New Malware Targets India's Defense Personnel
Target, Attack Method Point to APT Group SideCopy
Researchers have identified a new malware sample that is targeting Indian defense personnel.
The malware code was discovered by an unidentified independent threat hunter who tweets as @s1ckb017. The person tells Information Security Media Group that they detected the malicious file using YARA rules, but declined to offer further details.
Atlanta-based cyber threat intelligence firm Cyble, which studies advanced persistent threat groups extensively, says the target and attack method of the malware point to the work of APT group SideCopy.
SideCopy has previously targeted the Indian government sector, specifically defense establishments, according to Cyble. The group, Cyble's research report shows, uses various remote access Trojans and malware to launch campaigns through phishing and delivers malware payloads via email.
The malware file, embedded in a malicious app, has an x86 architecture, with a Windows-based graphical user interface application written in .NET language, Cyble's researchers say.
The icon of the malicious app bears the logo of the Canteen Stores Department, an Indian Ministry of Defense enterprise, to make it appear legitimate, Kaustubh Medhe, head of research and cyber threat intelligence at Cyble, tells Information Security Media Group.
The legitimate Canteen Stores Department app is used extensively by defense personnel to purchase goods at subsidized prices and is listed on Google Play Store.
Once downloaded and executed, the malware can perform functions such as device fingerprinting, evasion, command and control, data exfiltration and persistence, he says.
"Considering the composition and behavior of the malware, it appears to have been designed with information theft and espionage as the primary motive," he says.
With respect to intrusion detection, Medhe says that at the moment, AFD CSD APP.vhdx - the first-stage payload - has not been detected or flagged as malicious by any antivirus software.
Malware Delivery and Execution
Cyble researchers say the malware, after execution, ensures that the victim's operating system time zone is set to India Standard Time. It exits the system if any other active time zone is detected in the operating system, they say.
After confirming that only a single instance of the malware is running on the target's system, the malware opens the Canteen Stores Department website in the system's browser and loads the module that executes the malicious code.
Medhe explains that when a victim installs the first-stage payload, the malware creates a virtual mount disk that includes a file named csd_applaunch.exe. In the next stage of the attack, a directory called Intel Wifi is created on the C: drive. The malware then downloads the next-stage payload from the URL https://secure256.net/ver4.mp3.
Post-execution, the malware connects to the attacker's command-and-control server and sends it the targeted system's OS version, local IP, installed antivirus software and the system's current username. The malware then goes dormant.
"This is how the malware creates and maintains persistence in the target's system," Medhe says.
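A defender-side correlation of the chain just described, as an added example that is not from the article or from Cyble: the indicators are the file, directory and URL named above, the log lines are constructed, and the tab-separated host/event format is an assumption.

```python
"""Added example (not from the article or Cyble): correlate endpoint and
proxy log lines against the multistage behaviour the article describes."""
import re
from collections import defaultdict

# Indicators taken from the article; each regex maps to a stage of the chain.
STAGES = {
    "vhdx_stager":   re.compile(r"AFD CSD APP\.vhdx", re.I),
    "launcher_exec": re.compile(r"csd_applaunch\.exe", re.I),
    "staging_dir":   re.compile(r"C:\\Intel Wifi\\?", re.I),
    "payload_url":   re.compile(r"https?://secure256\.net/ver4\.mp3", re.I),
}

# Constructed sample log lines (hostname<TAB>event text); not real telemetry.
SAMPLE_LOGS = """\
ws-01\tfile_create C:\\Users\\a\\Downloads\\AFD CSD APP.vhdx
ws-01\tprocess_start D:\\csd_applaunch.exe parent=explorer.exe
ws-01\tdir_create C:\\Intel Wifi
ws-01\tproxy GET https://secure256.net/ver4.mp3 ua=Mozilla/4.0
ws-02\tdir_create C:\\Intel Wifi
ws-03\tproxy GET https://example.org/update.mp3
"""


def match_stages(logs: str) -> dict[str, set[str]]:
    """Return {host: set of stage names} for every host whose log lines
    hit at least one indicator."""
    hits: dict[str, set[str]] = defaultdict(set)
    for line in logs.splitlines():
        host, _, event = line.partition("\t")
        for stage, pattern in STAGES.items():
            if pattern.search(event):
                hits[host].add(stage)
    return dict(hits)


def flag_hosts(logs: str, min_stages: int = 2) -> list[str]:
    """Hosts showing at least `min_stages` distinct stages of the chain.
    A lone hit (e.g. only an 'Intel Wifi' directory, a plausible benign
    name) stays below the threshold and is left for manual triage."""
    return sorted(h for h, s in match_stages(logs).items() if len(s) >= min_stages)


if __name__ == "__main__":
    print(flag_hosts(SAMPLE_LOGS))  # ['ws-01']
```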
SideCopy APT Group
The SideCopy APT group has been known to prefer custom remote access tools as its vector of choice, Medhe says.
"Since this particular multistage malware also has remote access capabilities, there is a possibility that it [SideCopy] may be involved. It is also known to have nation-state affiliations and has targeted India in the past," Medhe says.
The website for the Thailand Computer Emergency Response Team, known as Thai CERT, shows that the SideCopy APT group originates from Pakistan.
But accurate attribution is always difficult, as threat actor groups are known to borrow tactics, techniques and procedures from other groups, Medhe adds.
According to Cisco's threat intelligence arm, Cisco Talos, SideCopy is an APT group that mimics Sidewinder APT group's infection chains to deliver its own set of malware. The report also says that there has been an increase in SideCopy's activities targeting Indian government personnel using tactics similar to those of the group APT36 - aka Mythic Leopard and Transparent Tribe.
Talos' study also shows that SideCopy's methods include "using decoys posing as operational documents belonging to the military and honey trap-based infections."
Medhe says that there are various threat actor groups operating from Asia that target the Indian government and defense establishments, as well as national critical infrastructure, on a regular basis.
"These groups fall into two categories: They are either rogue nation-state-affiliated actors who engage in intellectual property theft, reconnaissance, surveillance, or espionage as their primary goal or they are organized cybercriminal syndicates or ransomware groups driven by pure financial gain," he adds.