Days after reports of unauthorized intrusions by Chinese state-sponsored actors targeting the Indian power sector, security researchers have uncovered a new cyberespionage campaign targeting government employees. An investigation by Cisco Talos found increased activity by the SideCopy threat group targeting government officials in India. SideCopy was found running several malware campaigns intended to compromise targeted devices and steal sensitive data. After the initial infection, the attackers deploy additional plugins such as file enumerators, keyloggers, and credential stealers to harvest valuable information from government personnel.
The Evolution of the SideCopy Gang
SideCopy is an advanced persistent threat (APT) group active since 2019. The researchers stated that SideCopy deploys its malware using techniques similar to those of the Transparent Tribe APT group (also known as APT36). SideCopy has since expanded its operations and added new tactics to its arsenal. The researchers found several different malware infection chains spreading customized remote access trojans (RATs) such as Allakore, njRAT, and CetaRAT.
The Infection Chain
The SideCopy group initiates its infection chain with malicious LNK files, followed by multiple HTAs and loader DLLs that deploy the intermediate and final malware payloads. The researchers found the SideCopy campaign using new RATs and plugins including MargulasRAT, DetaRAT, ReverseRAT, and ActionRAT. Alongside these custom RAT families, SideCopy also used the commodity RATs Lilith and Epicenter. A successful infection leads to the installation of additional payloads and modular plugins that perform activities such as keylogging, file enumeration, and browser password theft.
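The LNK -> HTA -> loader-DLL shape of the chain above is something a detection engineer can look for in process-creation telemetry without knowing any specific file hash: an HTA runs under mshta.exe, and a DLL that is handed to a host such as rundll32.exe or regsvr32.exe shows up as a child (or descendant) of that mshta.exe. The following Python is an added example written for this page, not code from Cisco Talos or from the SideCopy toolset. The events, paths and process IDs are constructed, and the choice of rundll32.exe/regsvr32.exe as the loader hosts is an assumption about how a dropped DLL would typically be executed, not something the report states.

```python
"""Detection sketch: flag a DLL loader host whose ancestry includes mshta.exe,
i.e. the HTA -> loader-DLL step of a LNK -> HTA -> DLL infection chain.

Input is a list of process-creation events with the fields any EDR or
Sysmon Event ID 1 feed provides: pid, parent pid, image name, command line.
"""

# Assumed DLL loader hosts; extend to match your environment.
LOADER_HOSTS = {"rundll32.exe", "regsvr32.exe"}

# Constructed sample events (not real telemetry, not SideCopy indicators).
EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmd": "explorer.exe"},
    # User opens a decoy .lnk; its target launches mshta.exe on a dropped HTA.
    {"pid": 200, "ppid": 100, "image": "cmd.exe",
     "cmd": r"cmd.exe /c mshta.exe C:\Users\Public\decoy.hta"},
    {"pid": 300, "ppid": 200, "image": "mshta.exe",
     "cmd": r"mshta.exe C:\Users\Public\decoy.hta"},
    # The HTA writes a loader DLL and runs it through rundll32.
    {"pid": 400, "ppid": 300, "image": "rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Public\stage2.dll,Start"},
    # Benign: an HTA that never spawns a loader host.
    {"pid": 500, "ppid": 100, "image": "mshta.exe",
     "cmd": r"mshta.exe C:\Tools\inventory.hta"},
    # Benign: rundll32 launched from the shell with no HTA ancestor.
    {"pid": 600, "ppid": 100, "image": "rundll32.exe",
     "cmd": "rundll32.exe shell32.dll,Control_RunDLL"},
]


def find_ancestor(event, by_pid, image, max_depth=8):
    """Walk up the parent chain and return the first ancestor whose image
    matches `image` (case-insensitive), or None. max_depth guards against
    pid reuse producing a cycle in the parent map."""
    cur = event
    for _ in range(max_depth):
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            return None
        if parent["image"].lower() == image:
            return parent
        cur = parent
    return None


def find_hta_loader_chains(events):
    """Return one tuple per suspicious loader host:
    (mshta_pid, loader_pid, launched_from_explorer).

    launched_from_explorer is True when the mshta.exe stage itself descends
    from explorer.exe, which is what a user double-clicking a LNK looks like."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if e["image"].lower() not in LOADER_HOSTS:
            continue
        hta = find_ancestor(e, by_pid, "mshta.exe")
        if hta is None:
            continue
        via_explorer = find_ancestor(hta, by_pid, "explorer.exe") is not None
        hits.append((hta["pid"], e["pid"], via_explorer))
    return hits


if __name__ == "__main__":
    for mshta_pid, loader_pid, via_explorer in find_hta_loader_chains(EVENTS):
        print(f"mshta.exe pid {mshta_pid} -> loader host pid {loader_pid}"
              f" (user-launched: {via_explorer})")
```

The two benign events are there to show what the rule does not fire on: an HTA on its own, and a loader host on its own, are both ordinary on Windows endpoints, and it is the parent-child relationship between them that carries the signal. In production the same logic would run against a streamed event feed rather than an in-memory list, and the loader-host set and depth limit would be tuned to the environment.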
“Recent activity from the group, however, signals a boost in their development operations. Talos has discovered multiple new RAT families and plugins currently used in SideCopy infection chains. Targeting tactics and themes observed in SideCopy campaigns indicate a high degree of similarity to the Transparent Tribe APT (aka APT36) also targeting India. These include using decoys posing as operational documents belonging to the military and think tanks and honeytrap-based infections,” Cisco Talos said.
In September 2020, cybersecurity solutions provider Quick Heal published evidence of SideCopy's cyberespionage campaign. Tracked as "Operation SideCopy," the campaign had targeted Indian Army personnel since 2019 to steal sensitive information. Researchers observed three infection chains in which the attackers exploited the Microsoft Office Equation Editor vulnerability (CVE-2017-11882) as the initial infection vector.