Threat Actor SideCopy
About
SideCopy APT, active since at least 2019, is a Pakistani threat actor group, targeting many South Asian countries especially India and Afghanistan. Reportedly, it has similarities with Transparent Tribe, APT36, and may be a subdivision of this actor. They generally use archive files as lures, that contains some embedded files like, Lnk, Microsoft Publisher or Trojanized Applications. The lures are of two types:
- Targeted lures- They are specially designed and crafted to target specific victims, such as, government or military officials.
- Generic lures- As the name suggests, they are generic like those used in spam campaign to collect emails and credentials that can help the actor performing their targeted attack. These are the ones named as " romantic lures" in a Facebook report.
Attack Method
SideCopy uses spear-phishing email as its main attack tactic. They lure their victims to click on a link containing an attached malicious file. This way they can start corrupting the system and collect desired information.
They disguise the downloader as a short file, and send it to the victims via phishing emails. When the victims decompress and execute the bait file, the program downloads the data file from the remote server to the local machine, decrypt, and execute it, ultimately loading the remote control software AckRAT.
Prevention
In order to overcome such attacks a highly advanced cybersecurity program must be utilized. It should also contain some of the most advanced security solutions, email as well as web content filtering, antiviruses, and threat hunting measures. Application of Zero Trust Model, Multifactor Authentication, in-depth defense, etc., are a must to prevent and mitigate the potential damage done by SideCopy.
Comments
Post a Comment