A cyber-espionage group has been observed increasingly targeting Indian government personnel as part of a broad campaign to infect victims with as many as four new custom remote access trojans (RATs), signaling a “boost in their development operations.”
Attributed to a group tracked as SideCopy, the intrusions culminate in the deployment of a variety of modular plugins, ranging from file enumerators to browser credential stealers and keyloggers (Xeytan and Lavao), Cisco Talos said in a report published Wednesday.
Targeting tactics and themes observed in SideCopy campaigns show a high degree of similarity to those of the Transparent Tribe APT (aka APT36), which also targets India, researchers Asheer Malhotra and Justin Thattil said. These include the use of decoys posing as operational documents belonging to the military and think tanks, as well as honeytrap-based infections.
First documented in September 2020 by Indian cybersecurity firm Quick Heal, SideCopy has a history of mimicking the infection chains used by the Sidewinder APT to deliver its own set of malware, in an attempt to mislead attribution and evade detection, while constantly retooling its payloads and adding further exploits to its arsenal after reconnaissance of the victim’s data and environment.