Threat Actor Profile: SideCopy

Operation SideCopy is a sophisticated cyber operation originating from Pakistan and primarily targeting Indian defense forces and personnel. Since its inception in early 2019, the threat group has demonstrated a high level of adaptability, continuously evolving its malware modules to avoid detection and maintain operational effectiveness. Notably, SideCopy closely monitors antivirus detections and promptly updates its modules in response.

The command and control (C&C) infrastructure associated with Operation SideCopy is largely hosted with Contabo GmbH. Consistent use of one hosting provider is a useful pivot for defenders clustering the group's servers, even as individual hosts change. The network infrastructure also overlaps with that used by the Transparent Tribe (APT36) advanced persistent threat (APT) group, which complicates attribution.

Security Officer Comments:

The initial payload is typically a ZIP archive containing a shortcut (LNK) file or document disguised as a PDF or DOC file. Once the victim opens it, a multi-stage infection process begins: malicious HTA (HTML Application) files are executed, and these ultimately deploy remote access trojans (RATs) onto the victim's system. SideCopy has also been observed exploiting CVE-2023-38831 in WinRAR, a vulnerability that fires when a user opens a benign-looking file inside a specially crafted archive, to achieve the same end.
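An added example (not code from the original report or any vendor) of a static triage check for the lure archives described above. It flags entries whose name hides an executable extension behind a document one (a shortcut named like a PDF), and the CVE-2023-38831 archive layout: a decoy file X alongside a directory named X plus a trailing space, holding a script that vulnerable WinRAR builds run in place of the decoy. The archive, its file names and contents are constructed for illustration.

```python
"""Static triage of a phishing archive for the lure patterns described above.

Added example; not code from the original report or any vendor. The sample
archive and every file name in it are constructed for illustration.
"""
import io
import posixpath
import zipfile

# Extensions Windows runs on double-click. A lure that carries a document
# extension in front of one of these (Report.pdf.lnk) is a masquerade.
EXEC_EXT = {".lnk", ".hta", ".exe", ".scr", ".cmd", ".bat", ".js", ".vbs", ".pif"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg", ".png"}


def find_double_extensions(names):
    """Return archive entries whose final extension is executable but the
    extension before it looks like a document (e.g. 'Update.pdf.lnk')."""
    hits = []
    for name in names:
        if name.endswith("/"):          # directory entry
            continue
        parts = posixpath.basename(name).lower().split(".")
        exts = ["." + p for p in parts[1:]]
        if len(exts) >= 2 and exts[-1] in EXEC_EXT and exts[-2] in DOC_EXT:
            hits.append(name)
    return hits


def find_cve_2023_38831(names):
    """Return (decoy_file, script_entry) pairs matching the CVE-2023-38831 layout.

    The exploit archive holds a benign-looking file X and a directory named
    X plus a trailing space; a script inside that directory is what vulnerable
    WinRAR builds execute when the user double-clicks X.
    """
    files = set()
    children = {}                       # directory path -> entries under it
    for name in names:
        if name.endswith("/"):
            children.setdefault(name[:-1], [])
            continue
        files.add(name)
        parent = posixpath.dirname(name)
        if parent:
            children.setdefault(parent, []).append(name)
    pairs = []
    for decoy in sorted(files):
        for entry in children.get(decoy + " ", []):
            if posixpath.splitext(entry)[1].lower() in EXEC_EXT:
                pairs.append((decoy, entry))
    return pairs


def triage(zip_bytes):
    """Run both checks over a ZIP held in memory and return the findings."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    return {
        "double_extension": find_double_extensions(names),
        "cve_2023_38831": find_cve_2023_38831(names),
    }


def build_sample_archive():
    """Constructed lure archive exhibiting both patterns (contents are placeholders)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Defence_Policy_Update.pdf.lnk", b"placeholder, not a real shortcut")
        zf.writestr("Briefing.pdf", b"%PDF-1.4 decoy")
        zf.writestr("Briefing.pdf /Briefing.pdf .cmd", b"echo stage-2 placeholder")
        zf.writestr("readme.txt", b"benign text")
    return buf.getvalue()


if __name__ == "__main__":
    for check, findings in triage(build_sample_archive()).items():
        print(check, findings)
```

The CVE check keys on the trailing-space directory rather than on the script's name, so a variant that renames the script but keeps the layout is still caught; run it on the mail gateway's archive scan before the user ever sees the attachment.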

SideCopy's primary focus is the defense sector, above all Indian defense personnel. The group initiates its attacks with phishing emails and uses compromised domains to host its payloads. The emails are carefully crafted to appear legitimate, often leveraging current defense-related news and affairs to lure victims into opening malicious attachments or clicking on malicious links.

The arsenal of RATs utilized by SideCopy includes a diverse range of tools, each with its own capabilities. These RATs include ActionRAT, AllaKore RAT, Ares RAT, CetaRAT, DetaRAT, EpicenterRAT, Lilith RAT, njRAT, and ReverseRAT. They enable the threat actors to maintain persistent access to compromised systems, exfiltrate sensitive data, and execute commands remotely.

In terms of network activities, SideCopy relies on compromised domains and hardcoded IPs for communication with its C&C infrastructure. The group frequently reuses network infrastructure, making it challenging for defenders to attribute specific malicious activities to individual campaigns.
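Because the C&C addresses are hardcoded in the payloads, a quick static pass over a sample yields pivots for the infrastructure reuse described above. The following is an added example (not code from the original report or any vendor) that pulls IPv4 literals out of a binary blob in both ASCII and UTF-16LE, discards non-routable and malformed values, and keeps the surrounding bytes so an analyst can tell a C&C address from a version string. The payload bytes and the IP addresses in them are constructed placeholders, not real SideCopy infrastructure.

```python
"""Extract candidate hard-coded C2 addresses from a payload blob.

Added example; not code from the original report or any vendor. The payload
bytes below are a constructed stand-in and the IP addresses in them are
placeholders, not real SideCopy infrastructure.
"""
import ipaddress
import re

# Dotted quad in ASCII, not glued to a longer digit/dot run on either side.
_ASCII_IP = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# The same shape in UTF-16LE (every character followed by a NUL byte), which is
# how .NET and many Windows binaries store string literals.
_WIDE_IP = re.compile(
    rb"(?<!\d\x00)(?<!\.\x00)(?:(?:\d\x00){1,3}\.\x00){3}(?:\d\x00){1,3}(?![\d.]\x00)"
)


def extract_ips(blob, context=16):
    """Return (ip, encoding, context) for every routable IPv4 literal in blob.

    ipaddress drops malformed quads (octets over 255) and anything that is
    loopback, RFC 1918, link-local, documentation or otherwise non-global.
    Version-like strings such as 1.0.0.1 can survive that filter, so the
    surrounding bytes are returned to let an analyst judge each hit.
    """
    hits = []
    seen = set()
    for enc, rx in (("ascii", _ASCII_IP), ("utf-16le", _WIDE_IP)):
        for m in rx.finditer(blob):
            try:
                ip = ipaddress.IPv4Address(m.group().decode(enc))
            except ValueError:
                continue
            if not ip.is_global or (str(ip), enc) in seen:
                continue
            seen.add((str(ip), enc))
            window = blob[max(0, m.start() - context): m.end() + context]
            hits.append((str(ip), enc, window.replace(b"\x00", b"").decode("latin-1")))
    return hits


def candidate_c2(blob):
    """Deduplicated, sorted (ip, encoding) pairs worth pivoting on."""
    return sorted((ip, enc) for ip, enc, _ in extract_ips(blob))


# Constructed sample: a PE-like header, version resource strings, two
# non-routable addresses, one ASCII C2 literal and one UTF-16LE C2 literal.
SAMPLE_PAYLOAD = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"FileVersion 4.8.4084.0\x00"          # octet > 255: not an address
    + b"ProductVersion 1.0.0.1\x00"          # global but version-like; context shows it
    + b"http://127.0.0.1:8080/\x00"          # loopback, filtered
    + b"cfg=192.168.1.5\x00"                 # RFC 1918, filtered
    + b"http://45.67.89.10/upload\x00"       # placeholder C2 (ASCII)
    + "45.67.89.11:4443".encode("utf-16le")  # placeholder C2 (UTF-16LE)
    + b"\x00\x00"
)

if __name__ == "__main__":
    for ip, enc, ctx in extract_ips(SAMPLE_PAYLOAD):
        print(f"{ip:16} {enc:9} ...{ctx!r}")
```

The UTF-16LE pass matters for this actor's .NET tooling: a plain `strings` run misses wide literals unless it is told to look for them, and the filter on `is_global` removes the loopback and RFC 1918 noise that otherwise dominates such output.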

Suggested Corrections:
Operation SideCopy is known to adopt tactics, techniques, and procedures (TTPs) reminiscent of other APT groups, notably SideWinder (also tracked as Rattlesnake), possibly as a deliberate attempt to mislead security researchers. There are also suspected links between SideCopy and Transparent Tribe (APT36).

Operation SideCopy poses a significant and persistent threat to Indian defense forces and personnel. Its attack chain, which combines spear-phishing campaigns and honeytrap lures with LNK- and HTA-based staging and exploitation of CVE-2023-38831, points to concrete controls: block or detonate archive attachments that contain shortcut or HTA files, keep WinRAR patched against CVE-2023-38831, train defense-sector staff to treat topical defense-themed attachments with suspicion, and monitor outbound traffic for hardcoded C&C addresses, particularly on Contabo-hosted infrastructure.

MITRE ATT&CK:
Spearphishing Attachment (T1566.001; T1193, used in older versions of ATT&CK, is retired): SideCopy uses spearphishing emails with malicious attachments, typically ZIP archives containing disguised shortcut (LNK) files or documents, to initiate its attacks.

Command and Control (tactic TA0011; the retired technique ID T1043, Commonly Used Port, does not describe this behaviour): SideCopy establishes communication with its command and control server using hardcoded IP addresses embedded within its payloads.

Exploitation for Client Execution (T1203): SideCopy has exploited CVE-2023-38831 in WinRAR, which is triggered when a user opens a crafted archive. T1190 (Exploit Public-Facing Application) does not apply here, since WinRAR is a client application rather than a network-exposed service.

User Execution (T1204): SideCopy relies on user interaction to execute malicious attachments, such as opening ZIP files containing link files or documents disguised as PDF or DOC files.

Obfuscated Files or Information (T1027): SideCopy obfuscates its malicious payloads to evade detection by security tools and analysts. (Data Obfuscation, T1001, is a command-and-control technique and is not what is meant here.)

Exfiltration Over Command and Control Channel (T1041): SideCopy may exfiltrate stolen data over its command and control channel to a remote server controlled by the threat actors.

Masquerading (T1036): SideCopy may masquerade its malicious payloads as legitimate files, such as PDF or DOC files, to deceive victims into executing them.