
FortiGuard Labs Found a File Intended to Spread Malware, Similar to the SideCopy APT Organization

By Esme Greene

Jul 8, 2023
FortiGuard Labs discovered SideCopy-like malware

The file referenced a nuclear missile that was in development as well as a state-run military research institute in India. The group's choice of targets aligns with the aims and objectives of the government of Pakistan.

Getting into specifics

The initial attack vector is believed to be a phishing email carrying the ZIP archive "DRDO-K4-Missile-Clean-room[.]zip". The archive contains three files, two of which are intended to be dropped into a subfolder of the extraction location.
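The lure described above, a decoy document bundled with files that are meant to land in a subfolder, is a pattern that can be checked for at the mail gateway before the archive ever reaches a user. The following inspector is an added example written for this article; it is not code from Fortinet, FortiGuard Labs, or the original post. The page does not give the names of the three files inside the real archive, so the entry names, extension lists and the sample archive below are constructed for illustration only.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Constructed heuristic lists (assumptions, not taken from the article):
# extensions that commonly carry a first-stage payload inside a lure archive,
# and extensions that usually play the role of the decoy document.
PAYLOAD_EXTS = {".exe", ".dll", ".lnk", ".hta", ".js", ".vbs", ".scr", ".bat", ".ps1"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf", ".txt"}


@dataclass
class ArchiveReport:
    entries: list = field(default_factory=list)          # every non-directory entry
    decoys: list = field(default_factory=list)           # document-like entries
    payloads: list = field(default_factory=list)         # executable-like entries
    nested_payloads: list = field(default_factory=list)  # payloads placed in a subfolder
    suspicious: bool = False                             # decoy + payload in one archive


def _ext(name: str) -> str:
    """Lower-cased extension of the last path component, or '' if none."""
    base = name.rsplit("/", 1)[-1]
    i = base.rfind(".")
    return base[i:].lower() if i >= 0 else ""


def inspect_archive(data: bytes) -> ArchiveReport:
    """Classify the entries of an in-memory ZIP and flag the decoy-plus-payload pattern.

    Only the central directory is read; nothing is extracted, so the check is
    safe to run on untrusted attachments.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [info.filename for info in zf.infolist() if not info.is_dir()]
    decoys = [n for n in names if _ext(n) in DECOY_EXTS]
    payloads = [n for n in names if _ext(n) in PAYLOAD_EXTS]
    nested = [n for n in payloads if "/" in n]
    return ArchiveReport(
        entries=names,
        decoys=decoys,
        payloads=payloads,
        nested_payloads=nested,
        suspicious=bool(decoys) and bool(payloads),
    )


def build_archive(files: dict) -> bytes:
    """Build a ZIP in memory from {entry_name: bytes}; used to create test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample lure: one decoy document at the top level and two
# placeholder payload files in a subfolder. The names are invented; the
# contents are inert placeholder bytes, not real malware.
SAMPLE_LURE = {
    "Clean-room.pdf": b"%PDF-1.4 decoy placeholder",
    "files/loader.lnk": b"placeholder-bytes",
    "files/stage2.dll": b"placeholder-bytes",
}

# Constructed benign archive: documents only, nothing executable.
SAMPLE_BENIGN = {
    "report.pdf": b"%PDF-1.4 benign placeholder",
    "notes.txt": b"meeting notes",
}


if __name__ == "__main__":
    for label, files in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        report = inspect_archive(build_archive(files))
        print(label, "suspicious" if report.suspicious else "clean", report.nested_payloads)
```

Because only the central directory is parsed, the check costs little and can run on every attachment; a hit is a reason to quarantine for deeper analysis rather than a verdict on its own, since legitimate archives occasionally mix documents with installers.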

Security companies warned in March and April about SideCopy's use of DRDO-themed decoys to spread malware. According to those observations, the attack chains load and run both Action RAT and AllaKore RAT.

18 possible victims in India have been connected to C2 networks related to Action RAT, while 236 different potential victims in India have been connected to C2 servers linked to AllaKore RAT.

The Research

The most recent report from Fortinet demonstrates a comparable infection chain that results in the deployment of an unidentified RAT that talks with a remote server and releases further payloads. This demonstrates that SideCopy continues to spread malware through spear-phishing emails impersonating the Indian government and military forces.

The Group's Tools

SideCopy's latest operation appears to have used SILENTTRINITY, a more modern and complete tool that serves as a full-featured post-exploitation framework comparable to Empire or Cobalt Strike, rather than CACTUSTORCH, to distribute malware obfuscated with JavaScript and VBScript.

Unlike CACTUSTORCH, it allows Microsoft .NET code to be executed directly without PowerShell as an intermediate step. Although the payload was built with this tool, it is not known whether the tool was also used by the backend that served the file or in any of the later stages.

Recent Versions

The most recent findings reinforce SideCopy's connection to Pakistan and highlight its successful targeting of Indian victims. The infrastructure that ties Action RAT to SideCopy is managed from internet connections in Pakistan. Victim activity was observed months before the campaign was publicly disclosed.


Esme Greene

Esme brings a wealth of knowledge and experience to our website, specializing in all aspects of DarkWeb security. With a deep understanding of the intricate workings of the DarkWeb and its associated cybersecurity risks, Esme curates insightful and informative content for our readers.