Operations From APT36 To Government Agencies

Aliases: APT36, SideCopy, Transparent Tribe, Earth Karkaddan, Steppy Kavach, Operation C-Major
APT36 is an advanced persistent threat group attributed to Pakistan that primarily targets users working at Indian government organizations. SideCopy APT is a Pakistani threat actor operating since at least 2019, targeting mainly South Asian countries and more specifically India and Afghanistan.

Indicators of Compromise

tt1.apktrial.com
supremo-portal.in
nsdrive-phone.online
centralink.online
cloud-drive.store
www.ksboard.in
ksboard.in
s1.fileditch.ch
cloud-drive.geo-news.tv
drive-phone.geo-news.tv
meetup-chat.com
studentsportal.co
studentsportal.live.geo-news.tv
geo-news.tv
studentsportal.geo-news.tv
studentsportal.live
phone-drive.online.geo-news.tv
ns1.vebhost.com
user-onedrive.live
statefinancebank.com
meetsapp.org
govscholarships.in
in.statefinancebank.com
ns2.vebhost.com
share-lienk.info
incometaxdelhi.org
digitalrecovery.com
drive-phone.online
rodra.in
vebhost.com
user-onedrive.geo-news.tv
zainhosting.net
www.rodra.in
rodra.gov.in
studentsportal.website
phone-drive.online
sharing1.filesharetalk.com
sngpl.org.pk
fia-gov.org
nationalhelpdesk.pk
mofa-pk.org
customs-lk.org
www.cornerstonebeverly.org
kavachguide.com
wzxdao.com
kavach-app.com
kavachsupport.com
kavach.mail.nic-updates.in
hpuniversity.in
acmarketsapp.com
get-kavach.in
kavach-app.in
ncloudup.com
kavachdownload.in
nic-updates.in
cornerstonebeverly.org
kcps.edu.in
xlapp.workbooks.open
gcloudsvc.com
getkavach.com

APT Groups (2)

SideWinder
Aliases: RAZOR TIGER, Rattlesnake, APT-C-17, T-APT-04
SideCopy (Pakistan)
Aliases: SideCopy

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Remediations
Steps Need to Take to Recover from a Phishing Attack
Below are some of the key steps that you will need to take to recover from a phishing attack, safeguard your data and prevent any further disruption to your business.

Step 1. Disconnect Your Device from the Internet
In order to reduce the risk of malware propagating throughout your network, the first step to take is to disconnect your device from the network. Either locate your Wi-Fi settings and disconnect from the network or simply unplug the internet cable from your device.

Step 2. Change Your Passwords
If you were redirected to a spoof website and asked to enter your credentials, the first thing you should do is go to the real website and change your passwords. Although not recommended, many people still use the same credentials for multiple accounts. If this is the case, you should change the passwords on all accounts that use the same credentials. It might also be worth changing your password hints and security questions. To be extra careful, you should carry out a company-wide password reset.

Step 3. Scan Your Network for Malware
While your anti-virus software will do its best to inform you if you have been infected, these solutions are not fool-proof. You should conduct a full scan of your network for malware, including all devices, files, applications, servers, etc.

Step 4. Check for Signs of Identity Theft
If you believe that you have been the victim of a phishing scam, you should review all relevant accounts for signs of identity theft. For example, you will need to look at your bank statements for suspicious transactions. In most cases, your bank will alert you of any suspicious account activity. You should also notify the relevant credit reporting agencies. In the United States, the three major credit reporting agencies are TransUnion, Equifax, and Experian.

Step 5. Speak to Employees About What Happened
You will need to ask all relevant personnel about what they saw and when. Did they see anything suspicious? Did they click on a link or download an attachment?

Step 6. Conduct a Forensic Analysis to Determine the Cause of the Incident
This is the point where you scrutinize all relevant logs for signs of compromise, and you must also ensure that your logs are retained for a sufficient period of time. You will need to check your firewall logs for any suspicious network traffic – taking note of any unrecognized URLs and IP addresses. You will also need to review your mail server logs to see who received the phishing email, as well as your DNS logs to determine which users did a lookup on any malicious domains. It’s also a good idea to take a copy of the phishing email, and review the headers and attachments for clues about the nature and purpose of the attack. Finally, if you are using a real-time auditing solution, check the logs for any suspicious activity associated with sensitive data and privileged user accounts.

Step 7. Adjust Spam Filters to Block Similar Emails
Once you have an idea about what happened, you can review your email security settings to ensure that similar messages are blocked.

Step 8. Carry Out a Web Search for More Information About the Attack
Now that you have collected a sufficient amount of information about the nature and purpose of the attack, you should perform a web search to gather more information about what to expect, including any further steps that should be taken to recover from the incident and prevent future attacks.

Step 9. Ensure that All Employees are Made Aware of the Incident
In order to mitigate future attacks, you should ensure that all relevant personnel (including managers) have been informed about the attack and know what to look out for.

Step 10. Contact the Organization that was Spoofed
If the phishing email was pretending to be from a legitimate organization, you should contact the organization and inform them of the incident. That way, the organization in question can send an email to their customers, advising them to be on guard. It’s also a good idea to let the organization know that you have changed your password.

Step 11. Report the Incident to the Federal Trade Commission (FTC)
Residents of the United States should contact the FTC following a phishing attack. They will help you determine what information (if any) was stolen and give you advice about what to do next.

Step 12. Take a Backup and Update Your Software
It’s a good idea to take a backup of your data following a cyber-attack in case any of your data gets erased during the remediation process. You will also need to ensure that all software is patched in a timely manner as many forms of malware will try to exploit software vulnerabilities in order to spread to other parts of the network.
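Step 6 above asks you to review DNS logs to find which users looked up any of the malicious domains. The following is an added example (not code from the original page or from any vendor) showing how that check can be scripted against the campaign's domain indicators. It assumes dnsmasq-style query lines ("query[A] <name> from <ip>"); the log lines are constructed for illustration, and the IoC set is a subset of the domains listed on this page. Matching walks up the label chain, so a lookup of a subdomain such as kavach.mail.nic-updates.in is attributed to the listed parent nic-updates.in, while a look-alike such as notgeo-news.tv is not treated as a hit for geo-news.tv.

```python
"""Match DNS query logs against a domain IoC list (exact or subdomain match)."""
import re
from typing import Iterable, Optional

# Subset of the domain indicators listed on the campaign page above.
IOC_DOMAINS = {
    "geo-news.tv",
    "kavach-app.com",
    "nic-updates.in",
    "studentsportal.live",
    "statefinancebank.com",
    "supremo-portal.in",
}

# Constructed sample lines (not real traffic) in a dnsmasq-style query format.
SAMPLE_DNS_LOG = """\
Mar 12 09:14:01 dns01 dnsmasq[812]: query[A] www.example.org from 10.0.4.21
Mar 12 09:14:07 dns01 dnsmasq[812]: query[A] kavach.mail.nic-updates.in from 10.0.4.21
Mar 12 09:15:30 dns01 dnsmasq[812]: query[AAAA] geo-news.tv from 10.0.7.9
Mar 12 09:16:02 dns01 dnsmasq[812]: query[A] drive-phone.geo-news.tv. from 10.0.7.9
Mar 12 09:16:45 dns01 dnsmasq[812]: query[A] notgeo-news.tv from 10.0.2.2
Mar 12 09:17:10 dns01 dnsmasq[812]: query[A] STATEFINANCEBANK.COM from 10.0.4.21
"""

# Assumed log shape: "query[<type>] <name> from <client ip>"
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)")


def normalise(name: str) -> str:
    """Strip a trailing root dot and lower-case so comparisons are case-insensitive."""
    return name.rstrip(".").lower()


def matching_ioc(name: str, iocs: set[str] = IOC_DOMAINS) -> Optional[str]:
    """Return the IoC that `name` equals or is a subdomain of, else None.

    Candidates are built by dropping leading labels one at a time, so
    'a.b.example.com' is checked as itself, 'b.example.com', 'example.com', 'com'.
    A look-alike such as 'notgeo-news.tv' never produces 'geo-news.tv' this way.
    """
    labels = normalise(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan_dns_log(lines: Iterable[str], iocs: set[str] = IOC_DOMAINS) -> list[dict]:
    """Return one record per log line whose queried name matches an IoC."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (or a different log format)
        ioc = matching_ioc(m.group("name"), iocs)
        if ioc:
            hits.append({
                "src": m.group("src"),
                "queried": normalise(m.group("name")),
                "ioc": ioc,
                "qtype": m.group("qtype"),
            })
    return hits


def affected_hosts(hits: list[dict]) -> list[str]:
    """Distinct client addresses that resolved an indicator; these are the
    machines to pull into the forensic review from Step 6."""
    return sorted({h["src"] for h in hits})


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG.splitlines())
    for h in found:
        print(f"{h['src']} looked up {h['queried']} (matches IoC {h['ioc']}, {h['qtype']})")
    print("hosts to investigate:", affected_hosts(found))
```

Run it against an exported resolver log instead of SAMPLE_DNS_LOG to get the list of client addresses to pull into the forensic review; if your resolver logs in a different format, only QUERY_RE needs to change. Bear in mind that a DNS lookup shows intent to connect, not a completed compromise, so the hits are leads for the log review, not verdicts.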

Reports & References (2)

Observed Countries (33)

AE (687)
AF (961)
AT (410)
AU (401)
AZ (928)
BE (309)
BG (282)
BW (106)
CA (587)
CN (379)
CZ (331)
DE (839)
ES (103)
GB (574)
IN (945)
IR (167)
JP (963)
KE (548)
KZ (37)
LK (215)
MN (591)
MY (604)
NL (729)
NP (157)
OM (158)
PK (958)
RO (771)
SA (161)
SE (552)
SG (403)
TH (19)
TR (263)
US (806)