefore advised to invest more in security and to stay vigilant against such threat groups.

Cyware Publisher