Full Report
Authors: Dixit Panchal & Vaibhav Krushna Billade

Table of Contents:
* Introduction
* Key Targets
* Infection Chain
* Initial Findings about Campaign
* Analysis of Decoy
* Technical Analysis
  * Stage 1: Analysis of LNK File
  * Stage 2: Analysis of HTA/JavaScript Payload
  * Stage 3: Analysis of Stage-1 Loader DLL
  * Stage 4: Analysis of Stage-2 Loader DLL and Shellcode
  * Stage 5: Analysis […]

Source: "Operation XENOFISCAL: SideCopy deploying persistent XenoRAT targeting the MoF, Afghanistan", first published by Seqrite Labs.
Analysis Summary
# Threat Actor: SideCopy
## Attribution & Identity
* **Actor Name:** SideCopy
* **Aliases:** None given in the report; SideCopy is treated as a sub-cluster operating under the broader **Transparent Tribe (APT36)** umbrella.
* **Origin:** Pakistan-linked.
* **Confidence Level:** Medium-to-high confidence based on TTP overlaps.
## Activity Summary
* **Operation Name:** Operation XENOFISCAL (May 2024).
* **Campaign Overview:** A targeted spear-phishing campaign using a ZIP archive containing a malicious LNK file. The campaign utilized a multi-stage infection chain to deploy a persistent version of XenoRAT.
* **Historical Context:** SideCopy has a well-established history of targeting South Asian government and military entities, often mimicking the tools or themes of other actors (like Sidewinder) to complicate attribution.
## Tactics, Techniques & Procedures
* **Spear-phishing:** Use of ZIP files containing malicious LNK files with Pashto-language filenames to lure targets.
* **Living-off-the-Land (LotL):** Abuse of `mshta.exe` (T1218.005) to execute remote HTA/JavaScript payloads directly in memory.
* **Persistence:** Registry Run keys (T1547.001) disguised as a legitimate Microsoft Edge entry, plus scheduled tasks (T1053.005).
* **Defense Evasion:**
* Padding URLs with long runs of commas to hinder simple string matching and parsing.
* In-memory execution of JavaScript and reflective code loading (T1620).
* AMSI Bypass (T1562.001) and Process Injection (T1055).
* **Multi-Stage Loading:** A complex chain involving an HTA payload, a Stage-1 Loader DLL, a Stage-2 Loader DLL/Shellcode, and the final RAT payload.
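The lure format described under Spear-phishing (a ZIP carrying an LNK) and the email-gateway mitigation later on the page both come down to one check: does an archive contain a Windows shortcut? The script below is an added example and not code from the Seqrite report. It builds a small ZIP in memory that imitates the lure (the Pashto-style filename and all member contents are constructed placeholders, not campaign artefacts) and scans it. Members are flagged both by the `.lnk` extension and by the Shell Link file header, so a shortcut renamed to `.pdf` is still caught.

```python
"""Gateway-side check for ZIP archives that carry Windows shortcut (.lnk) files.

Added example, not from the original report. The archive built by
build_sample_archive() is constructed here for the demonstration.
"""
import io
import zipfile

# MS-SHLLINK header: HeaderSize 0x0000004C (little-endian) followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C000000000000046")


def is_lnk(data: bytes) -> bool:
    """True if the first 20 bytes are a Shell Link header, whatever the name says."""
    return data[:len(LNK_MAGIC)] == LNK_MAGIC


def scan_zip(blob: bytes) -> list:
    """Return one finding per member that is, or looks like, a Windows shortcut."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            if info.filename.lower().endswith(".lnk"):
                reasons.append("lnk-extension")
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))  # only the header is needed
            if is_lnk(head):
                reasons.append("lnk-header")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def verdict(blob: bytes) -> str:
    """Gateway policy from the mitigation above: any shortcut inside means block."""
    return "block" if scan_zip(blob) else "allow"


def build_sample_archive() -> bytes:
    """Constructed sample: a decoy-looking PDF plus two shortcuts, one renamed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.pdf", b"%PDF-1.4 harmless decoy")
        # Pashto-style double-extension name, a placeholder and not a real lure filename.
        zf.writestr("د مالیې وزارت.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        # Shortcut hiding behind a .pdf extension: extension filters alone miss this.
        zf.writestr("invoice.pdf", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    for finding in scan_zip(sample):
        print(finding)
    print(verdict(sample))
```

Checking the header rather than only the extension matters in practice: Explorer hides the `.lnk` extension, so the filename a user sees is already misleading, and an attacker who expects an extension filter can rename the member as well. A gateway that wants to be stricter can also reject archives it cannot fully inspect (encrypted or nested beyond a depth limit).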
## Targeting
* **Sectors:** Government, Finance, Revenue.
* **Geography:** Afghanistan, including provincial-level offices.
* **Victims:**
* Ministry of Finance (MoF), Islamic Emirate of Afghanistan.
* Provincial Revenue & Finance Directorates (Mustoufiats).
* Finance Directors, Revenue Chiefs, and provincial-level government employees.
## Tools & Infrastructure
* **Malware Families:**
* XenoRAT (v1.8.7) - An open-source C# Remote Access Trojan.
* **Infrastructure:**
* **Delivery/HTA Host:** Compromised Afghan educational domain (used to serve the `.hta` and `.php` files).
* **C2:** Bulletproof hosting infrastructure in Europe; the source gives no more specific location.
* **Defanged IOCs:**
* `hxxp[:]//[compromised-afghan-edu-domain]/index.php`
* `ugayt.hta`
* `zuidrt.hta`
* `WayBroad.dll`
* `Aotestpass.dll`
## Implications
Operation XENOFISCAL demonstrates SideCopy's regional expertise: lures written in Pashto and decoys built from detailed internal organisational data (staff directories with mobile numbers). Pairing an open-source tool such as XenoRAT with a multi-stage loader chain suggests a strategic move toward cost-effective yet stealthy persistence on target networks.
## Mitigations
* **Binary Execution Policy:** Restrict or monitor the use of `mshta.exe`, especially when reaching out to external or unknown URLs.
* **Email Filtering:** Block ZIP archives containing LNK files at the email gateway.
* **Registry Monitoring:** Audit changes to `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run` for values that borrow a trusted product name but point somewhere unexpected (e.g., a value named "Microsoft Edge" whose target is not `msedge.exe` under the Edge install directory, or any Run value launching from a user-writable path).
* **Endpoint Detection:** Implement behavioral rules to detect LNK files launching system utilities (LOLBAS) and in-memory script execution.
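The mitigations above and the TTPs listed earlier (mshta.exe fetching a remote HTA, a Run value posing as Microsoft Edge, schtasks persistence, comma-padded URLs) translate into a handful of behavioural rules. The script below is an added example written for this page, not detection content from the Seqrite report. It runs those rules over constructed Sysmon-style events (Event ID 1 process creation and Event ID 13 registry value set), serialised as JSON lines the way a SIEM export might look. Hosts, users, SIDs, paths and the URL are placeholders, not campaign IOCs; the summary does not say exactly how the comma padding appears, so the normaliser assumes it shows up as runs of commas inside the command line.

```python
"""Behavioural rules over constructed Sysmon-style events (added example)."""
import json
import re

# Constructed events, not real telemetry: two malicious process creations, one
# mimicked Run value, and two benign records to show the rules stay quiet.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe ,,,,,,,,,,,,,,,,http://compromised-edu.example/ugayt.hta"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Edge",
     "Details": r"C:\Users\alice\AppData\Roaming\Updater\edgeupd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'schtasks.exe /create /sc minute /mo 5 /tn "EdgeUpdate" /tr "C:\Users\alice\AppData\Roaming\Updater\edgeupd.exe" /f'},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://learn.microsoft.com/'},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in EVENTS)  # JSON lines, one event per line

URL_RE = re.compile(r"https?://[^\s\"',]+", re.IGNORECASE)
# Legitimate Edge binaries (machine-wide or per-user installs) end with this path.
EDGE_BINARY_RE = re.compile(r"\\Microsoft\\Edge\\Application\\msedge\.exe\"?$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\", re.IGNORECASE)
COMMA_PADDING_MIN = 8  # assumption: ordinary command lines rarely carry this many commas


def normalise(cmd: str) -> str:
    """Collapse comma padding (assumed to be runs of commas) so URL_RE sees the target."""
    return re.sub(r",{2,}", "", cmd)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev: dict) -> list:
    """Rules for Sysmon Event ID 1; returns (technique, message) tuples."""
    alerts = []
    image = basename(ev.get("Image", ""))
    raw = ev.get("CommandLine", "")
    cmd = normalise(raw)
    url = URL_RE.search(cmd)
    if raw.count(",") >= COMMA_PADDING_MIN:
        alerts.append(("T1027", "comma-padded command line: " + raw[:60]))
    if image == "mshta.exe" and url:
        parent = basename(ev.get("ParentImage", ""))
        alerts.append(("T1218.005", f"mshta.exe fetching {url.group(0)} (parent {parent})"))
    if image == "schtasks.exe" and "/create" in cmd.lower() and USER_WRITABLE_RE.search(cmd):
        alerts.append(("T1053.005", "scheduled task launching from a user-writable directory"))
    return alerts


def check_registry(ev: dict) -> list:
    """Rules for Sysmon Event ID 13 on the per-user Run key."""
    target = ev.get("TargetObject", "")
    details = ev.get("Details", "")
    if "\\currentversion\\run\\" not in target.lower():
        return []
    value = target.rsplit("\\", 1)[-1]
    if "edge" in value.lower() and not EDGE_BINARY_RE.search(details.strip()):
        return [("T1547.001", f"Run value '{value}' mimics Edge but launches {details}")]
    if USER_WRITABLE_RE.search(details):
        return [("T1547.001", f"Run value '{value}' launches from user-writable path {details}")]
    return []


def run_detections(jsonl: str) -> list:
    """Return (line_number, technique, message) for every rule hit in a JSON-lines log."""
    hits = []
    dispatch = {1: check_process, 13: check_registry}
    for n, line in enumerate(jsonl.splitlines(), 1):
        if not line.strip():
            continue
        ev = json.loads(line)
        checker = dispatch.get(ev.get("EventID"))
        for technique, msg in (checker(ev) if checker else []):
            hits.append((n, technique, msg))
    return hits


if __name__ == "__main__":
    for hit in run_detections(SAMPLE_LOG):
        print(hit)
```

The two benign records (a normal Edge launch and a OneDrive Run value under Program Files) produce no hits, which is the point of keying the Run-key rule on the target path rather than the value name alone. In production the same logic belongs in the SIEM's rule language; the Python form is only to show what each rule actually matches on.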