SideCopy targeted Indian Government officials with new malware

by | July 17, 2021 | Uncategorized

SideCopy, a cyber-espionage group, has been observed increasingly targeting Indian Government staff as part of a large campaign to infect victims with the new custom remote access trojans (RATs), flagging a “boost in their development operations”!

Who are SideCopy?

  • The group was first discovered by Quick Heal (an Indian cybersecurity software company) in 2020, although has been active since 2019
  • It is believed to have Pakistan origins
  • They are an APT group (Advanced Persistent Threat); usually, APT groups are hackers that are backed by states and target countries’ infrastructure, national security mechanism and so on
  • “SideCopy uses themes designed to target military personnel in the Indian subcontinent. Many of the LNK files (a type of file that forensic investigators used to access metadata about recently accessed files, including deleted items) and decoy documents used in their attacks pose as internal, operational documents of the Indian Army”, according to a research.
  • They used tactics that are similar to another APT group called Transparent Tribe, whose existence has been traced back in 2013 by different security companies.

According to researchers Asheer Malhotra and Justin Thattil, “Targeting tactics and themes observed in SideCopy campaigns indicate a high degree of similarity to the Transparent Tribe APT (aka APT36) also targeting India. These include using decoys posing as operational documents belonging to the military and think tanks and honeytrap-based infections.”

  • SideCopy has a history of imitating infection chains implemented by the Sidewinder APT to provide its own set of malware in an attempt to deceive attribution and avoid detection.

What happened?

According to a report by the intelligence group Cisco Talos, SideCopy has expanded from the release of a C#-based RAT called CetaRAT, the Allakore Trojan, and njRAT to four new customized Trojans and two further utility RATs known as Lilith and Epicenter. Apart from military themes, SideCopy has also been making calls for proposals and job openings related to thin tanks in India to target potential victims.

SideCopy’s original infection chain employed maliciously.LNK files and.DDLs to install a Trojan on a victim’s device. Link baits will often relate to the Indian army operational, but the group also promises explicit photos of women. Himanshu Dubey, director of Quick Heal Security Labs, said that:

“Till now, this attack has been only seen targeting India. The Tactics, Techniques, and Procedures (TTP), as well as Decoy documents that we analyzed, were crafted specifically in Indian context”.

Malhotra and Thattil noted that “The development of new RAT malware is an indication that this group of attackers is rapidly evolving its malware arsenal and post-infection tools since 2019”.

However, SideCopy has also been observed to use plugins to perform specific malicious tasks on the infected endpoint, mainly a Golang-based module named “Nodachi,” which aims to detect and steal files targeting a government-mandated two-factor authentication solution named Kavach, that is required to access email services.

The purpose, it seems, is to steal access credentials from Indian government officials with a focus on espionage, the researchers said. In addition, the hackers developed a dropper for MargulasRAT that disguised as installers for Kavach on Windows.

Malware researcher @0xrb, who also independently traces the campaign, found two more IPs used by SideCopy attackers to connect to the command-and-control server: 103[.]255.7.33 and 115[.]186.190.155. Both of them are located in Islamabad, lending credence to the hacker’s Pakistani provenance.

The researchers concluded:

“What started as a simple infection vector by SideCopy to deliver a custom RAT (CetaRAT), has evolved into multiple variants of infection chains delivering several RATs. The use of these many infection techniques — ranging from LNK files to self-extracting RAR EXEs and MSI-based installers — is an indication that the actor is aggressively working to infect their victims.”

In an independent report shared with The Hacker News, cybersecurity company Quick Heal pointed out that the second wave of digital surveillance activities conducted by SideCopy participants targeted important public sector utilities (PSUs) from the telecommunications, power, and financial sectors in India.

The researchers noted that:

“The evidence […] suggests a highly organized operation designed to evade most security mechanisms,” the researchers said, adding the attackers “did detailed reconnaissance before launching the attack campaign” and “have enhanced the attack tools and methods, as compared to last year, to make detection difficult.”

Final words

India is going through a phase of increased cyberattacks for the past six months, with China and Pakistan posing as the attackers. Experts also recommended government authorities should make it mandatory and implement advanced cybersecurity.


Photo by Naveed Ahmed on Unsplash

by Andreea Popa

Content writer for Attack Simulator, delivering your daily dose of awareness for cyber security! Love to write passionately about any subject and my mainly inspiration are people's stories. You can also find me on social media, for some more friendly things!

There’s no reason to postpone training your employees

Get a quote based on your organization’s needs and start building a strong cyber security infrastructure today.