Hackers of India

Evasion Tactics of SideCopy & APT36: Persistently targeting Indian Defense Orgs

By Sathwik RAM Prakki on 07 Aug 2023 @ C0c0n


Presentation Material

AI Generated Summary (may contain errors)


Threat Actor Campaign

A threat actor campaign has been identified that targets government and defense sectors. The campaign uses phishing emails carrying malicious PPT files with embedded malicious files, including the Crimson RAT malware. The infection chain is basic compared to that of SideCopy.

Infection Chain

  1. A phishing email delivers a malicious PPT file.
  2. The PPT file contains embedded malicious files, including Crimson RAT.
  3. When the PPT file is opened, VBA macros extract the embedded malicious files.
  4. A decoy file is also extracted and opened in the foreground, while the malicious files are executed in the background.
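A defender-side triage check for the chain above, added here as an example and not taken from the talk: it inspects an OOXML presentation (a ZIP container) for the combination the summary describes, a VBA project plus embedded objects that macros could drop at open time. The sample archive, part names and file names are constructed for the example.

```python
"""Triage an OOXML (.pptx/.pptm) blob for a VBA project plus embedded objects.
Constructed example for the infection chain summarized above; not talk material."""
import io
import zipfile

# OOXML presentations are ZIP containers; these parts are the ones worth flagging.
VBA_PART = "ppt/vbaProject.bin"
EMBED_PREFIX = "ppt/embeddings/"
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".bat", ".cmd", ".hta", ".vbs", ".js", ".ps1")


def triage_presentation(data: bytes) -> dict:
    """Return the risk indicators found in an OOXML presentation blob."""
    findings = {"has_vba": False, "embedded": [], "executable_embeds": [], "suspicious": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        # Legacy binary .ppt (OLE2) or a non-Office file: out of scope for this check.
        return findings
    findings["has_vba"] = VBA_PART in names
    findings["embedded"] = [n for n in names if n.startswith(EMBED_PREFIX)]
    findings["executable_embeds"] = [
        n for n in findings["embedded"] if n.lower().endswith(EXEC_SUFFIXES)
    ]
    # Macros together with embedded objects match the chain described:
    # the macro extracts the embedded payloads and the decoy on open.
    findings["suspicious"] = findings["has_vba"] and bool(findings["embedded"])
    return findings


def build_sample(with_vba: bool, embeds: list) -> bytes:
    """Construct a minimal OOXML-like archive for offline testing (placeholder content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/presentation.xml", "<presentation/>")
        if with_vba:
            zf.writestr(VBA_PART, b"\x00placeholder-vba-project")
        for name in embeds:
            zf.writestr(EMBED_PREFIX + name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: macro project plus two embedded objects.
    print(triage_presentation(build_sample(True, ["oleObject1.bin", "payload.exe"])))
```

Real embedded objects usually appear as `oleObjectN.bin` rather than with their original extension, so treat the `has_vba` plus `embedded` combination as the primary signal and the extension match as a bonus.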

Crimson RAT Malware

The Crimson RAT malware supports 22 commands for C2 communication and uses a specific command, “put SRT”, to establish persistence, which it applies multiple times. It can reconnect to the threat actor’s C2 infrastructure.

PDB Paths

The PDB paths embedded in the samples contain random-looking names that can still be used to attribute the samples to the threat actor.

C2 Infrastructure

The threat actor’s C2 infrastructure reuses a common target name or computer name and a specific RDP server with port 3389 open.

Targeting Universities

In addition to targeting defense entities, the threat actor has been targeting university students since last year, using lures themed around IoT, assignment questions, and financial accounting. The goal is to gather student information, which may be sold to opposition groups.

Telemetry Spikes

The campaign started in Q4 2022 and peaked in February, followed by a slight reduction in activity. It nevertheless remains prevalent at present.

Importance

It is essential for organizations to take the necessary precautions against advanced persistent threat actors, who can disrupt critical operations and sabotage business processes.