Pakistani threat actor ‘SideCopy APT’ targets Afghan and Indian government personnel: Malwarebytes


Last week, Facebook took action against four distinct groups of hackers in Pakistan and Syria. SideCopy, one of the Pakistani groups named by Facebook, has also been accused of targeting people with links to government, military, and law enforcement in Afghanistan and India.

Now Malwarebytes has published a detailed report showing how the group used romantic lures to compromise targets. Researchers at Malwarebytes say the group stole access to government portals, Facebook, Twitter, and Google credentials, banking information, and password-protected documents.

SideCopy APT has been operating since at least 2019 and has primarily targeted South Asian countries, specifically India and Afghanistan.

They used three different methods as initial infection vectors: .lnk files, Microsoft Publisher files, and Trojanized applications. Once the target opens the malicious document, it leads to the execution of a loader. The loader drops a next-stage remote access trojan called ActionRAT. This trojan is capable of uploading files, executing commands received from a server, and even downloading more payloads.
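Since one of the lure formats described above is a Windows shortcut (.lnk), a defender triaging mail attachments should recognise a shortcut by its file signature rather than by its displayed name. The following is an added example, not code from the Malwarebytes report or from the article; it checks the fixed Shell Link header (header size 0x4C followed by the CLSID 00021401-0000-0000-C000-000000000046, as defined in MS-SHLLINK) and flags shortcuts, including those hiding behind a double extension. The sample attachment bytes and the `triage_attachment` verdict scheme are constructed for the example.

```python
"""Flag Windows shortcut (.lnk) attachments by signature, not by name.

Added example (not from the article or the Malwarebytes report): SideCopy's
lures included .lnk files, so a mail gateway or triage script should detect a
shortcut even when its extension has been disguised.
"""

# Fixed header of the Windows Shell Link format (MS-SHLLINK):
# 4-byte HeaderSize (always 0x4C) followed by the 16-byte LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian GUID encoding.
LNK_HEADER_SIZE = b"\x4c\x00\x00\x00"
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")


def is_shell_link(data: bytes) -> bool:
    """True if the bytes start with a ShellLink header, whatever the name says."""
    return data[:4] == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def triage_attachment(name: str, data: bytes) -> dict:
    """Return a verdict for one attachment (constructed verdict scheme).

    Any genuine shortcut is blocked; a shortcut behind a double extension
    (e.g. "Invitation.pdf.lnk", shown as "Invitation.pdf" when Windows hides
    known extensions) is called out separately so analysts see the trick.
    A file merely named .lnk that is not a shell link is sent for review.
    """
    lower = name.lower()
    is_lnk = is_shell_link(data)
    claims_lnk = lower.endswith(".lnk")
    double_ext = claims_lnk and lower.count(".") >= 2

    if is_lnk and double_ext:
        return {"name": name, "verdict": "block", "reason": "shortcut with double extension"}
    if is_lnk:
        return {"name": name, "verdict": "block", "reason": "windows shortcut attachment"}
    if claims_lnk:
        return {"name": name, "verdict": "review", "reason": ".lnk name but not a shell link"}
    return {"name": name, "verdict": "allow", "reason": "no shortcut signature"}


# Constructed sample attachments for the demonstration (not real lures):
# a minimal shortcut header padded out, and the start of an ordinary PDF.
SAMPLE_LNK = LNK_HEADER_SIZE + LNK_CLSID + b"\x00" * 56
SAMPLE_PDF = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n"


if __name__ == "__main__":
    for fname, blob in [("Invitation.pdf.lnk", SAMPLE_LNK),
                        ("brief.lnk", SAMPLE_LNK),
                        ("notes.pdf", SAMPLE_PDF),
                        ("odd.lnk", SAMPLE_PDF)]:
        print(triage_attachment(fname, blob))
```

The signature check matters because a renamed shortcut still executes as a shortcut when double-clicked, so filtering on the visible extension alone misses exactly the disguised case this group relied on.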

The threat actor used phishing attacks against members of the AOP (Administration Office of the President) of Afghanistan, gained access to ten of them, and stole their credentials for different government services. There is also evidence that they infected a member of the Ministry of External Affairs in Afghanistan. Two members of the Ministry of Finance, Afghanistan were also hacked to collect personal accounts such as Google, Facebook, and bank accounts. The group was also able to steal several Office documents and databases associated with the Government of Afghanistan.

The group also got access to a shared computer in India and harvested credentials from government and education services.

Back in September 2020, cybersecurity firm Quick Heal also revealed how the group performed attacks aimed at Indian defense units and armed forces personnel. Cisco Talos researchers also exposed the hacking group’s myriad infection chains earlier this year.
