Goodbye HTA, Hello MSI: New TTPs and Clusters of an APT driven by Multi-Platform Attacks

The Seqrite Labs APT team has identified significant advancements in the tactics of the Pakistan-linked SideCopy APT group, which now targets a broader range of sectors, including railways, oil & gas, and external affairs, in addition to its previous targets in India. The group has shifted from HTA files to MSI packages for payload delivery, a marked evolution in its operational methods that also includes the use of multiple remote access trojans (RATs) and credential phishing. Affected: Indian Government, Defence, Railways, Oil & Gas, Higher Education.

Key points:

  • Pakistan-linked SideCopy APT has broadened its targeting beyond Indian government sectors to include railways, oil & gas, and ministries of external affairs.
  • Transition from HTML Application (HTA) files to Microsoft Installer (MSI) packages as a primary delivery method.
  • The group employs advanced techniques such as DLL side-loading, reflective loading, and AES decryption via PowerShell.
  • Utilization of multiple remote access trojans (RATs), including newly identified CurlBack RAT, Xeno RAT, and Spark RAT.
  • Deployment of phishing emails and compromised legitimate domains for credential theft.
  • Closer analysis reveals the use of decoy documents related to legitimate government programs for broader deception.
  • Continuing evolution of tactics and the sophistication of operations targeting both Windows and Linux systems.

MITRE Techniques:

  • T1589.002: Gather Victim Identity Information: Email Addresses (using compromised government email accounts).
  • T1566.002: Phishing: Spearphishing Link (deployment of malicious links in emails).
  • T1106: Native API (manipulation of Windows APIs to evade detection).
  • T1129: Shared Modules (utilization of shared modules for execution).
  • T1204.001: User Execution: Malicious Link (users tricked into executing malicious payloads).
  • T1053.003: Scheduled Task/Job: Cron (setting tasks for persistence).
  • T1548.002: Bypass User Account Control (circumventing UAC for privilege escalation).
  • T1036.005: Masquerading: Match Legitimate Name or Location (disguise of malicious files).
  • T1218.005: System Binary Proxy Execution: Mshta (using mshta to evade detection).
  • T1041: Exfiltration Over C2 Channel (transmission of data back to C2 servers).
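The shift from HTA to MSI delivery noted above changes what a defender should hunt for in process-creation telemetry: mshta.exe pulling an HTA from a URL or a user-writable path (T1218.005), and msiexec.exe quietly installing a package from Downloads, AppData or Temp (T1218.007, the Msiexec sub-technique, which the summary does not list). The following is an added illustration, not code from Seqrite or the report; the log lines, the simplified "parent|image|cmdline" event format and the path/flag heuristics are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample process-creation events (not taken from the report).
# Format assumed here: "parent image|full image path|command line".
SAMPLE_EVENTS = [
    "explorer.exe|C:\\Windows\\System32\\mshta.exe|mshta.exe https://example.invalid/update.hta",
    "explorer.exe|C:\\Windows\\System32\\msiexec.exe|msiexec.exe /i C:\\Users\\u\\Downloads\\Invoice.msi /qn",
    "services.exe|C:\\Windows\\System32\\msiexec.exe|msiexec.exe /V",
    "explorer.exe|C:\\Windows\\System32\\msiexec.exe|msiexec.exe /i C:\\Program Files\\Vendor\\setup.msi",
    "explorer.exe|C:\\Windows\\System32\\mshta.exe|mshta.exe C:\\Users\\u\\AppData\\Local\\Temp\\a.hta",
]

# Locations a standard user can write to; packages launched from here are suspect.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(Downloads|AppData)|Temp|ProgramData)\\", re.I)
# A URL or UNC path as an argument (mshta fetching remote content).
REMOTE_SOURCE = re.compile(r"(?:^|\s)(https?://|\\\\)\S+", re.I)
# msiexec quiet/basic-UI switches (/q, /qn, /qb) used to suppress the install dialog.
QUIET_FLAG = re.compile(r"(?:^|\s)/q[nb]?\b", re.I)


@dataclass
class Alert:
    technique: str
    reason: str
    cmdline: str


def analyze(event: str) -> Optional[Alert]:
    """Return an Alert for one event, or None if it looks benign."""
    parent, image, cmdline = event.split("|", 2)
    name = image.rsplit("\\", 1)[-1].lower()
    if name == "mshta.exe" and (REMOTE_SOURCE.search(cmdline) or USER_WRITABLE.search(cmdline)):
        return Alert("T1218.005", "mshta launching HTA from URL or user-writable path", cmdline)
    if name == "msiexec.exe" and USER_WRITABLE.search(cmdline) and QUIET_FLAG.search(cmdline):
        # The MSI service itself (parent services.exe) re-spawns msiexec legitimately.
        if parent.lower() != "services.exe":
            return Alert("T1218.007", "quiet MSI install from user-writable path", cmdline)
    return None


def scan(events: List[str]) -> List[Alert]:
    """Run analyze() over a batch of events and keep only the hits."""
    return [a for a in (analyze(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.technique}] {alert.reason}: {alert.cmdline}")
```

Tune USER_WRITABLE and the parent-process exclusion to your environment before deploying; legitimate self-updaters also install quietly from AppData.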

Indicators of Compromise:

  • [Hash] a5410b76d0cb36786e00d2968d3ab6e4
  • [Hash] f404496abccfa93eed5dfda9d8a53dc6
  • [Hash] 0e57890a3ba16b1ac0117a624f262e61
  • [Domain] egovservice.in
  • [C2] 79.141.161[.]58:1256


Full Story: https://www.seqrite.com/blog/goodbye-hta-hello-msi-new-ttps-and-clusters-of-an-apt-driven-by-multi-platform-attacks/
