India under attack by rapidly-evolving advanced persistent threat actor SideCopy, says Cisco Talos

Gang is using custom RAT malware to target government employees, and has an interest in Pakistan, too


Cisco’s Talos security unit says it has detected an increased rate of attacks on targets on the Indian subcontinent and has named an advanced persistent threat actor called SideCopy as the source.

The outfit on Wednesday posted that it has tracked “an increase in SideCopy’s activities targeting government personnel in India using themes and tactics similar to APT36 (aka Mythic Leopard and Transparent Tribe)”. SideCopy’s infrastructure, Talos opined, “indicates a special interest in victims in Pakistan and India,” as the malware used only initiates actions if it detects infections in those two countries.

The name SideCopy appears to have first been used by security firm Seqrite in a September 2020 analysis of previous attacks on Indian military targets. Seqrite said it has seen SideCopy activity from 2019.

Talos, in a 23-page report [PDF] on the matter, says the group has been active since 2018.

Whatever SideCopy’s age, Talos claims it has observed “a boost in their development operations”.

That increased effort to give Indian authorities grief has seen SideCopy spawn new remote access trojans – some of which use plug-ins to imbue them with additional functionality. Notable RATs loosed by SideCopy include:

  • MargulasRAT, a custom creation which masquerades as a VPN application from India’s National Informatics Centre;
  • CetaRAT, an oldie but a goodie;
  • DetaRAT, a previously unknown C#-based RAT that contains several RAT capabilities similar to CetaRAT;
  • ReverseRAT, a new C#-based reverse shell, based on CetaRAT, that also monitors removable drives;
  • ActionRAT, a Delphi-based RAT that resembles another well-known RAT named Allakore, but goes about its business using different methods. Talos found a C#-based version, suggesting a port to Microsoft’s .Net platform.

The group is also using what Talos calls “commodity” trojans in its attacks.

Talos says SideCopy is slinging its RATs using “many infection techniques – ranging from LNK files to self-extracting RAR EXEs and MSI-based installers” and that the use of multiple tactics “is an indication that the actor is aggressively working to infect their victims”.

The Cisco unit feels “a focus on espionage” is evident.

Talos also suggests that SideCopy has more exploits in store. “This boost in SideCopy’s operations aided by multiple infection chains, RATs and plugins marks the group’s intent to rapidly evolve their tactics, techniques and procedures,” the report concludes. ®
