A cyber-espionage group was found targeting Indian government officials as part of a broad campaign to infect victims with new custom remote access trojans (RATs), signaling a “boost in their development operations.”
The attacks are attributed to the hacking group SideCopy, and the intrusions lead to the deployment of a variety of modular plugins, ranging from file enumerators to browser credential stealers and keyloggers (Xeytan and Lavao).
According to the researchers Asheer Malhotra and Justin Thattil, the targeting tactics and themes observed in SideCopy campaigns closely resemble those of the Transparent Tribe APT (aka APT36), which also targets India. These include the use of decoys posing as operational documents belonging to the military and think tanks, as well as honeytrap-based infections.
SideCopy, which was first documented in September 2020 by the Indian cybersecurity firm Quick Heal, has a history of mimicking infection chains implemented by the Sidewinder APT to deliver its own set of malware in order to avoid detection, while constantly retooling payloads, adding further exploits to its arsenal after reconnaissance of the victim’s data and environment.
The adversary is also believed to be of Pakistani origin, with suspected ties to the Transparent Tribe (aka Mythic Leopard) group, which has been linked to several attacks targeting the Indian military and government entities.
The development of new RAT malware indicates that this group is rapidly evolving its malware arsenal and post-infection tools. The improvements show an effort to modularize the attack chains and reflect an increase in the sophistication of the group’s tactics.
SideCopy deploys full-fledged backdoors and was also found using plugins to carry out specific malicious tasks on the infected endpoint, chief among which is a Golang-based module called “Nodachi” designed to conduct reconnaissance and steal files related to Kavach, a government-mandated two-factor authentication solution required to access email services.
The main aim is to steal access credentials from Indian government employees, with a focus on espionage. The attackers have also developed droppers for MargulasRAT that masquerade as Kavach installers on Windows.