Introduction
SideCopy is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghan government personnel, since at least 2019. SideCopy's name comes from its infection chain, which tries to mimic that of SideWinder, a suspected Indian threat group. [MalwareBytes SideCopy Dec 2021]
Activities and Tactics
Country of Origin: 🇵🇰 Pakistan
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
- T1614 System Location Discovery
- T1518.001 Security Software Discovery
- T1584.001 Domains
- T1105 Ingress Tool Transfer
- T1016 System Network Configuration Discovery
- T1608.001 Upload Malware
- T1106 Native API
- T1059.005 Visual Basic
- T1518 Software Discovery
- T1566.001 Spearphishing Attachment
- T1574.001 DLL
- T1204.002 Malicious File
- T1082 System Information Discovery
- T1598.002 Spearphishing Attachment
- T1036.005 Match Legitimate Resource Name or Location
- T1218.005 Mshta
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- CyberGate
- Cyber Eye RAT
MITRE ATT&CK Software
Attribution and Evidence
Country of Origin: Pakistan
Additional attribution information pending cataloguing.
References
[1] MITRE ATT&CK. Group profile: SideCopy.
[2] MalwareBytes SideCopy Dec 2021: Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.