
G1008 SideCopy

SideCopy is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghan government personnel, since at least 2019. SideCopy's name comes from its infection chain, which tries to mimic that of Sidewinder, a suspected Indian threat group. [1]

ID: G1008
Associated Names: (none listed)
Version: 1.0
Created: 07 August 2022
Last Modified: 24 October 2022

Techniques Used

All techniques below belong to the Enterprise domain. Sub-techniques are indented under their parent technique, followed by how SideCopy has used them.

T1059 Command and Scripting Interpreter
  T1059.005 Visual Basic: SideCopy has sent Microsoft Office Publisher documents to victims with embedded malicious macros that execute an HTA file by calling mshta.exe. [1]
T1584 Compromise Infrastructure
  T1584.001 Domains: SideCopy has compromised domains for some of its infrastructure, including for C2 and for staging malware. [1]
T1574 Hijack Execution Flow
  T1574.002 DLL Side-Loading: SideCopy has used a malicious loader DLL to execute the credwiz.exe process and side-load the malicious payload Duser.dll. [1]
T1105 Ingress Tool Transfer: SideCopy has delivered trojanized executables via spearphishing emails; the executables contact actor-controlled servers to download malicious payloads. [1]
T1036 Masquerading
  T1036.005 Match Legitimate Name or Location: SideCopy has used a legitimate DLL file name, Duser.dll, to disguise a malicious remote access tool. [1]
T1106 Native API: SideCopy has executed malware by calling the API function CreateProcessW. [1]
T1566 Phishing
  T1566.001 Spearphishing Attachment: SideCopy has sent spearphishing emails with malicious HTA file attachments. [1]
T1598 Phishing for Information
  T1598.002 Spearphishing Attachment: SideCopy has crafted generic lures for spam campaigns to collect email addresses and credentials for targeting efforts. [1]
T1518 Software Discovery: SideCopy has collected browser information from a compromised host. [1]
  T1518.001 Security Software Discovery: SideCopy uses a loader DLL to collect AV product names from an infected host. [1]
T1608 Stage Capabilities
  T1608.001 Upload Malware: SideCopy has used compromised domains to host its malicious payloads. [1]
T1218 System Binary Proxy Execution
  T1218.005 Mshta: SideCopy has used mshta.exe to execute a malicious HTA file. [1]
T1082 System Information Discovery: SideCopy has identified the OS version of a compromised host. [1]
T1614 System Location Discovery: SideCopy has identified the country location of a compromised host. [1]
T1016 System Network Configuration Discovery: SideCopy has identified the IP address of a compromised host. [1]
T1204 User Execution
  T1204.002 Malicious File: SideCopy has attempted to lure victims into clicking on malicious embedded archive files sent via spearphishing campaigns. [1]
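Two of the behaviours above (T1218.005, an Office document launching mshta.exe with an HTA file, and T1574.002, credwiz.exe side-loading Duser.dll) are visible in endpoint process-creation and image-load telemetry. The following detection logic is an added example, not part of the ATT&CK page or of any vendor's rule set; it assumes a simplified Sysmon-like event dictionary (fields `event`, `parent`, `image`, `cmdline`, `loaded`) and runs over constructed sample events.

```python
"""Added example: flag two SideCopy execution patterns over simplified Sysmon-style events.
Assumed event shape (not a real Sysmon schema):
  {"event": "process", "parent": ..., "image": ..., "cmdline": ...}   # Event ID 1
  {"event": "imageload", "image": ..., "loaded": ...}                 # Event ID 7
"""
from pathlib import PureWindowsPath

OFFICE_PARENTS = {"mspub.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def detect(events):
    """Return a list of (technique_id, reason) findings for the given events."""
    findings = []
    for ev in events:
        if ev["event"] == "process":
            # T1218.005: mshta.exe launched by an Office application with an .hta argument
            # (the Publisher macro -> mshta.exe chain described above).
            if (_name(ev["image"]) == "mshta.exe"
                    and _name(ev["parent"]) in OFFICE_PARENTS
                    and ".hta" in ev["cmdline"].lower()):
                findings.append(("T1218.005", f"{_name(ev['parent'])} spawned mshta.exe: {ev['cmdline']}"))
        elif ev["event"] == "imageload":
            # T1574.002: credwiz.exe loading Duser.dll from outside the Windows system
            # directories (the legitimate DUser.dll lives in System32/SysWOW64).
            loaded = ev["loaded"].lower()
            if (_name(ev["image"]) == "credwiz.exe"
                    and _name(loaded) == "duser.dll"
                    and not loaded.startswith(SYSTEM_DIRS)):
                findings.append(("T1574.002", f"credwiz.exe side-loaded {ev['loaded']}"))
    return findings

# Constructed sample events: benign DUser.dll load, side-load from Temp,
# Publisher -> mshta.exe, and an unrelated benign process.
SAMPLE_EVENTS = [
    {"event": "imageload", "image": r"C:\Windows\System32\credwiz.exe",
     "loaded": r"C:\Windows\System32\DUser.dll"},
    {"event": "imageload", "image": r"C:\Users\victim\AppData\Local\Temp\credwiz.exe",
     "loaded": r"C:\Users\victim\AppData\Local\Temp\Duser.dll"},
    {"event": "process", "parent": r"C:\Program Files\Microsoft Office\root\Office16\MSPUB.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\victim\AppData\Local\Temp\invite.hta"'},
    {"event": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]
```

Running `detect(SAMPLE_EVENTS)` yields one T1574.002 finding for the Temp-directory side-load and one T1218.005 finding for the Publisher-spawned mshta.exe; the System32 DUser.dll load and the notepad.exe launch are not flagged.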

Software

Each entry lists the software ID and name, followed by the ATT&CK techniques attributed to it (sub-techniques in parentheses after their parent). No separate references are listed for either entry.

S1028 Action RAT
  Techniques: Application Layer Protocol (Web Protocols); Command and Scripting Interpreter (Windows Command Shell); Data from Local System; Deobfuscate/Decode Files or Information; File and Directory Discovery; Ingress Tool Transfer; Obfuscated Files or Information; Software Discovery (Security Software Discovery); System Information Discovery; System Network Configuration Discovery; System Owner/User Discovery; Windows Management Instrumentation
S1029 AuTo Stealer
  Techniques: Application Layer Protocol (Web Protocols); Boot or Logon Autostart Execution (Registry Run Keys / Startup Folder); Command and Scripting Interpreter (Windows Command Shell); Data from Local System; Data Staged (Local Data Staging); Exfiltration Over C2 Channel; Non-Application Layer Protocol; Software Discovery (Security Software Discovery); System Information Discovery; System Owner/User Discovery

References