SideCopy, the Pakistan-based advanced-persistent threat (APT) group whose accounts were recently disabled by Facebook for targeting Afghanistan, has also targeted Indians — specifically defence personnel, Malwarebytes, an American Internet security company said.
In a blog post titled, “SideCopy APT: Connecting lures to victims, payloads to infrastructure”, Hossein Jazi, a threat intelligence analyst at Malwarebytes said that Indian defence personnel including the Indian Army and National Cadet Corps (NCC) were targeted using archive (zip) files embedded with malicious applications. These files were —
- Designed and crafted to target specific victims
- Romantic lures
Through these lures, in one instance Malwarebytes was able to find that SideCopy had gained access to a machine and “collected a lot of credentials from government and education services”. This was the only instance where Malwarebytes provided India-specific details in regards to what data was exfiltrated.
Such cyber attacks point to an emerging trend of a country’s critical infrastructure such as defence, power, and so on, being targeted. They also raise questions on the cybersecurity awareness of government and military officials.
Those who read MediaNama are ahead of the curve. Support our journalism by subscribing here.
Pakistani group targeted Indian defence personnel with file names such as nisha.zip
Using romantic lures, which also find a mention in Facebook’s announcement about banning SideCopy from the platform, the Pakistan-based APT group targeted Indian defence personnel with archive file names such as —
- nisha.zip: This file contain a list of images with .3d extension and a malicious Trojan application named 3Dviewer.exe, which needed to be executed to load and view images, Jazi said in the blog post.
- image-random number.zip and WhatsApp-image-random number.zip: “These zip files contain a malicious link file that shows a girl picture as a decoy,” the post said.
The targeted lures for Indian government or defence personnel consisted of these file names —
address-list-ere-update-sep-2021.zip: Malwarebytes said that this archive file contained a malicious file, with a decoy PDF listing email facility with addresses of an Indian defence unit. “This lure seems to be used to target the Indian Army and National Cadet Corps of India,” Malwarebytes said.
- NCERT-NCF-LTV-Vislzr-2022.zip: This archive file too, like the previous one, contained a malicious link with a decoy PDF. “The decoy is a curriculum of the course named “Living the values, a value-narrative to grass-root leadership” offered by NCERT (National Council of Educational Research and Training of India),” Malwarebytes said.
A look into SideCopy’s infrastructure
Malwarebytes researchers gained access to the main command and control server used by the attacker to send the malicious files. They discovered that the server has four users with English names: Hendrick, Alexander, Hookes, and Malone.
The system has a dashboard that shows all the infected machines. “Each row in the dashboard shows one package and its statistics which includes the IP address of the victim, package name, OS version, User-Agent, browser information, country and victim status,” Jazi said in the blog.
India affected by Russian govt-backed Gmail phishing campaign
India, apart from the United States of America and the United Kingdom, was one among the most affected countries that were allegedly targeted by a Russian government-backed APt28/Fancy Bear Gmail phishing campaign, according to a report by Google’s Cybersecurity Action Team.
The report, a first of its kind, said that Google’s Cybersecurity Action Team observed a large-scale attack of a credential phishing campaign targeting more than 12,000 Gmail accounts by this threat actor. Fancy Bear earlier used to target Yahoo! and Microsoft users, the report said. Other countries that were targeted include Canada, Russia, Brazil, and members of the European Union.
- Ransomware gang goes offline as govt agencies hack its network in a tit-for-tat operation
- Acer India hit by ransomware attack, over 60 GB of files and databases stolen
- Pine Labs becomes latest victim of ransomware attack, 500,000 unique records exposed: Report
- Accenture becomes latest victim of a ransomware attack, but says no disruption to operations
- Tech giants Amazon, Google, and Microsoft partner with US cyber team to counter ransomware attacks
Have something to add? Subscribe to MediaNama here and post your comment.