Operation XenoFiscal: SideCopy’s Precision Strike Against Afghanistan’s Financial Infrastructure

The Pakistan-linked threat actor known as SideCopy—operating under the broader strategic umbrella of Advanced Persistent Threats (APT) similar to Transparent Tribe (APT36)—has initiated a highly surgical spear-phishing campaign. The operation specifically targets the Afghanistan Ministry of Finance (MoF), with a focus on compromising all 34 provincial revenue directorates.

According to technical intelligence released by Seqrite, the campaign is characterized by a sophisticated, multi-stage infection chain designed to deploy a customized XenoRAT 1.8.7 implant. This malware communicates with resilient, bulletproof hosting infrastructure located in Europe to maintain command and control (C2).

The initial vector utilizes social engineering tailored to the local context. The attack begins with a ZIP archive containing a malicious LNK file. To increase the likelihood of execution, the attackers utilized a Pashto-language filename: “List of Employees Who Were Introduced to the Intellectual and Psychological Warfare Seminar.” By leveraging Pashto—the dominant administrative language in Afghanistan—the actors demonstrate significant pre-operational reconnaissance and cultural familiarity with the target’s social hierarchy.

Technical Deep Dive: The XenoRAT Deployment Chain

Infection Chain (Source: seqrite)
Figure 1: Detailed Malware Infection Chain (Source: Seqrite)

Upon execution, the malware immediately deploys a high-fidelity decoy document. This document contains a comprehensive staff directory for all 34 provinces, including names, titles, and mobile numbers of Finance Directors and Revenue Chiefs in both Dari and Pashto. This level of granularity indicates that the threat actor spent considerable time performing OSINT (Open Source Intelligence) prior to launch.

The technical execution of the malware is designed to evade traditional EDR (Endpoint Detection and Response) solutions through several layers of obfuscation and “Living-off-the-Land” (LotL) techniques:

  • Stage 1 (Execution & Fetching): The LNK file hijacks mshta.exe—a legitimate Windows utility—to act as a LOLBIN. It fetches a remote HTA payload from a compromised educational domain (abimj[.]edu[.]af), effectively masking malicious traffic as legitimate academic traffic.
  • Stage 2 (Obfuscation): The retrieved HTA delivers a heavily obfuscated JScript payload. This payload uses hex-encoded string arrays and a custom Base64 decoding routine to bypass static signature analysis and load a Loader DLL.
  • Stage 3 (Persistence): A .NET DLL is introduced, which drops a decoy PDF to distract the user. Simultaneously, it establishes registry-based persistence by creating a typosquatted value named “Edgre” to blend in with Microsoft Edge processes.
  • Stage 4 (Memory Injection): A second .NET shellcode loader pulls a disguised payload (ayui.vmxx). The malware then utilizes VirtualAlloc() and CreateThread() to reconstruct the payload entirely within the system’s RAM, minimizing the footprint on the physical disk.
  • Stage 5 (AMSI Bypass): To neutralize defensive scanning, the malware actively patches AmsiScanBuffer() to disable the Antimalware Scan Interface (AMSI), followed by using Assembly.Load for fully reflective, fileless execution.

The final payload, XenoRAT 1.8.7, establishes a connection to its C2 server via TCP. The communication is hardened using AES encryption and RTL-compressed traffic to evade network-level inspection. To prevent multiple infections on a single host, the actor uses the hardcoded mutex “clouda.” Once active, the RAT provides a full suite of espionage capabilities, including keylogging, real-time screen capture, webcam access, and SOCKS5 proxy tunneling for lateral movement.

Government Network Asset Identified via ASN (Source: seqrite)
Figure 2: Identification of Government Network Assets via ASN (Source: Seqrite)

Analysts note that this shift to XenoRAT represents an evolution in SideCopy’s toolkit, moving from AsyncRAT to more customized, open-source-based implants. Furthermore, the attackers have demonstrated tactical cleverness by staging malicious traffic alongside legitimate Afghan government assets (routing through AS58469). The primary C2 IP (185.235.137.106) is hosted via a Frankfurt-based bulletproof provider known to host SideCopy infrastructure.

Indicators of Compromise (IoCs)

Artifact Type SHA256 Hash
ZIP Archive 194B912C242604D6F9A79369F22338C58A13CE0CC2ED280CE505075808BC2F14
LNK File 3B4194BDFE40D94031A94B30397FFD8A4B09D0A4057668E897B8BDCD1703DD01
Decoy PDF DF9173A28C0B0B878C10A53D35CD7CE6F6ED66D207B6B7C4FF723721F1C027AB
ugayt.hta A63E90EE57A1F213A8FE76EF1A6CFF5AE9ED7EBCEDA258431533825E648C0C67
noway.bat 5833917BD137804F5A021D2CB37ADFE5C4B7B67DBB06D59C3B9C5CF393835E45
zuidrt.hta 99127C8C67D90E2776BEEB85281F9C68399BF4567B07A6B638D68B760212E88D
WayBroad.dll 8F2D979EF33B2900351C94C7335275A9342C75189E1A901998E90A539E944A1A
Aotestpass.dll 0019212F25EB04BBB33BB194879C095265DB7855D6003BDD777CF0CBB90EB772
XenoRAT 9AE3D785486022AF82EA92E51B26E3F55C1BBA88A7BE2AD9790F4240E8499D14

 

Related Articles

Back to top button