A cyber-espionage group has been observed increasingly targeting Indian government personnel as part of a broad campaign to infect victims with as many as four new custom remote access trojans (RATs), signaling a “boost in their development operations.”
Attributed to a group tracked as SideCopy, the intrusions culminate in the deployment of a variety of modular plugins, ranging from file enumerators to browser credential stealers and keyloggers (Xeytan and Lavao), Cisco Talos said in a report published Wednesday.
“Targeting tactics and themes observed in SideCopy campaigns indicate a high degree of similarity to the Transparent Tribe APT (aka APT36) also targeting India,” researchers Asheer Malhotra and Justin Thattil said. “These include using decoys posing as operational documents belonging to the military and think tanks and honeytrap-based infections.”
First documented in September 2020 by Indian cybersecurity firm Quick Heal, SideCopy has a history of mimicking infection chains implemented by the Sidewinder APT to deliver its own set of malware — in an attempt to mislead attribution and evade detection — while constantly retooling payloads that include additional exploits in its weaponry after a reconnaissance of the victim’s data and environment.
The adversary is also believed to be of Pakistani origin, with suspected ties to the Transparent Tribe (aka Mythic Leopard) group, which has been linked to several attacks targeting the Indian military and government entities. Past campaigns undertaken by the threat actor involve using government and military-related lures to single out Indian defense units and armed forces personnel and deliver malware capable of accessing files, clipboard data, terminating processes, and even executing arbitrary commands.
The latest wave of attacks leverages a multitude of TTPs, including malicious LNK files and decoy documents, to deliver a combination of bespoke and commercially available commodity RATs such as CetaRAT, DetaRAT, ReverseRAT, MargulasRAT, njRAT, Allakore, ActionRAT, Lillith, and Epicenter RAT. Apart from military themes, SideCopy has also been found employing calls for proposals and job openings related to think tanks in India to target potential victims.
“The development of new RAT malware is an indication that this group of attackers is rapidly evolving its malware arsenal and post-infection tools since 2019,” Malhotra and Thattil noted. The improvements demonstrate an effort to modularize the attack chains, while also demonstrating an increase in sophistication of the group’s tactics, the researchers said.
Besides deploying full-fledged backdoors, SideCopy has also been observed utilizing plugins to carry out specific malicious tasks on the infected endpoint, chief among which is a Golang-based module called “Nodachi” that’s designed to conduct reconnaissance and steal files targeting a government-mandated two-factor authentication solution called Kavach, which is required to access email services.
The goal, it appears, is to steal access credentials from Indian government employees with a focus on espionage, the researchers said, adding the threat actor developed droppers for MargulasRAT that masqueraded as installers for Kavach on Windows.
Malware researcher @0xrb, who is also independently tracking the campaign, reached out to The Hacker News with two more IPs used by SideCopy attackers to connect to the command-and-control server — 103[.]255.7.33 and 115[.]186.190.155 — both of which are located in the city of Islamabad, lending credence to the threat actor’s Pakistani provenance.
“What started as a simple infection vector by SideCopy to deliver a custom RAT (CetaRAT), has evolved into multiple variants of infection chains delivering several RATs,” the researchers concluded. “The use of these many infection techniques — ranging from LNK files to self-extracting RAR EXEs and MSI-based installers — is an indication that the actor is aggressively working to infect their victims.”