
“Operation SideCopy” Targets Indian Army

Cyber security researchers have uncovered evidence of a cyberespionage campaign against Indian defense units and armed forces. Sensitive information has been stolen since 2019 using this method. The attacks have been attributed to an advanced persistent threat (APT) group that has managed to stay under the radar by “copying” the tactics of other threat actors such as SideWinder.

How does Operation SideCopy work?

  • The attackers send an email with an embedded malicious attachment, either a ZIP file containing an LNK file or a Microsoft Word document.
  • Opening the attachment triggers an infection chain that runs through a series of steps to download the final-stage payload.

The most interesting part is that the attackers exploited template injection and a Microsoft Equation Editor flaw (CVE-2017-11882), a 20-year-old memory corruption issue in Microsoft Office. When exploited successfully, attackers were able to execute remote code on a vulnerable machine even without user interaction. Microsoft addressed this issue in a patch released in November 2017.

The LNK files have a double extension and carry document icons, tricking an unsuspecting victim into opening the file. Once opened, the LNK files abuse “mshta.exe” to execute malicious HTA (Microsoft HTML Application) files hosted on fraudulent websites; the HTA files are created with an open-source payload generation tool called CACTUSTORCH.
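As an added defensive example (not code from the article or the researchers), the following Python flags, in constructed sample host telemetry, the three behaviours the infection chain above relies on: mshta.exe fetching a remote HTA, a .lnk file hiding behind a document double extension, and Equation Editor spawning a child process. The event format, file paths and URL are assumptions.

```python
import re

# Constructed sample telemetry for illustration only (not from the article):
# process-creation events and file-write events, as a host sensor might emit.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/stage.hta"},
    {"type": "process", "parent": "WINWORD.EXE", "image": "EQNEDT32.EXE",
     "cmdline": "EQNEDT32.EXE -Embedding"},
    {"type": "process", "parent": "EQNEDT32.EXE", "image": "cmd.exe",
     "cmdline": "cmd.exe /c example"},
    {"type": "file", "path": r"C:\Users\u\Downloads\Circular.pdf.lnk"},
    {"type": "file", "path": r"C:\Users\u\Desktop\Report.lnk"},
    {"type": "process", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": r"notepad.exe C:\Users\u\notes.txt"},
]

DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
REMOTE_URL = re.compile(r"\bhttps?://\S+", re.IGNORECASE)

def mshta_remote(event):
    """mshta.exe launched with a remote URL: the LNK -> mshta -> hosted HTA step."""
    return (event.get("image", "").lower() == "mshta.exe"
            and REMOTE_URL.search(event.get("cmdline", "")) is not None)

def double_extension_lnk(event):
    """A .lnk whose name carries a document extension just before it (e.g. .pdf.lnk)."""
    name = event.get("path", "").rsplit("\\", 1)[-1].lower()
    if not name.endswith(".lnk"):
        return False
    stem = name[:-len(".lnk")]
    return any(stem.endswith(ext) for ext in DOC_EXTS)

def eqnedt_spawn(event):
    """Equation Editor spawning a child process: a common sign of CVE-2017-11882 abuse."""
    return event.get("parent", "").lower() == "eqnedt32.exe"

RULES = {"mshta_remote_hta": mshta_remote,
         "lnk_double_extension": double_extension_lnk,
         "eqnedt32_child_process": eqnedt_spawn}

def triage(events):
    """Return (rule_name, event) for every event matched by a rule."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]

if __name__ == "__main__":
    for name, ev in triage(SAMPLE_EVENTS):
        print(name, ev)
```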
