An advanced persistent threat (APT) group dubbed SideCopy that predominantly targets Indian army personnel has increased its activity this year and is currently using new custom Remote Access Trojans (RATs) in operations across India.
The APT group has been operational since at least 2019 and seems to focus on targets of value in cyberespionage. Last year, Cyware said that SideCopy was behind a number of cyberattacks, including those targeting Indian defense forces and military officials.
In a report published on Wednesday, Cisco Talos stated that the recent rise in activity reflects an expansion of SideCopy's approaches, strategies, and tooling, with many new remote access trojans (RATs) and functional plugins being developed.
SideCopy Imitates the Sidewinder and Transparent Tribe APTs
The SideCopy group has a history of imitating infection chains used by the Sidewinder APT to deliver its own set of malware — in an attempt to confuse cybersecurity researchers.
SideCopy has also borrowed from Transparent Tribe, also known as PROJECTM, APT36, or Mythic Leopard.
According to The Hacker News, the group has been associated with multiple attacks targeting the Indian military and government organizations. Previous operations by Transparent Tribe used government- and military-related lures to single out Indian defense units and armed forces personnel and deliver malware capable of accessing files and clipboard data, terminating processes, and even executing arbitrary commands.
The Talos report indicates SideCopy has expanded from deploying a C#-based RAT called CetaRAT, the Allakore Trojan, and njRAT to four new custom Trojans and two further commodity RATs known as Lilith and Epicenter.
SideCopy's original infection chain employed malicious .LNK files and .DLLs to install a Trojan on a victim's device. The link lures frequently relate to Indian army operations, but the group has also used promises of explicit photos of women.
Four New Custom Remote Access Trojans (RATs)
The latest wave of attacks uses a wide range of TTPs, including malicious LNK files and decoy documents, to deliver a combination of remote access trojans (RATs) such as CetaRAT, DetaRAT, ReverseRAT, MargulasRAT, njRAT, Allakore, ActionRAT, Lilith, and Epicenter RAT.
Apart from army topics, SideCopy has also been observed using calls for proposals and job openings related to Indian think tanks as lures to target potential victims.
Besides deploying fully developed backdoors, SideCopy is also using plugins to perform specific malicious actions on the affected endpoint.
One such plugin is a Golang-based module called "Nodachi" that is designed to carry out reconnaissance and steal files from an Indian multi-factor authentication (MFA) app called Kavach.
Talos concluded:
What started as a simple infection vector by SideCopy to deliver a custom RAT has evolved into multiple variants of infection chains delivering several RATs. The use of these many infection techniques — ranging from LNK files to self-extracting RAR .exes and MSI-based installers — is an indication that the actor is aggressively working to infect their victims.