1. Home
  2. Groups
  3. SideCopy

SideCopy

SideCopy is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghani government personnel, since at least 2019. SideCopy's name comes from its infection chain that tries to mimic that of Sidewinder, a suspected Indian threat group.[1]

ID: G1008
Contributors: Pooja Natarajan, NEC Corporation India; Hiroki Nagahama, NEC Corporation; Manikantan Srinivasan, NEC Corporation India
Version: 1.0
Created: 07 August 2022
Last Modified: 24 October 2022
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

SideCopy has sent Microsoft Office Publisher documents to victims that have embedded malicious macros that execute an hta file via calling mshta.exe.[1]
Enterprise T1584 .001 Compromise Infrastructure: Domains

SideCopy has compromised domains for some of their infrastructure, including for C2 and staging malware.[1]
Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

SideCopy has used a malicious loader DLL file to execute the credwiz.exe process and side-load the malicious payload Duser.dll.[1]
Enterprise T1105 Ingress Tool Transfer

SideCopy has delivered trojanized executables via spearphishing emails that contacts actor-controlled servers to download malicious payloads.[1]
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

SideCopy has used a legitimate DLL file name, Duser.dll to disguise a malicious remote access tool.[1]
Enterprise T1106 Native API

SideCopy has executed malware by calling the API function CreateProcessW.[1]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

SideCopy has sent spearphishing emails with malicious hta file attachments.[1]
Enterprise T1598 .002 Phishing for Information: Spearphishing Attachment

SideCopy has crafted generic lures for spam campaigns to collect emails and credentials for targeting efforts.[1]
Enterprise T1518 Software Discovery

SideCopy has collected browser information from a compromised host.[1]
.001 Security Software Discovery

SideCopy uses a loader DLL file to collect AV product names from an infected host.[1]
Enterprise T1608 .001 Stage Capabilities: Upload Malware

SideCopy has used compromised domains to host its malicious payloads.[1]
Enterprise T1218 .005 System Binary Proxy Execution: Mshta

SideCopy has utilized mshta.exe to execute a malicious hta file.[1]
Enterprise T1082 System Information Discovery

SideCopy has identified the OS version of a compromised host.[1]
Enterprise T1614 System Location Discovery

SideCopy has identified the country location of a compromised host.[1]
Enterprise T1016 System Network Configuration Discovery

SideCopy has identified the IP address of a compromised host.[1]
Enterprise T1204 .002 User Execution: Malicious File

SideCopy has attempted to lure victims into clicking on malicious embedded archive files sent via spearphishing campaigns.[1]

Software

ID Name Techniques
S1028 Action RAT Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Deobfuscate/Decode Files or Information, File and Directory Discovery, Ingress Tool Transfer, Obfuscated Files or Information, Software Discovery: Security Software Discovery, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, Windows Management Instrumentation
S1029 AuTo Stealer Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Data Staged: Local Data Staging, Exfiltration Over C2 Channel, Non-Application Layer Protocol, Software Discovery: Security Software Discovery, System Information Discovery, System Owner/User Discovery

References

  1. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.