A cyber-espionage gang has increasingly been observed targeting Indian government officials as part of a broader attempt to infect unsuspecting victims with four new custom remote access Trojans (RATs), which the researchers say indicates a “boost in their development operations.” According to Cisco Talos, the intrusions are linked to a group known as SideCopy, which has a history of imitating the infection chains used by the Sidewinder APT to deliver its malware, both to mislead attribution and to evade detection, while continually retooling its payloads to add further exploits to its arsenal after surveying the victim’s data and environment. The group was first documented in September 2020 by the Indian cybersecurity firm Quick Heal. Several modular plugins, ranging from file enumerators to browser credential stealers and keyloggers, are distributed by this trojan.
Malware researcher @0xrb, who is independently tracking the campaign, reached out to The Hacker News with two more IPs used by SideCopy attackers to connect to the command-and-control server: 103[.]255.7.33 and 115[.]186.190.155. Both addresses are located in the city of Islamabad, lending credence to the threat actor’s Pakistani provenance.
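The two addresses above are published in defanged form (`[.]` in place of `.`), so before they can be matched against network telemetry they must be refanged. The following is an added example, not code from the article or from Cisco Talos: it refangs the published indicators, validates them as IP addresses, and scans a handful of constructed firewall log lines (the `src`/`dst` format and the timestamps are assumptions, not real traffic) for outbound connections to those C2 addresses.

```python
import re
from ipaddress import ip_address

# The two C2 addresses reported in the article, kept defanged as published.
DEFANGED_C2 = ["103[.]255.7.33", "115[.]186.190.155"]

# Common defanging tokens; map each back to a literal dot.
_DEFANG_TOKENS = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged IP such as '103[.]255.7.33' back into '103.255.7.33'.

    Raises ValueError if the result is not a valid IP address, so a typo in
    an indicator list fails loudly instead of silently matching nothing.
    """
    cleaned = _DEFANG_TOKENS.sub(".", indicator.strip())
    ip_address(cleaned)  # validation only; raises on malformed input
    return cleaned


# Refanged indicator set used for lookups.
C2_SET = {refang(i) for i in DEFANGED_C2}

# Constructed sample firewall log lines (hypothetical format, not real data).
SAMPLE_LOGS = [
    "2021-07-07T10:01:02Z fw01 allow src=10.20.30.40 dst=103.255.7.33 dport=443 proto=tcp",
    "2021-07-07T10:01:05Z fw01 allow src=10.20.30.41 dst=142.250.74.78 dport=443 proto=tcp",
    "2021-07-07T10:02:11Z fw01 allow src=10.20.30.40 dst=115.186.190.155 dport=80 proto=tcp",
    "2021-07-07T10:03:00Z fw01 deny src=10.20.30.42 dst=1.1.1.1 dport=53 proto=udp",
]

# Parser for the assumed log format: timestamp, host, action, then key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)


def find_c2_hits(lines, c2_set=C2_SET):
    """Return one record per log line whose destination is a known C2 address."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        if m["dst"] in c2_set:
            hits.append({
                "ts": m["ts"],
                "src": m["src"],
                "dst": m["dst"],
                "dport": int(m["dport"]),
                "action": m["action"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOGS):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['dport']} ({hit['action']})")
```

Matching on exact addresses is the narrowest possible check; infrastructure like this is typically rotated, so treat a hit as a reason to pull the source host's full connection history rather than as the whole detection.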
According to researchers Asheer Malhotra and Justin Thattil, “The targeting methods and themes seen in SideCopy campaigns are quite similar to those of the Transparent Tribe APT, which also targets India, and these include decoys posing as military and think tank operational documents, as well as honeytrap-based infections.” In addition to military themes, SideCopy has been observed using calls for proposals and job advertisements related to Indian think tanks to lure potential victims. It has also been seen using plugins to carry out specific malicious tasks on infected endpoints, the most notable of which is a Golang-based module called “Nodachi,” designed to conduct surveillance and steal files relating to Kavach, a government-mandated two-factor authentication solution that is required to access email services.
The adversary is also believed to be Pakistani and tied to the Transparent Tribe group, which has been implicated in several attacks against Indian military and government targets. That threat actor has previously targeted Indian defense units and armed forces personnel with malware capable of accessing files, copying data, terminating processes, and even executing arbitrary commands, using government- and military-themed lures.
“Since 2019, this group of attackers has been quickly expanding their malware arsenal and post-infection techniques,” Malhotra and Thattil said. According to the researchers, these advances reflect an effort to modularize the attack chains and an increase in the sophistication of the group’s techniques. RATs such as CetaRAT, DetaRAT, ReverseRAT, MargulasRAT, njRAT, Allakore, ActionRAT, Lillith, and Epicenter RAT are used in the latest wave of attacks, which rely on a variety of TTPs, including malicious LNK files and decoy documents, to deliver a mix of bespoke and commercially available commodity RATs.
According to the researchers, the goal appeared to be to steal access credentials from Indian government officials, with an emphasis on espionage; they added that the threat actor produced MargulasRAT droppers that posed as Kavach installers on Windows.
“What began as a basic infection vector developed by SideCopy to transmit a custom RAT (CetaRAT) has expanded into several kinds of infection chains delivering multiple RATs,” the researchers concluded. “As indicated by the use of these many infection strategies, which vary from LNK files to self-extracting RAR EXEs and MSI-based installers, the actor is aggressively attempting to infect their victims.”