{"id":8119,"date":"2021-07-12T12:45:36","date_gmt":"2021-07-12T15:45:36","guid":{"rendered":"https:\/\/www.fie.undef.edu.ar\/ceptm\/?p=8119"},"modified":"2021-07-12T12:46:46","modified_gmt":"2021-07-12T15:46:46","slug":"operacion-sidecopy","status":"publish","type":"post","link":"https:\/\/www.fie.undef.edu.ar\/ceptm\/?p=8119","title":{"rendered":"Operation SideCopy"},"content":{"rendered":"<p>Quick Heal's threat intelligence team recently uncovered evidence of an advanced persistent threat (APT) against Indian defence forces. The analysis shows that many older campaigns and attacks over the past year are related to &#8216;Operation SideCopy&#8217;. This cyber operation has targeted India's defence forces and armed forces personnel.<\/p>\n<hr \/>\n<p><strong>Introduction<\/strong><\/p>\n<p class=\"selectionShareable\">Quick Heal\u2019s threat intelligence team recently uncovered evidence of an advanced persistent threat (APT) against Indian defence forces. 
Our analysis shows that many older campaigns and attacks over the past year are linked to \u2018Operation SideCopy\u2019 by common IOCs.<\/p>\n<p><strong>Key Findings<\/strong><\/p>\n<ul>\n<li>Operation SideCopy has been active from early 2019 to date.<\/li>\n<li>This cyber operation has targeted only Indian defence forces and armed forces personnel.<\/li>\n<li>The malware modules seen are constantly under development, and updated modules are released after reconnaissance of victim data.<\/li>\n<li>The actors keep track of malware detections and update modules when they are detected by AV.<\/li>\n<li>Almost all CnC servers belong to Contabo GmbH, and the server names are similar to machine names found in the Transparent Tribe report.<\/li>\n<li>This threat actor is misleading the security community by copying TTPs that point to the Sidewinder APT group.<\/li>\n<li>We suspect this threat actor has links with the Transparent Tribe APT group.<\/li>\n<\/ul>\n<p class=\"selectionShareable\">The highlighted ones were sent to targets across Indian defence units and to armed forces personnel.<\/p>\n<p class=\"selectionShareable\">We started tracking this campaign because it was targeting critical Indian organizations.<\/p>\n<p class=\"selectionShareable\">Traces of this operation can be tracked from early 2019 to date. So far, we have observed 3 infection chain processes.<\/p>\n<p class=\"selectionShareable\">In two of the chains, the initial infection vector was an LNK file delivered by malspam. In one case, however, we saw the attackers use a template injection attack and the Equation Editor vulnerability (CVE-2017-11882) as the initial infection vector. 
Though the initial infection vector is different in the third case, the final payload is similar to that of the first two chains.<\/p>\n<p class=\"selectionShareable\">The images below provide an overview of the malware infection in victim machines.<\/p>\n<p><strong>Infection Chain \u2013 Version 1:<\/strong><\/p>\n<p><img loading=\"lazy\" class=\"aligncenter size-full wp-image-8120\" src=\"https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2021\/07\/1.png\" alt=\"\" width=\"842\" height=\"454\" srcset=\"https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2021\/07\/1.png 842w, https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2021\/07\/1-300x162.png 300w, https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2021\/07\/1-768x414.png 768w\" sizes=\"(max-width: 842px) 100vw, 842px\" \/><\/p>\n<p><strong>Infection Chain \u2013 Version 2:<\/strong><\/p>\n<p><img loading=\"lazy\" class=\"aligncenter size-full wp-image-8121\" src=\"https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2021\/07\/2.png\" alt=\"\" width=\"826\" height=\"449\" srcset=\"https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2021\/07\/2.png 826w, https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2021\/07\/2-300x163.png 300w, https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2021\/07\/2-768x417.png 768w\" sizes=\"(max-width: 826px) 100vw, 826px\" \/><\/p>\n<p><strong>Infection Chain \u2013 Version 3:<\/strong><\/p>\n<p><img loading=\"lazy\" class=\"aligncenter size-full wp-image-8122\" src=\"https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2021\/07\/3.png\" alt=\"\" width=\"786\" height=\"385\" srcset=\"https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2021\/07\/3.png 786w, https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2021\/07\/3-300x147.png 300w, https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2021\/07\/3-768x376.png 768w\" sizes=\"(max-width: 786px) 100vw, 786px\" \/><\/p>\n<p 
class=\"selectionShareable\">We have provided an in-depth analysis of each of these modules in our latest report, which <a href=\"https:\/\/bit.ly\/3iRyceq\" target=\"_blank\" rel=\"noopener nofollow\" data-wpel-link=\"external\">can be found here<\/a>.<\/p>\n<p class=\"selectionShareable\">The background and analysis in this paper provide complete forensic details of our current thinking on the use of malware in this operation. We have provided all the factors that led to our attribution.<\/p>\n<p><strong>Source:<\/strong> <a href=\"https:\/\/www.seqrite.com\/blog\/operation-sidecopy\/\" target=\"_blank\" rel=\"noopener\"><em>https:\/\/www.seqrite.com<\/em><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Quick Heal's threat intelligence team recently uncovered evidence of an advanced persistent threat (APT) against Indian defence forces. The&hellip; <\/p>\n","protected":false},"author":1,"featured_media":8123,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[2,23],"tags":[],"_links":{"self":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/8119"}],"collection":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8119"}],"version-history":[{"count":2,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/8119\/revisions"}],"predecessor-version":[{"id":8125,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/8119\/revisions\/8125"}],"wp:featuredmedia":[{"embeddable":true,"hr
ef":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/media\/8123"}],"wp:attachment":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8119"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8119"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8119"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}