SideCopy

SideCopy is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghan government personnel, since at least 2019. SideCopy's name comes from its infection chain, which tries to mimic that of Sidewinder, a suspected Indian threat group.[1]

ID: G1008
Contributors: Pooja Natarajan, NEC Corporation India; Hiroki Nagahama, NEC Corporation; Manikantan Srinivasan, NEC Corporation India
Version: 1.0
Created: 07 August 2022
Last Modified: 24 October 2022

Techniques Used

Domain ID Name Use
Enterprise T1036.005 Masquerading: Match Legitimate Name or Location

SideCopy has used a legitimate DLL file name, Duser.dll, to disguise a malicious remote access tool.[1]

Enterprise T1598.002 Phishing for Information: Spearphishing Attachment

SideCopy has crafted generic lures for spam campaigns to collect emails and credentials for targeting efforts.[1]

Enterprise T1574.002 Hijack Execution Flow: DLL Side-Loading

SideCopy has used a malicious loader DLL file to execute the credwiz.exe process and side-load the malicious payload Duser.dll.[1]

Enterprise T1059.005 Command and Scripting Interpreter: Visual Basic

SideCopy has sent Microsoft Office Publisher documents to victims with embedded malicious macros that execute an .hta file by calling mshta.exe.[1]

Enterprise T1584.001 Compromise Infrastructure: Domains

SideCopy has compromised domains for some of their infrastructure, including for C2 and staging malware.[1]

Enterprise T1608.001 Stage Capabilities: Upload Malware

SideCopy has used compromised domains to host its malicious payloads.[1]

Enterprise T1106 Native API

SideCopy has executed malware by calling the API function CreateProcessW.[1]

Enterprise T1204.002 User Execution: Malicious File

SideCopy has attempted to lure victims into clicking on malicious embedded archive files sent via spearphishing campaigns.[1]

Enterprise T1218.005 System Binary Proxy Execution: Mshta

SideCopy has used mshta.exe to execute a malicious .hta file.[1]

Enterprise T1614 System Location Discovery

SideCopy has identified the country location of a compromised host.[1]

Enterprise T1082 System Information Discovery

SideCopy has identified the OS version of a compromised host.[1]

Enterprise T1016 System Network Configuration Discovery

SideCopy has identified the IP address of a compromised host.[1]

Enterprise T1518 Software Discovery

SideCopy has collected browser information from a compromised host.[1]

Enterprise T1518.001 Software Discovery: Security Software Discovery

SideCopy has used a loader DLL file to collect AV product names from an infected host.[1]

Enterprise T1105 Ingress Tool Transfer

SideCopy has delivered trojanized executables via spearphishing emails that contact actor-controlled servers to download malicious payloads.[1]

Enterprise T1566.001 Phishing: Spearphishing Attachment

SideCopy has sent spearphishing emails with malicious .hta file attachments.[1]
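As an added illustration (not from the original page or from any published SideCopy analysis), the following Python checks implement defender-side detection for two of the behaviours listed above: credwiz.exe loading Duser.dll from outside the Windows system directories (T1574.002) and an Office application spawning mshta.exe with an .hta argument (T1059.005 / T1218.005). The key=value log format, paths and process names in the sample are constructed assumptions, not real telemetry.

```python
import re
from typing import Dict, List, Optional

# Constructed sample telemetry (simplified Sysmon-like key=value lines, not real logs):
# benign credwiz/duser pair in System32, side-loaded pair in Temp, mshta spawned by
# Publisher with an .hta, and a benign mshta launched from Explorer.
SAMPLE_LOG = """\
event=ImageLoaded image=C:\\Windows\\System32\\credwiz.exe loaded=C:\\Windows\\System32\\duser.dll
event=ImageLoaded image=C:\\Users\\v\\AppData\\Local\\Temp\\credwiz.exe loaded=C:\\Users\\v\\AppData\\Local\\Temp\\Duser.dll
event=ProcessCreate parent="C:\\Program Files\\Microsoft Office\\root\\Office16\\MSPUB.EXE" image=C:\\Windows\\System32\\mshta.exe cmdline="mshta.exe C:\\Users\\v\\AppData\\Local\\Temp\\update.hta"
event=ProcessCreate parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\mshta.exe cmdline="mshta.exe C:\\Windows\\help.hta"
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="quoted value"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe", "outlook.exe"}

def parse_line(line: str) -> Dict[str, str]:
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def check_sideload(ev: Dict[str, str]) -> Optional[str]:
    # credwiz.exe legitimately loads duser.dll from System32; the same pair
    # loaded from anywhere else is the side-loading pattern (T1574.002).
    if ev.get("event") != "ImageLoaded":
        return None
    image, loaded = ev.get("image", ""), ev.get("loaded", "")
    if basename(image) != "credwiz.exe" or basename(loaded) != "duser.dll":
        return None
    if image.lower().startswith(SYSTEM_DIRS) and loaded.lower().startswith(SYSTEM_DIRS):
        return None
    return f"T1574.002 DLL side-loading: {image} loaded {loaded}"

def check_mshta(ev: Dict[str, str]) -> Optional[str]:
    # An Office application spawning mshta.exe with an .hta argument matches
    # the macro -> mshta.exe chain (T1059.005 / T1218.005).
    if ev.get("event") != "ProcessCreate" or basename(ev.get("image", "")) != "mshta.exe":
        return None
    parent = basename(ev.get("parent", ""))
    if parent in OFFICE_APPS and ".hta" in ev.get("cmdline", "").lower():
        return f"T1218.005 Mshta: {parent} spawned mshta.exe with {ev['cmdline']!r}"
    return None

def scan(log: str) -> List[str]:
    alerts: List[str] = []
    for line in filter(None, log.splitlines()):
        ev = parse_line(line)
        alerts += [hit for hit in (check_sideload(ev), check_mshta(ev)) if hit]
    return alerts
```

Running `scan(SAMPLE_LOG)` yields two alerts, one per malicious line, and nothing for the two benign lines.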
