Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Social Engineering

SideCopy APT Targets India's Premier Defense Research Agency

SideCopy APT Used Decoy Documents in Spear-Phishing Attack on DRDO
SideCopy APT Targets India's Premier Defense Research Agency
Visitors to Aero India 2019 rest in the shade outside the DRDO hall. (Source: Shutterstock)

Security researchers uncovered a Pakistani cyberespionage group employing fresh tactics to target workers at India's Defense Research and Development Organization and steal sensitive military secrets.

See Also: OnDemand | Combatting Rogue URL Tricks: How You Can Quickly Identify and Investigate the Latest Phishing Attacks

Cybersecurity startup Cyble says Pakistani cyberespionage group SideCopy APT is apparently targeting the Indian government's premier defense technology research agency.

The researchers tracked SideCopy APT's use of research material as a decoy to plant info-stealing malware. DRDO uses its network of 52 laboratories across India and a pool of more than 5,000 scientists to develop, test and supply cutting-edge military technologies to the Indian armed forces.

SideCopy APT traditionally uses spear-phishing to gain initial entry. Emails in the latest campaign purportedly contain research material about military technologies sent as attachments.

Cyble said a phishing email sent to a DRDO worker carried a malicious zip attachment that contained a LNK file named DRDO - K4 Missile Clean room.pptx.lnk. The K-4 is a nuclear-capable submarine-launched ballistic missile developed by DRDO.

This phishing attack differed from other attacks because the zip file contained a PowerPoint file with actual information about the K-4 missile. The infection chain begins with the user extracting the file and running the .lnk file. That downloads an HTML application that opens the slide presentation.

It also begins a concatenation operation involving multiple HTML applications that ultimately results in dropping a variant of the Action Rat Malware whose files are loaded into the operating system with names that mimic essential Windows components.

The malware's capabilities include obtaining or retrieving information about specific files and available drives, installing additional payloads and transmitting files to the command-and-control server.

Cyble researchers told Information Security Media Group that SideCopy APT emulates the tactics of Sidewinder APT, a threat group believed to have Indian roots. "This group has been observed to target government and military officials in India and Afghanistan specifically and continuously evolves its techniques while incorporating new tools into its arsenal," they said.

SideCopy APT previously targeted the Indian Army, the National Cadet Corps of India and the National Council of Educational Research and Training using similar tactics (see: Report: SideCopy APT Used New Tactics in Recent Attacks).

Malwarebytes found in 2021 that the group had targeted Indian Army entities using a decoy PDF file named "Email facility address list of the ERE units: 20 Sept 2021." The threat group used the decoy file “Living the values, a value-narrative to grass-root leadership" when it targeted NCERT.


About the Author

Jayant Chakravarti

Jayant Chakravarti

Senior Editor, APAC

Chakravarti covers cybersecurity developments in the Asia-Pacific region. He has been writing about technology since 2014, including for Ziff Davis.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.asia, you agree to our use of cookies.