Researchers at Cisco Talos have observed the Advanced Persistent Threat (APT) group SideCopy expanding their activity. The group is carrying out malware campaigns that are targeting entities in India for espionage purposes. The attackers have used malicious LNK files and documents to distribute their staple C#-based RAT in past attacks. Researchers are calling this malware CetaRAT. SideCopy also relies heavily on the use of Allakore RAT, a publicly available Delphi-based RAT. However, recent activity from the group shows signs of them boosting their development operations, and multiple new RATs have been discovered and used in the infection chain. Attacks from the group mimic those of the APT Transparent Tribe (APT36) who is also targeting India. These new attacks seen by SideCopy mimic the attacks from APT36 in an attempt to confuse researchers when investigating attacks. The infection chain in the new attacks has remained relatively the same, using malicious LNK files as entry points, followed by a convoluted infection chain involving multiple HTAs and loader DLLs to deliver the final payloads. Researchers also discovered the use of new Rats and plugins which include DetaRAT, ReverseRAT, MargulasRAT, and ActionRAT along with the use of commodity RATs such as njRAT, Lilith and, Epicenter.
Analyst Notes
SideCopy has been known to carry out attacks against India in their previous campaigns. Like in other campaigns, the group will use methods that are similar to other APTs to try and mask their attack and trip up researchers that are investigating incidents. Cisco Talos is releasing IOCs based on what they have seen to help companies identify if they have been part of an attack from SideCopy. Companies should analyze the IOCs to see if they have been a victim of an attack from this group, especially if they are based in India. Utilizing a monitoring service such as Binary Defenses Managed Detection and Response will also help companies in identifying if they are being targeted in an attack and mitigate any infections quickly to stop them from spreading.
https://blog.talosintelligence.com/2021/07/sidecopy.html?m=1
