BSidesCharm 2022 - The tribe and the copycat – A look into Pakistani APT campaigns in recent years

BSides Charm, 35:30, 292 views, published 2022-07
About this talk
In recent years, there has been a substantial uptick in intrusions attributed to Advanced Persistent Threat (APT) groups aligned with Pakistan. Two groups, ‘Transparent Tribe’ and ‘SideCopy’, have operated a variety of campaigns to realize the unified goal of espionage. Transparent Tribe is a well-established group, known to have operated since at least 2016. SideCopy, however, is a relatively new threat actor in the nascent stages of its life cycle, only disclosed recently, circa 2020. Using a combination of compromised and attacker-owned infrastructure, the APTs have deployed bespoke malware against a variety of targets in the Indian subcontinent. Typical targets for the groups include government and military entities in Afghanistan and India. In this presentation we take a deep dive into the tactics, techniques and procedures (TTPs) used by both groups over the course of the past two years. The presentation will start by showing the initial patterns and themes of the malicious documents and lures used by the groups in 2020. It will finish with an evolutionary analysis of Transparent Tribe’s and SideCopy’s tactics, culminating in the deployment of their Windows malware implants.

Asheer Malhotra (@asheermalhotra)

Asheer is a threat researcher specializing in malware analysis, reversing, detection technologies and threat disclosures within Talos. He has been researching malware threats for about a decade at FireEye, Intel, McAfee and now at Talos. His key focus is tracking nation-state attacks (APTs) across the world.