Researchers Reveal More Details About SideCopy, the Pakistani Threat Actor Group
Indian and Afghan Governments Were Targeted By This Malicious Group.
A hacking group from Pakistan managed to perform Facebook, Twitter, and Google sensitive credentials theft. It seems that its targets were Afghan ministries and a shared government computer from India. The consequences were that it secretly could achieve access to government portals through stolen credentials obtained via social engineering techniques.
About the Pakistani Threat Actor Group
Facebook, now known as Meta, announced last week about an August action taken against a Pakistani threat actor dubbed SideCopy. They have carried out some activities to mitigate Sidecopy’s activities on the platform, as this was using romancing lures to target some Afghan individuals. Their announcement included this declaration:
Today, we are sharing actions we’ve taken against four distinct groups of hackers in Pakistan and Syria over the past several months. To disrupt these malicious groups, we disabled their accounts, blocked their domains from being posted on our platform, shared information with our industry peers, security researchers, and law enforcement, and alerted the people who we believe were targeted by these hackers.
The group from Pakistan — known in the security industry as SideCopy — targeted people who were connected to the previous Afghan government, military, and law enforcement in Kabul.
The researchers from Malwarebytes published a report on the second of December revealing new details about this Pakistani threat actor group, the came after Meta published the news on SideCopy.
Hossein Jazi, one of the researchers mentioned above, said that SideCopy uses lures like archive files that contain LNK, Microsoft Publisher, or Trojanized Applications files. The same researcher added that the embedded files are thus adjusted to have Afghan and Indian government and military officials as targets.
The Hackersnews publication also underlined the fact that the Administration Office of the President (AOP) of Afghanistan, the Ministry of Foreign affairs, the Ministry of Finance, and the National Procurement Authority were targeted and hackers managed to steal documents that were password-protected and also social media passwords. A shared computer from India was also targeted, as cybercriminals managed to collect credentials belonging to services from the government and educational fields.
The same publication mentions that the name of the threat actor group is due to its attempts to perform infection chain mimicking, infection chains associated with SideWinder.
How a SideCopy’s Cyberattack Works
Malwarebytes report emphasized that the group managed to siphon various Microsoft office documents from the websites belonging to the Afghan government. These files included officials’ names, officials’ email addresses and numbers, identity cards data, and diplomatic visas.
As the report underlines, the cyberattack begins with the target being determined to open a certain document, then a loader will be executed. This has the role to perform a next-gen RAT dropping that is dubbed ActionRAT. What can this remote access trojan do? Perform activities like: commands execution (various commands that come from a server), files uploading, and extent the number of payload downloads. The loader seems to also drop an AutoStealer, which is a data stealer, that has the role to gather Microsoft Office and PDF files, text files, images, and database files. This is a step that precedes the data exfiltration step.