A Pakistan-linked threat actor successfully socially engineered several ministries in Afghanistan and a shared government computer in India, stealing Google, Twitter, and Facebook credentials from its targets and quietly gaining access to government portals.
The latest findings from Malwarebytes detail the new tactics and tools used by the APT group known as SideCopy, so named because it mimics the infection chains of another group tracked as SideWinder in order to mislead attribution.
Hossein Jazi, a Malwarebytes researcher, stated, “the lures used by SideCopy APT are usually archived files that have embedded one of these files: LNK, Microsoft Publisher or Trojanized Applications.” He added that the embedded files are tailored to Afghan and Indian government and military officials.
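A practitioner triaging mail attachments can turn the lure description above into a simple check. The following Python script is an added example, not code from Malwarebytes or from the original article: it opens an archive and flags members whose content is a Windows shortcut (.lnk), an OLE document named as a Publisher file, or a PE executable, going by magic bytes rather than the extension the attacker chose. The sample archive it builds is constructed for illustration and is not a real SideCopy sample; the heuristics (for instance treating `report.pdf.lnk` as a double extension) are the example's own assumptions.

```python
"""Triage check for SideCopy-style lure archives.

Added example, not code from Malwarebytes or the original article. It
inspects an archive's members and flags Windows shortcut (.lnk) files,
Microsoft Publisher (OLE) documents and PE executables by their magic
bytes, regardless of the extension the attacker gave them. The archive
built in make_sample_archive() is constructed here for illustration.
"""
import io
import zipfile
from typing import List, Optional, Tuple

# Fixed 20-byte prefix of a Shell Link (.lnk): HeaderSize = 0x4C followed by
# the LinkCLSID {00021401-0000-0000-C000-000000000046} in little-endian layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
# OLE2 compound document header (used by .pub and legacy Office formats).
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
# DOS/PE executable stub.
PE_MAGIC = b"MZ"

# Extensions users tend to treat as harmless documents or images (assumption).
DECOY_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png")
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".com")


def classify_member(name: str, head: bytes) -> Optional[str]:
    """Return a finding for a suspicious archive member, or None if it looks benign."""
    lower = name.lower()
    if head.startswith(LNK_MAGIC):
        # A shortcut inside a mailed archive is suspicious on its own; one whose
        # visible name ends in a document extension (Agenda.pdf.lnk) more so,
        # because Explorer hides the trailing .lnk by default.
        if lower.endswith(".lnk") and lower[:-4].endswith(DECOY_EXTENSIONS):
            return "LNK shortcut with double extension"
        return "LNK shortcut"
    if head.startswith(OLE_MAGIC) and lower.endswith(".pub"):
        return "Microsoft Publisher document"
    if head.startswith(PE_MAGIC):
        if not lower.endswith(EXECUTABLE_EXTENSIONS):
            return "PE executable disguised with a non-executable extension"
        return "PE executable (possible trojanized application)"
    return None


def scan_archive(data: bytes) -> List[Tuple[str, str]]:
    """Scan an in-memory zip and return (member name, finding) pairs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(32)  # enough for every magic checked above
            verdict = classify_member(info.filename, head)
            if verdict:
                findings.append((info.filename, verdict))
    return findings


def make_sample_archive() -> bytes:
    """Build a constructed lure archive: one decoy text file plus three lure types."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "Meeting notes attached.\n")
        # Shortcut named to look like a PDF; body is the header plus padding.
        zf.writestr("Agenda.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        # Publisher-style OLE container (header only, constructed).
        zf.writestr("Brochure.pub", OLE_MAGIC + b"\x00" * 504)
        # Executable renamed to look like an image (constructed MZ stub).
        zf.writestr("Photo.jpg", PE_MAGIC + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for member, finding in scan_archive(make_sample_archive()):
        print(f"{member}: {finding}")
```

The script reads only the first 32 bytes of each member, so it is cheap to run over a mail gateway's quarantine; anything it flags should go to a sandbox or analyst rather than straight to the user.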
The disclosure follows Meta's recent announcement that it had taken steps to disrupt the group's malicious activity on its platform, where the group used romantic lures to compromise individuals with ties to the Afghan government, military, and law enforcement in Kabul.
The attacks involved the theft of social media credentials and password-protected documents from people linked with the Administration Office of the President (AOP) of Afghanistan, as well as the Ministry of Finance, the Ministry of Foreign Affairs, and the National Procurement Authority. In India, SideCopy compromised a shared computer and harvested credentials belonging to government and educational institutions.
The attacker is also believed to have stolen numerous Microsoft Office documents from Afghan government websites, including the names, email addresses, and phone numbers of officials, as well as databases holding information on identity cards, diplomatic visas, and asset registrations. All of this material could serve as decoy documents in future campaigns or be used to mount further attacks on the individuals themselves.
In the cyber-espionage campaign analyzed by Malwarebytes, the victim opens the lure document, which triggers a loader that drops a next-stage remote access trojan named ActionRAT. ActionRAT can upload files, execute commands received from its server, and download additional payloads.
The loader also drops a new information stealer called AuTo Stealer, which is configured to collect Microsoft Office files, PDF documents, text files, database files, and images before exfiltrating them to its server over HTTP or TCP.
This isn't the first time SideCopy APT's methods have been exposed. In September 2020, the cybersecurity firm Quick Heal disclosed details of an espionage campaign that had targeted Indian defense units and armed forces personnel since at least 2019 with the aim of stealing sensitive information.
Then, in July 2021, Cisco Talos researchers uncovered the group's multiple infection chains delivering custom and commodity remote access trojans, including CetaRAT, Allakore, and njRAT, in what they described as an expansion of malware attacks aimed at Indian entities.