Researchers at Cisco Talos have observed the Advanced Persistent Threat (APT) group SideCopy expanding its activity. The group is carrying out malware campaigns against entities in India for espionage purposes. In past attacks it used malicious LNK files and documents to distribute its staple C#-based RAT, which researchers call CetaRAT. SideCopy also relies heavily on Allakore RAT, a publicly available Delphi-based RAT. Recent activity, however, shows the group boosting its development operations, and multiple new RATs have been discovered in use in the infection chain. The group's attacks mimic those of the APT Transparent Tribe (APT36), which also targets India, in an attempt to confuse researchers investigating the attacks.

The infection chain in the new attacks has remained largely the same: malicious LNK files serve as the entry point, followed by a convoluted chain of multiple HTAs and loader DLLs that deliver the final payloads. Researchers also discovered new RATs and plugins, including DetaRAT, ReverseRAT, MargulasRAT, and ActionRAT, along with commodity RATs such as njRAT, Lilith, and Epicenter.
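As an added detection example (not code from the Talos report), the following flags the middle of the chain described above in process-creation telemetry: an mshta.exe process running an HTA that then spawns rundll32/regsvr32 loading a DLL from a user-writable directory. The event records and field names are constructed for illustration and do not follow any particular vendor schema.

```python
import re

# Constructed sample process-creation events (field names are an assumption,
# not a specific vendor schema). Event 202/303 models the chain in the report:
# a user-launched LNK runs mshta.exe on an HTA, which then loads a DLL.
EVENTS = [
    {"pid": 101, "ppid": 1, "image": "explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 202, "ppid": 101, "image": "mshta.exe",
     "cmd": r'mshta.exe "C:\Users\u\AppData\Local\Temp\report.hta"'},
    {"pid": 303, "ppid": 202, "image": "rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\u\AppData\Local\Temp\load.dll,Start"},
    {"pid": 404, "ppid": 101, "image": "mshta.exe",   # HTA with no loader child: not flagged
     "cmd": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
]

# Directories an unprivileged user can write to; a DLL loaded from here is suspicious.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Public|ProgramData|Downloads)\\", re.I)
LOADERS = {"rundll32.exe", "regsvr32.exe"}


def is_hta_launch(ev):
    """mshta.exe executing a local .hta file or fetching one over HTTP(S)."""
    cmd = ev["cmd"].lower()
    return ev["image"].lower() == "mshta.exe" and (".hta" in cmd or "http" in cmd)


def is_user_path_dll_loader(ev):
    """rundll32/regsvr32 loading a DLL that lives in a user-writable directory."""
    cmd = ev["cmd"]
    return (ev["image"].lower() in LOADERS and ".dll" in cmd.lower()
            and USER_WRITABLE.search(cmd) is not None)


def find_hta_loader_chains(events):
    """Return (mshta_pid, loader_pid) pairs where an HTA process spawned a DLL loader."""
    children = {}
    for ev in events:
        children.setdefault(ev["ppid"], []).append(ev)
    hits = []
    for ev in events:
        if not is_hta_launch(ev):
            continue
        for child in children.get(ev["pid"], []):
            if is_user_path_dll_loader(child):
                hits.append((ev["pid"], child["pid"]))
    return hits


if __name__ == "__main__":
    for hta_pid, loader_pid in find_hta_loader_chains(EVENTS):
        print(f"HTA -> DLL loader chain: mshta pid {hta_pid} spawned loader pid {loader_pid}")
```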