
Pakistani APT group attacks India’s public sector infrastructures

  • Active since 2019, ‘Operation SideCopy’ appears to be a cyber espionage campaign by the Pakistan-backed Transparent Tribe group against critical Indian departments such as defence and home affairs, and against government contractors.
  • The latest attacks use Covid-19 as a lure; the e-mail content tries to persuade the user to extract the attached zip archive.
  • Seqrite has alerted the government authorities and is working with them to keep potential targets safe.

Seqrite, the enterprise arm of Quick Heal Technologies, has come across a new wave of the Operation SideCopy cyber espionage campaign, run by a Pakistani APT group and aimed at high-profile targets in critical infrastructure public sector enterprises from the telecom, power and finance sectors.

Researchers at Seqrite first exposed Operation SideCopy in September 2020, when it was targeting Indian defence units.

The campaign has been active since 2019, and the new findings show that Operation SideCopy has expanded its target list to critical infrastructure. As part of the investigation, the researchers also discovered potential links between Operation SideCopy, its operators and Pakistan.

The APT group has since added new malware tools to its arsenal. A further attack campaign, discovered in March 2021, was part of the wider SideCopy operation; that spear-phishing campaign used the Army Welfare Education Society’s scholarship form as a lure.

Choosing targets carefully

The latest attacks use Covid-19 as a lure: the e-mail content tries to persuade the user to extract the attached zip archive.

On extraction, the user sees what appears to be a document file. It is in fact a Windows shortcut (LNK) file with a spoofed extension: because Windows Explorer hides the .lnk suffix by default, a shortcut whose name ends in a document extension is displayed as if it were that document.

If the user opens the apparent document, the command embedded in the LNK file runs and starts the malicious activity in the background. To avoid raising the user’s suspicion, a decoy document is displayed at the same time.
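The attachment described above can be screened before it reaches a user. The following is an added example, not code from the original article or from Seqrite: it opens a zip attachment in memory, checks each entry for the fixed ShellLink header that every genuine .lnk file starts with, and flags shortcuts whose name carries a document extension in front of .lnk (the spoofing Explorer hides). The archive contents, including the file name "Covid-19 Advisory.pdf.lnk", are constructed for the example and are not indicators from the campaign.

```python
import io
import zipfile
from dataclasses import dataclass
from typing import List

# Every genuine Windows shortcut starts with the ShellLink header:
# HeaderSize 0x0000004C followed by the fixed LinkCLSID
# 00021401-0000-0000-C000-000000000046 (both stored little-endian).
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")

# Extensions an attacker places in front of ".lnk" so the shortcut looks
# like a document in Explorer, which hides the .lnk suffix by default.
DOC_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "txt"}


@dataclass
class Finding:
    name: str     # entry name inside the archive
    reason: str   # why the entry is suspicious


def inspect_archive(zip_bytes: bytes) -> List[Finding]:
    """Flag zip entries that are LNK shortcuts, in particular ones whose
    name is spoofed to look like a document (e.g. name.pdf.lnk)."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            has_lnk_header = head == LNK_MAGIC
            named_lnk = parts[-1] == "lnk"

            if named_lnk and len(parts) >= 3 and parts[-2] in DOC_EXTENSIONS:
                findings.append(Finding(
                    info.filename,
                    "shortcut with a spoofed document extension "
                    f"(Explorer displays it as a .{parts[-2]} file)"))
            elif has_lnk_header and not named_lnk:
                findings.append(Finding(
                    info.filename,
                    "ShellLink header but the name does not end in .lnk"))
            elif has_lnk_header or named_lnk:
                findings.append(Finding(
                    info.filename,
                    "shortcut file delivered inside an archive attachment"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample attachment (hypothetical names): a spoofed
    shortcut plus a harmless PDF. The LNK body is padding here; a real
    one would carry the command that launches the payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Covid-19 Advisory.pdf.lnk", LNK_MAGIC + b"\x00" * 64)
        zf.writestr("Guidelines.pdf", b"%PDF-1.4\n% harmless document\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_archive()):
        print(f"{finding.name}: {finding.reason}")
```

The header check matters because mail gateways that only look at the final extension are easily bypassed by renaming; checking the first 20 bytes of each entry catches a shortcut whatever it is called, and the double-extension rule catches the specific trick this campaign relies on.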

The APT group chooses its targets carefully, upgrades the tools in its arsenal according to the target, and relies on limited but effective functionality to stay evasive.

Most of the backdoors used in the campaign are NJRat; in one specific case, however, the researchers came across a new payload written in C#, which installs an implant that lets the attacker examine the target and install further backdoors.

Leveraging compromised websites

According to the Seqrite report, the threat actors were leveraging compromised websites that resemble the websites the targeted organisations would normally access, which shows that the attackers carried out detailed reconnaissance before launching the campaign.

Through thorough analysis of the attack chain, the command-and-control (C2) server communication and the available telemetry data, the researchers at Seqrite identified several compromised websites that were being used to host the attack scripts and to act as C2 servers.

Further analysis of data accessible from some of the C2 servers led the researchers to an IP address that appeared across several different C2 servers.

In fact, this IP address was the first entry in many of the logs, which indicates that the corresponding system was probably used to test the attack before launch.

A further lookup of that IP, using data from whatismyipaddress.com, showed that its provider is Pakistan Telecommunication Company Limited (PTCL). This further strengthens the claim that Operation SideCopy, which is run by the Transparent Tribe group, originates in Pakistan.
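The correlation the researchers describe, an address that both recurs across C2 servers and opens their logs, is straightforward to automate once the web-server access logs have been recovered. The following is an added example and not Seqrite’s own tooling: it parses combined-format access logs from several hypothetical compromised sites, records which client IP is the first entry in each log and which IPs appear in more than one log, and ranks the candidates. The site names and log lines are constructed for the example, and all addresses come from the RFC 5737 documentation ranges, so none of them is a real indicator.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Prefix of the Apache/nginx combined log format:
# client IP, identity, user, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Constructed access logs for three hypothetical compromised sites used as C2s.
# Each list is in the order the web server wrote it (chronological).
C2_LOGS: Dict[str, List[str]] = {
    "site-a.example": [
        '203.0.113.7 - - [01/Mar/2021:08:02:11 +0000] "GET /assets/stage.hta HTTP/1.1" 200 4096',
        '203.0.113.7 - - [01/Mar/2021:08:03:40 +0000] "POST /assets/beacon.php HTTP/1.1" 200 12',
        '198.51.100.21 - - [03/Mar/2021:10:15:02 +0000] "GET /assets/stage.hta HTTP/1.1" 200 4096',
        '192.0.2.50 - - [03/Mar/2021:12:40:09 +0000] "GET /robots.txt HTTP/1.1" 404 153',
    ],
    "site-b.example": [
        '203.0.113.7 - - [02/Mar/2021:07:55:30 +0000] "GET /img/update.hta HTTP/1.1" 200 4100',
        '198.51.100.34 - - [04/Mar/2021:09:01:12 +0000] "GET /img/update.hta HTTP/1.1" 200 4100',
        '192.0.2.50 - - [04/Mar/2021:11:20:45 +0000] "GET /robots.txt HTTP/1.1" 404 153',
    ],
    "site-c.example": [
        '203.0.113.7 - - [02/Mar/2021:16:12:03 +0000] "GET /js/loader.hta HTTP/1.1" 200 3980',
        '198.51.100.77 - - [05/Mar/2021:08:44:51 +0000] "GET /js/loader.hta HTTP/1.1" 200 3980',
    ],
}


@dataclass
class Candidate:
    ip: str
    first_in: List[str] = field(default_factory=list)  # sites whose log this IP opens
    seen_in: List[str] = field(default_factory=list)   # sites whose log contains this IP


def client_ip(line: str) -> Optional[str]:
    """Return the client address from one access-log line, or None if unparseable."""
    m = LOG_RE.match(line)
    return m.group("ip") if m else None


def rank_candidates(logs: Dict[str, List[str]]) -> List[Candidate]:
    """Rank IPs by how many C2 logs they open and how many they appear in.
    An address that is first in most logs and present in all of them is the
    operator's own test system rather than a victim."""
    by_ip: Dict[str, Candidate] = {}
    for site, lines in logs.items():
        ips = [ip for ip in (client_ip(line) for line in lines) if ip]
        if not ips:
            continue
        for ip in dict.fromkeys(ips):  # unique addresses, order preserved
            by_ip.setdefault(ip, Candidate(ip)).seen_in.append(site)
        by_ip[ips[0]].first_in.append(site)
    return sorted(by_ip.values(),
                  key=lambda c: (-len(c.first_in), -len(c.seen_in), c.ip))


def present_in_every_log(logs: Dict[str, List[str]]) -> List[str]:
    """Addresses that appear in all of the supplied C2 logs."""
    return [c.ip for c in rank_candidates(logs) if len(c.seen_in) == len(logs)]


if __name__ == "__main__":
    for cand in rank_candidates(C2_LOGS):
        print(f"{cand.ip:15} first in {len(cand.first_in)} logs, seen in {len(cand.seen_in)}")
```

Two caveats a practitioner would apply before drawing the conclusion the article draws: the logs must be complete from the moment the site was compromised, since a rotated or truncated log makes an ordinary visitor look like the first entry, and a recurring address could also be a scanner or a security vendor’s sandbox, so the provider lookup and the timing of the first hit relative to the phishing wave are what turn the correlation into evidence.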

The report also lists the targets identified through the analysed C2s, which include critical infrastructure in the telecom, power and finance sectors. This is probably only a subset of the targets, since several other C2s are used in the Operation SideCopy APT campaign and are likely targeting other entities.

Seqrite has alerted the government authorities and is working with them to keep potential targets safe.


Discover more from TechChannel News
