NEW DELHI: An advanced persistent threat (APT) group that predominantly targets Indian army personnel has increased its activity this year. The group, which was first discovered by antivirus maker Quickheal in 2020, has expanded operations and added to its arsenal of infection techniques, targeting government officials and the Kavach application built by the National Informatics Centre (NIC) for accessing government emails.
According to the threat intelligence group Cisco Talos, the APT group known as SideCopy has added new remote access trojans (RATs) to its arsenal, and Talos observed an “expansion in activity” of the group’s malware campaigns targeting entities in India. “SideCopy uses themes predominantly designed to target military personnel in the Indian subcontinent. Many of the LNK files and decoy documents used in their attacks pose as internal, operational documents of the Indian Army,” the research said. The attackers have a “special interest” in victims from India and Pakistan.
The tactics used by the group are similar to another APT group called Transparent Tribe, whose existence has been traced back as far as 2013 by various security firms. Security firm Proofpoint had found malicious emails sent to Indian embassies in Saudi Arabia and Kazakhstan back in 2016.
“More recently in 2021, we have seen an increase in attempts to infect their victims. Their proliferation is also evident from the fact that we’ve discovered multiple RATs and malicious plugins now being used by SideCopy,” Asheer Malhotra, Research Engineer at Talos, told Mint.
The attackers used multiple government and policy documents from various related organisations as lures to infect victims. Talos found decoy documents imitating research papers from the Centre for Joint Warfare Studies and one posing as an advertisement for a call for proposals for the Chair of Excellence 2021 at the Centre for Land Warfare Studies (CLAWS). The group also uses calls for job openings at think tanks in India to target potential victims. One infection chain posed as a seniority list of the Indian Army as recently as 2021.
“The presence of a variety of decoy documents and file names pertaining to military, diplomatic and govt-based think tanks indicates a specific targeting of these entities,” Malhotra said.
SideCopy uses such malicious documents to deliver malicious LNK files to victims. LNK files are Windows shortcut files, a type of file that forensic investigators use to access metadata about recently accessed files, including deleted items. The group also uses RATs to gain unauthorized access to users’ devices, adding four new custom RATs and two that malware researchers have seen before.
One of these RATs, called Epicenter, can block the victim’s mouse and keyboard inputs and take screenshots of their work. Once a device is infected, SideCopy also uses tools such as keyloggers and file enumerators to steal data from victims. They also target web browsers such as Chrome and Opera, and apps such as CCleaner. They deliver this malware to victims through fake websites or compromised legitimate websites.
“Credentials extracted from any of these browsers installed on the endpoint are then written to a temporary log file on disk and subsequently exfiltrated to a DropBox location,” the report said. Another new component of the attacks steals credentials for Kavach, the NIC’s authentication system for government officials.