The SideCopy group, a known advanced persistent threat (APT) group, has expanded its arsenal and is now spreading new malware in various campaigns across India.
The group has been active since at least 2019. It is believed that it is focused on spearphishing and cyberespionage. Last year, Cyware reported attacks by SideCopy targeting Indian defense forces and military personnel.
Researchers from Cisco Talos noticed an uptick in activity in APT showing that the group is developing new techniques and tools, among them several new remote access Trojans (RATs) and plugins.
According to a new report, SideCopy hackers like copying techniques that are usually used by Sidewinder, another APT that has attacked the Pakistani military and other targets in China. It does so to confuse security researchers.
SideCopy also mimics Transparent Tribe APT (PROJECTM, APT36, or Mythic Leopard), which is mainly focused on attacking Indian, and since recently – Afghanistani, military units and government institutions.
Having used CetaRAT, the Allakore Trojan, and njRA in the past, SideCopy has expanded its range of RATs by adding four new customized Trojans and two commodity RATs known as Lilith and Epicenter.
The APT’s original infection chain used .LNK files and .DLLs to create a Trojan that could execute on a victim’s machine. Since last year, SideCopy has evolved its attack chain to a multi-pronged attack that consists of a .Lnk file, three HTML applications, three loader .DLLs, and several RATs. In other variations, the group deployed an attack chain that deployed njRAT and used a self-extracting .RAR archive and .ZIP archives instead of the .LNK files.
Researchers say besides CetaRAT, attackers now are using DetaRAT, ReverseRAT, and MargulasRAT. They are capable of various types of exploitation, such as loading additional plugins, data theft, process tampering, screenshot capture, enumeration, keylogging, and browser credential stealing. One plugin, “Nodachi,” written in the Goland programming language is designed to steal files from Kavach, an Indian multi-factor authentication (MFA) app.
“What started as a simple infection vector by SideCopy to deliver a custom RAT has evolved into multiple variants of infection chains delivering several RATs,” Talos says. “The use of these many infection techniques — ranging from LNK files to self-extracting RAR .exes and MSI-based installers — is an indication that the actor is aggressively working to infect their victims.”
