Description
[SideCopy](https://attack.mitre.org/groups/G1008) is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghan government personnel, since at least 2019. [SideCopy](https://attack.mitre.org/groups/G1008)'s name comes from its infection chain, which tries to mimic that of [Sidewinder](https://attack.mitre.org/groups/G0121), a suspected Indian threat group.(Citation: MalwareBytes SideCopy Dec 2021)
Techniques Used (TTPs)
- T1614 — System Location Discovery (discovery)
- T1518.001 — Security Software Discovery (discovery)
- T1584.001 — Domains (resource-development)
- T1105 — Ingress Tool Transfer (command-and-control)
- T1016 — System Network Configuration Discovery (discovery)
- T1608.001 — Upload Malware (resource-development)
- T1106 — Native API (execution)
- T1059.005 — Visual Basic (execution)
- T1518 — Software Discovery (discovery)
- T1566.001 — Spearphishing Attachment (initial-access)
- T1574.001 — DLL (persistence, privilege-escalation, defense-evasion)
- T1204.002 — Malicious File (execution)
- T1082 — System Information Discovery (discovery)
- T1598.002 — Spearphishing Attachment (reconnaissance)
- T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
- T1218.005 — Mshta (defense-evasion)
Total TTPs: 16
Malware & Tools
Malware: Action RAT, AuTo Stealer