An APT group known as SideCopy is increasing its activities and targeting Indian government officials with a new arsenal that contains remote access trojans (RATs) such as CetaRAT, Allakore, and njRAT.

The expanded SideCopy campaign mainly relies on the group's own set of malware, along with new RAT families that were customized to attack a specific set of entities in India.

Researchers found similarities between SideCopy and the Transparent Tribe APT (aka APT36), specifically in targeting Indian officials with weaponized documents that drop remote access trojans. The group has also kept expanding its arsenal since 2019 and boosting its development operations.

SideCopy APT Infection chain

Cisco Talos researchers found that the initial stage of infection is pulled from a remote location to target victims with several RAT families such as DetaRAT, ReverseRAT, MargulasRAT, and ActionRAT. It also includes some commodity RATs known as “Lilith” and “Epicenter.”

This APT also uses some artifacts and infection vectors that are identical to those of the Sidewinder APT group. The attackers use malicious LNK files as entry points and continue the infection chain with multiple HTAs and loader DLLs to deliver the final

The infection starts by delivering archive files containing weaponized LNK files to the victim’s Windows machine. The files are crafted so that victims click on and open them, at which point the malware starts infecting the system.

During the malware analysis phase, researchers found it extremely hard to understand the combination of malicious HTML Application (HTA) files and .NET-based loader DLLs that drops the CetaRAT and Allakore malware families on endpoint systems.

According to the Cisco Talos report, “Researchers saw the attackers improve their infection chains. These infections also begin with malicious LNK files delivered to the victims. However, what follows is a combination of three HTA files, three loader DLLs, two instances of CetaRAT in some cases, and Allakore.”
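For defenders, the archive-delivered LNK stage described above is a practical place to intercept the chain. The following Python triage sketch is an added example, not code from Cisco Talos or from this article: it flags archive members that carry the Shell Link header, use a double-extension lure name, or embed HTA hand-off strings. The function names, the lure-extension list, and the assumption that the shortcut references `mshta` or a remote URL are illustrative, and the sample archive is constructed.

```python
import io
import re
import zipfile

# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK format).
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")

# Assumption: the shortcut hands off to the HTA stage via mshta and/or a
# remote URL, so these strings inside an LNK are worth flagging.
SUSPICIOUS = [b"mshta", b"http://", b"https://", b".hta"]

def _contains(data: bytes, needle: bytes) -> bool:
    """Case-insensitive search in both ASCII and UTF-16LE encodings."""
    low = data.lower()
    wide = needle.decode("ascii").encode("utf-16-le")
    return needle in low or wide in low

def triage_archive(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive member that looks like a lure shortcut."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            is_lnk = data.startswith(LNK_MAGIC)
            name = info.filename.lower()
            reasons = []
            if is_lnk and not name.endswith(".lnk"):
                reasons.append("lnk-content-with-other-extension")
            if re.search(r"\.(pdf|docx?|xlsx?|jpg|png)\.lnk$", name):
                reasons.append("double-extension")
            if is_lnk:
                reasons += [f"string:{s.decode()}" for s in SUSPICIOUS if _contains(data, s)]
            if name.endswith(".hta"):
                reasons.append("hta-in-archive")
            if reasons:
                findings.append({"member": info.filename, "reasons": reasons})
    return findings

def build_sample() -> bytes:
    """Constructed sample: a fake LNK (header plus UTF-16LE argument) and a benign file."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56 + "mshta.exe https://example.invalid/a.hta".encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Notice.pdf.lnk", fake_lnk)
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()
```

Matching on the header bytes rather than the file extension means a shortcut renamed to look like a document is still reported.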

The Allakore family has a variety of malicious capabilities, including uploading and downloading files, capturing screenshots from the endpoint, enumerating directories and files, keylogging, and stealing current clipboard data.

Latest SideCopy infection chain.

At the end of a successful infection, the malware installs independent plugins that serve specific purposes such as file enumeration, browser password stealing, and keylogging.

These plugins enumerate, download, and upload files on the endpoint from/to the C2, perform keylogging, steal browser credentials, and more.

Cisco researchers also found a Golang-based component they call “Nodachi,” which steals different types of data, including from internet browsers, credential managers, and some sysadmin tools on the victim’s endpoint.

“The use of these many infection techniques — ranging from LNK files to self-extracting RAR EXEs and MSI-based installers — is an indication that the actor is aggressively working to infect their victims. This threat actor is also rapidly evolving its malware set using a combination of custom and commodity RATs and plugins. The variety of post-infection plugins specifically used by the attacker signifies a focus on espionage,” the researchers said.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.