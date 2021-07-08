
Cisco's Talos security unit said it has detected an increased rate of attacks against targets on the Indian subcontinent and named an advanced persistent threat actor called SideCopy as the source. On Wednesday the outfit posted that it has tracked an increase in SideCopy's activity targeting government personnel in India, using themes and tactics similar to those of APT36 (aka Mythic Leopard and Transparent Tribe). SideCopy's infrastructure, according to Talos, indicates a particular interest in victims in Pakistan and India, as the malware used only triggers its actions if it detects that the infected machine is located in one of those two countries. The name SideCopy appears to have been used for the first time by security company Seqrite in a September 2020 analysis of earlier attacks on Indian military targets. Seqrite said it had seen SideCopy activity as early as 2019.

Talos, in a 23-page report [PDF] on the matter, says the group has been active since 2018. Whatever SideCopy's age, Talos says it has seen an increase in the group's development operations. This increased effort to harm Indian authorities has seen SideCopy spawn new remote access Trojans, some of which use plugins to give them additional functionality. Notable RATs released by SideCopy include:

MargulasRAT, a custom creation that masquerades as a VPN app from the National Computer Center of India;

CetaRAT, an oldie but a goodie;

DetaRAT, a previously unknown C#-based RAT with several capabilities similar to those of CetaRAT;

ReverseRAT, a new C#-based reverse shell, based on CetaRAT, that also monitors removable drives;

ActionRAT, a Delphi-based RAT that resembles another well-known RAT named AllaKore but operates using different methods. Talos also found a C#-based version, suggesting a port to Microsoft's .NET platform.

The group also uses what Talos calls Trojans in its attacks. Talos says SideCopy delivers its RATs through many infection techniques, ranging from LNK files to self-extracting RAR executables and MSI-based installers, and that the use of multiple tactics is an indication that the actor is working aggressively to infect its victims.

The Cisco unit believes it is obvious that the focus is on espionage. Talos also suggests that SideCopy has more exploits in store. This increase in SideCopy's operations, aided by multiple infection chains, RATs and plugins, signals the group's intention to rapidly evolve its tactics, techniques and procedures, the report concludes.