A cybercrime gang known as SideCopy has been discovered targeting Indian government officials as part of a large-scale attempt to infect victims with new custom remote access trojans (RATs), indicating a “boost in their development operations.”
The intrusions led to the deployment of a number of modular plugins, ranging from file enumerators to browser credential stealers and keyloggers, alongside the new custom RATs Xeytan and Lavao.
The targeting strategies and themes seen in SideCopy campaigns are remarkably similar to the Transparent Tribe APT (aka APT36), which is also targeting India, according to researchers Asheer Malhotra and Justin Thattil.
These include decoys posing as military and think tank operational documents, as well as honeytrap-based infections.
SideCopy, which was first discovered in September 2020 by Indian cybersecurity firm Quick Heal, has a history of emulating the Sidewinder APT’s infection chains in order to deliver its own malware and avoid detection — all while constantly reconfiguring payloads to include additional exploits in its weaponry following a reconnaissance of the victim’s data and environment.
The actor is also thought to be Pakistan-based, with ties to the Transparent Tribe (aka Mythic Leopard) group, which has been implicated in a number of attacks against Indian military and government targets.
The development of new RAT malware reveals that this group’s malware arsenal and post-infection techniques are continually evolving.
The enhancements show an effort to modularize the attack chains, as well as a rise in the sophistication of the group’s techniques.
SideCopy uses plugins to carry out specific malicious tasks on the infected endpoint. The most notable is a Golang-based module called “Nodachi,” designed to conduct reconnaissance and steal files related to Kavach, a government-mandated two-factor authentication solution required to access email services.
The main goal is to steal credentials from Indian government personnel in order to conduct espionage.
The attackers also created MargulasRAT droppers disguised as Kavach installers for Windows.