SideCopy cybercriminals use new custom Trojans in attacks against India's military

SideCopy imitates Sidewinder, poaching the same infection chains to deliver different malicious tools.
Written by Charlie Osborne, Contributing Writer

The SideCopy advanced persistent threat (APT) group has expanded its activities, and now, new Trojans are being used in campaigns across India. 

The APT has been active since at least 2019 and appears to focus on targets of value in cyberespionage. Last year, Cyware said that SideCopy was involved in a number of attacks, including those targeting Indian defense forces and military personnel. 

On Wednesday, researchers from Cisco Talos said a recent surge in activity "signals a boost" in the APT's development of techniques, tactics, and tools, with multiple, new remote access trojans (RATs) and plugins now in play. 

An interesting aspect of SideCopy is the group's attempts to confuse security researchers by copying techniques usually reserved for Sidewinder, a separate APT believed to have attacked the Pakistani military and other targets across China. 

SideCopy has also taken reference from Transparent Tribe, also known as PROJECTM, APT36, or Mythic Leopard. This group also strikes at Indian government and military units; however, Transparent Tribe has recently shifted its focus to Afghanistan. 

According to Talos, SideCopy has expanded from the deployment of a C#-based RAT called CetaRAT, the Allakore Trojan, and njRAT to four new customized Trojans and two further commodity RATs known as Lilith and Epicenter. 

SideCopy's original infection chain used malicious .LNK files and .DLLs to deploy a Trojan on a victim's machine. Link lures will often relate to the Indian army operational; however, the group also uses honeytraps -- in particular, the promise of explicit photos of women.

However, since last year, SideCopy's attack chain has evolved to a .LNK file, three HTML application files, three loader .DLLs, and then multiple RATs -- including two versions of CetaRAT deployed in the same strike. Decoy documents and images may also be used in the initial stages of an attack. 

In other variations, such as an attack chain that was designed to deploy njRAT, the group used a dropper hidden in a self-extracting .RAR archive, and in others, the .LNK element is completely abandoned in favor of malicious .ZIP archives hosted on attacker-controlled websites.  

DetaRAT, ReverseRAT, and MargulasRAT are new Trojans joining CetaRAT. They contain typical functions for this kind of malware -- the creation of a link between a victim machine and a command-and-control (C2) server, data theft, process tampering, clipboard data stealing, and screenshot capture -- with the exception of ReverseRAT, which is a simple reverse shell and removable drive monitor. 

Once infected, plugins are also deployed, including functions such as enumeration, keylogging, and browser credential stealers. One set of plugins of note are "Nodachi," written in the Goland programming language and designed to steal files from an Indian multi-factor authentication (MFA) app called Kavach. 

"What started as a simple infection vector by SideCopy to deliver a custom RAT has evolved into multiple variants of infection chains delivering several RATs," Talos says. "The use of these many infection techniques -- ranging from LNK files to self-extracting RAR .exes and MSI-based installers -- is an indication that the actor is aggressively working to infect their victims."

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards