8 July 2021

SideCopy cyber-espionage group updates its arsenal with new RATs

SideCopy, a cyber-espionage group, which mainly targets Indian army personnel, has increased its activity this year and added new malware tools to its arsenal, according to a new report from Cisco Talos.

Active since 2019, the group mimics the infection chains of the Sidewinder APT (a threat actor that mainly targets Pakistani military targets) to deliver its own malware.

SideCopy’s previous campaigns involved malicious LNK files and documents delivering a custom C#-based malware dubbed CetaRAT by security researchers, as well as Allakore RAT, a publicly available Delphi-based RAT. In recent campaigns, however, the group has been observed using new plugins and RAT families, such as DetaRAT, ReverseRAT, MargulasRAT and ActionRAT. The group has also been observed using commodity RATs, including njRAT, Lilith and Epicenter.

“SideCopy campaigns indicate a high degree of similarity to the Transparent Tribe APT (aka APT36) also targeting India. These include using decoys posing as operational documents belonging to the military and think tanks and honeytrap-based infections,” Cisco Talos said.

The researchers noted that SideCopy’s infection chains have remained largely the same, with minor variations: malicious LNK files serve as entry points, followed by a convoluted chain involving multiple HTAs and loader DLLs to deliver the final payloads. If successful, the attack results in the installation of independent plugins with various capabilities, such as file enumeration, browser password theft and keylogging.
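A defender can hunt for the chain described above in process-creation telemetry by walking each DLL loader's ancestry back through one or more HTA hosts to an LNK launch. The following is an added example, not code from Cisco Talos or the report; the events are constructed, and it assumes mshta.exe hosts the HTAs, rundll32.exe/regsvr32.exe load the DLLs, and the LNK launch is visible as a command line referencing a .lnk file.

```python
"""Flag the LNK -> HTA(s) -> loader-DLL chain described above. Added example, not
Cisco Talos or report code; the telemetry is constructed. Assumed: mshta.exe hosts
the HTAs, rundll32/regsvr32 load the DLLs, and the LNK launch shows a .lnk path."""
from dataclasses import dataclass

HTA_HOSTS = {"mshta.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # executable name, lower-case
    cmdline: str   # full command line as logged

# Constructed process-creation events: a benign branch plus a two-HTA chain.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(300, 100, "cmd.exe", 'cmd.exe /c start "" "Order_2021.pdf.lnk"'),
    ProcEvent(310, 300, "mshta.exe", 'mshta.exe "C:\\Users\\u\\AppData\\Local\\Temp\\s1.hta"'),
    ProcEvent(320, 310, "rundll32.exe", "rundll32.exe C:\\Users\\u\\AppData\\Roaming\\ld.dll,Start"),
    ProcEvent(330, 310, "mshta.exe", 'mshta.exe "C:\\Users\\u\\AppData\\Local\\Temp\\s2.hta"'),
    ProcEvent(340, 330, "regsvr32.exe", "regsvr32.exe /s C:\\Users\\u\\AppData\\Roaming\\p.dll"),
    ProcEvent(400, 100, "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),  # benign
]

def ancestry(events, pid):
    """Yield the process with this pid, then its ancestors, nearest first."""
    by_pid, seen = {e.pid: e for e in events}, set()
    while pid in by_pid and pid not in seen:   # seen guards against pid cycles
        seen.add(pid)
        yield by_pid[pid]
        pid = by_pid[pid].ppid

def find_lnk_hta_dll_chains(events):
    """Return (lnk_pid, hta_pids, loader_pid) for each DLL loader reached via HTA(s) from an LNK."""
    hits = []
    for loader in events:
        if loader.image not in DLL_LOADERS:
            continue
        hta_pids, lnk_pid = [], None
        for anc in ancestry(events, loader.ppid):
            if anc.image in HTA_HOSTS or ".hta" in anc.cmdline.lower():
                hta_pids.append(anc.pid)           # collect every HTA stage, nearest first
            elif ".lnk" in anc.cmdline.lower():
                lnk_pid = anc.pid                  # chain is anchored at the LNK launch
                break
        if hta_pids and lnk_pid is not None:
            hits.append((lnk_pid, tuple(hta_pids), loader.pid))
    return hits
```

The benign rundll32.exe launched directly by explorer.exe produces no hit, while both loaders descending from the LNK-launched HTA stages are reported with the full HTA path between them.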

The development of new RAT malware indicates that SideCopy is quickly evolving and becoming more sophisticated, the researchers warned.
