Researchers from Cisco’s Talos intelligence has observed a SideCopy malware extending its campaign against Indian entities with the behavior mimicking Transparent Tribe APT (aka APT36) variant.

The initial infection vector of this SideCopy malware seems to be using the malicious LNK files for the entry point followed with HTA and DLL based attacks for delivering the final payload.

Source: Talos

“Talos also discovered the usage of other new RATs and plugins. These include DetaRAT, ReverseRAT, MargulasRAT and ActionRAT. We’ve also discovered the use of
commodity RATs such as njRAT, Lilith and Epicenter by this group since as early as 2019.”
reads the report.

Source: Talos

Researchers also revealed that this particular strain has the capability to utilize modular plugins to execute malicious tasks like upload/download of the file, keyloggers, Browser based credential stealers and a Nodachi plugin, which has the capability to do reconnaissance and file stealing capabilities targeting indian users via MFA app called “Kavach” along with other malware families capabilities.

Adversaries operations:

  • Their preliminary infection chains involve delivering their staple RATs.
  • Successful infection of a victim leads to the introduction of a variety of modular plugins.
  • The development of new RATs is an indication that this group of attackers is rapidly evolving its malware arsenal and post-infection tools since 2019.
  • The group’s current infrastructure setup indicates a special interest in victims in Pakistan and India.

Besides all these, SideCopy also uses the honeytrap technique to lure the victims by displaying the explicit photos of women over the malicious LNK file which delivers CetaRat and Allakore which is similar to the behavior of APT36 (Transparent Tribe) which extensively targeted India’s military with the CrimsonRAT.

Researchers also observed that this specific SideCopy variant clones the legitimate websites which actually delivers the malicious content to its visitors. Apart from that, multiple phishing portals handled by SideCopy threatactors also discovered which poses as GOI(Government of India’s) webmail to trick victims for stealing the credentials.

What started as a simple infection vector by SideCopy to deliver a custom RAT (CetaRAT), has evolved into multiple variants of infection chains delivering several RATs. The use of these many infection techniques — ranging from LNK files
to self-extracting RAR EXEs and MSI-based installers — is an indication that the actor is aggressively working to infect their victims.”
Concludes the report.

Researchers have given the detailed IOC’s lists for security researchers and organization to incorporate on their security monitoring devices.

–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s