SideCopy APT Targeting Indian Defense and Research Organization

Category: Threat Actor Activity | Industries: Defense, Research | Level: Tactical | Source: Cyble

A threat actor based in Pakistan, known as SideCopy APT, is actively focusing its efforts on targeting the Indian government's "Defence Research and Development Organisation." The Defence Research and Development Organisation (DRDO) is a government agency responsible for the research and development of advanced technologies intended for use by the Indian Armed Forces. Its primary focus is to develop state-of-the-art defense systems, such as missiles, radars, electronic warfare, and communication systems, as well as naval and aerospace systems.

SideCopy APT's latest campaign aims to drop a variant of the Action Remote Access Trojan (RAT). The infection chain begins from a spam email using a weaponized link to download a compressed zip file. Within the zip file, a shortcut (LNK) file and HTA file are housed to execute “mshta.exe” in order to connect to a remote address to fetch and run the retrieved HTA file. After dropping the required files onto the victim's system, the "cridviz.exe" process is started, which then proceeds to load the malicious payload "Duser.dll" through sideloading. The RAT can then proceed to gather information on the infected host, execute commands, exfiltrate data and communicate with the attacker's command and control (C2) server.

Anvilogic Scenario:

• HTA Payload Drop

Anvilogic Use Cases:

• MSHTA.exe execution
• Executable Create Script Process
• New AutoRun Registry Key

‍