A cyber threat group linked to Pakistan, known as SideCopy, has executed a targeted attack on Afghanistan’s Ministry of Finance using a remote access tool called XenoRAT. This operation, named Operation XENOFISCAL, focused on Afghanistan’s provincial finance offices, known as Mustoufiats, which play a crucial role in the country’s financial administration.
Operation XENOFISCAL Unveiled
The cyberattack commenced with a spear phishing attempt that delivered a ZIP archive. Within this archive was a malicious shortcut file, cleverly disguised as a PDF document with a filename in Pashto, the primary language of Afghan government officials. The deceptive file masqueraded as a list of seminar invitees, suggesting that the attackers had a deep understanding of their targets’ professional environment.
Analysts from Seqrite, in collaboration with Cyber Security News, attributed this attack to the SideCopy APT cluster with moderate-to-high confidence. SideCopy is known to operate under the broader Transparent Tribe (APT36) umbrella, which has a history of targeting governmental bodies in South Asia. Seqrite Labs has been monitoring this threat as part of its global tracking of spear phishing campaigns.
Technical Aspects of the Attack
When the victim opened the shortcut file, the malware abused the legitimate Windows utility mshta.exe to connect to a compromised Afghan educational domain and retrieve a remote payload. This approach, known as Living-off-the-Land, lets attackers use tools already present on the system to circumvent security controls that watch for unknown binaries. The malware then decoded JavaScript in memory and wrote itself into the Windows Registry, disguising its persistence entry as a Microsoft Edge process.
The final stage of the attack deployed XenoRAT 1.8.7, an open-source remote access trojan, which established an encrypted connection to a server in Frankfurt, Germany. This server acted as the command-and-control hub and was kept separate from the initial delivery domain, so that access could be sustained even if the delivery infrastructure was discovered and taken down.
Strategic Implications and Recommendations
The attack was methodically structured across five stages, each designed to evade detection. The final payload used reflective loading to execute without writing to disk, which complicates detection by traditional file-scanning antivirus. Once active, XenoRAT communicated over encrypted TCP traffic and maintained persistence through both scheduled tasks and registry keys.
The attackers demonstrated prior knowledge by dropping a legitimate Afghan Ministry of Finance staff directory during execution, indicating reconnaissance through previous breaches. The use of local Afghan infrastructure for payload delivery helped the malware blend with legitimate traffic, evading standard network security tools.
Conclusion and Security Measures
Security professionals are advised to monitor for abnormal mshta.exe activities, unexpected registry entries mimicking system processes, and outbound traffic to unfamiliar European servers. Implementing application allow-listing, routine audits of scheduled tasks, and restricting HTA execution from public directories are recommended preventative measures. Seqrite has released specific detection signatures to aid in identifying compromised systems.
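As an added illustration of the first two monitoring recommendations above, the following Python script (example code, not Seqrite's signatures or anything from the original analysis) applies two rules to Sysmon-style process-creation and registry-set events: mshta.exe launched with a remote URL or from a user-writable folder, and a Run-key value whose system-sounding name hides a script-host payload. The event lines, field names, the `.invalid` domain and the keyword lists are constructed assumptions for the demonstration.

```python
import re

# Constructed Sysmon-style events (key=value, quoted where needed); not real telemetry from the incident.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\mshta.exe ParentImage=C:\\Windows\\explorer.exe '
    'CommandLine="mshta.exe https://example-edu.invalid/stage2.hta"',
    'EventID=1 Image=C:\\Windows\\System32\\mshta.exe ParentImage=C:\\Vendor\\setup.exe '
    'CommandLine="mshta.exe C:\\Program Files\\Vendor\\wizard.hta"',
    'EventID=1 Image=C:\\Windows\\System32\\mshta.exe ParentImage=C:\\Windows\\explorer.exe '
    'CommandLine="mshta.exe C:\\Users\\Public\\invite.hta"',
    'EventID=13 TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MicrosoftEdgeUpdate '
    'Details="mshta.exe vbscript:Execute(...)"',
    'EventID=13 TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive '
    'Details="C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
REMOTE_RE = re.compile(r'https?://', re.IGNORECASE)
PUBLIC_DIRS = ('\\users\\public\\', '\\temp\\', '\\downloads\\')      # user-writable drop locations (assumed list)
SCRIPT_HOSTS = ('mshta', 'wscript', 'cscript', 'powershell', 'rundll32', 'cmd', 'regsvr32')
SYSTEM_LOOKALIKES = ('edge', 'microsoft', 'windows', 'onedrive', 'update')  # names a RAT might borrow

def parse_event(line):
    """Turn one key=value event line into a dict; quoted values may contain spaces."""
    return {k: (q or u) for k, q, u in FIELD_RE.findall(line)}

def classify(ev):
    """Return the rule names an event triggers (empty list means nothing suspicious)."""
    hits = []
    if ev.get('EventID') == '1' and ev.get('Image', '').lower().endswith('\\mshta.exe'):
        cmd = ev.get('CommandLine', '').lower()
        if REMOTE_RE.search(cmd):
            hits.append('mshta_remote_url')        # HTA fetched over the network
        if any(d in cmd for d in PUBLIC_DIRS):
            hits.append('mshta_public_dir')        # HTA executed from a public/temp folder
    if ev.get('EventID') == '13' and '\\run\\' in ev.get('TargetObject', '').lower():
        name = ev['TargetObject'].rsplit('\\', 1)[-1].lower()
        data = ev.get('Details', '').lower()
        looks_system = any(w in name for w in SYSTEM_LOOKALIKES)
        if looks_system and any(data.startswith(h) or '\\' + h + '.exe' in data for h in SCRIPT_HOSTS):
            hits.append('run_key_masquerade')      # system-sounding value name, script-host payload
    return hits

def scan(lines):
    """Scan event lines and return (line_index, rule_names) for every alert."""
    return [(i, h) for i, h in ((i, classify(parse_event(l))) for i, l in enumerate(lines)) if h]

if __name__ == '__main__':
    for idx, rules in scan(SAMPLE_EVENTS):
        print(f'event {idx}: {", ".join(rules)}')
```

The vendor-installed HTA and the genuine OneDrive Run entry produce no alert, so the rules key on the delivery and masquerading behaviour described in the report rather than on mshta.exe or Run keys in general.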
The published indicators of compromise (IoCs) point to a high level of sophistication in both planning and execution. Security teams must remain vigilant and proactive to counter such evolving threats.
