Indian Government Officials are Targeted with New Malware Created by SideCopy Hackers


A cyber-espionage group is increasingly targeting Indian government personnel as part of a broad campaign to infect victims with as many as four new custom remote access trojans (RATs), signalling a "boost in their development operations."

Attributed to a group tracked as SideCopy, the intrusions culminate in deploying various modular plugins, ranging from file enumerators to browser credential stealers and keyloggers (Xeytan and Laval), Cisco Talos said in a report published Wednesday.

SideCopy has a history of mimicking infection chains to deliver its own set of malware, in an attempt to mislead attribution and evade detection, while constantly retooling its payloads to include additional exploits in its arsenal after reconnaissance of the victim's data and environment.

The latest wave of attacks leverages various TTPs, including malicious LNK files and decoy documents, to deliver a combination of bespoke and commercially available commodity RATs such as CetaRAT, DetaRAT, ReverseRAT, MargulasRAT, njRAT, Allakore, ActionRAT, Lillith, and Epicenter RAT. Apart from military themes, SideCopy has also been found employing calls for proposals and job openings related to think tanks in India to lure potential victims.

"The development of new RAT malware is an indication that this group of attackers is rapidly evolving its malware arsenal and post-infection tools since 2019," Malhotra and Thattil noted. The improvements demonstrate an effort to modularise the attack chains while also showing an increase in sophistication of the group's tactics, the researchers said.

Besides deploying full-fledged backdoors, SideCopy has also been observed utilising plugins to carry out specific malicious tasks on the infected endpoint. The goal, it appears, is to steal access credentials from Indian government employees with a focus on espionage, the researchers said, adding the threat actor developed droppers for MargulasRAT that masqueraded as installers for Kavach on Windows.

"What started as a simple infection vector by SideCopy to deliver a custom RAT (CetaRAT), has evolved into multiple variants of infection chains delivering several RATs," the researchers concluded. "The use of these many infection techniques — ranging from LNK files to self-extracting RAR EXEs and MSI-based installers — is an indication that the actor is aggressively working to infect their victims."

"Targeting tactics and themes observed in SideCopy campaigns indicate a high degree of similarity to the Transparent Tribe APT (aka APT36) also targeting India," researchers Asheer Malhotra and Justin Thattil said. "These include using decoys posing as operational documents belonging to the military and think tanks and honeytrap-based infections."