SideCopy & APT36 Strike Again: Indian Government Under Fire

In recent weeks, there has been an intensification of cyberattacks on Indian government bodies, initiated by groups linked to Pakistan. The analytical team at Seqrite Labs has identified several campaigns in which remote access trojans (RAT) were actively employed. Experts have confirmed a connection between the groups SideCopy and Transparent Tribe (APT36), noting similarities in their code and shared use of the same C2 infrastructure.

It is noted that the SideCopy group used AllaKore RAT in three campaigns, deploying two instances of the trojan in each. Transparent Tribe, meanwhile, actively employs Crimson RAT, delivering it in encrypted and packed forms.

Infection Chain of APT36

The primary targets of these cyberattacks are the defense and governmental structures of India. Both groups have been persistently attempting to penetrate these sectors since at least 2019. The increase in such malicious activity is accompanied by a steady rise in the sale of access to Indian organizations’ systems on underground forums.

The infection process typically begins with a phishing email carrying an archive that contains a shortcut (LNK) file; opening the shortcut launches a hidden process, which then downloads the malicious payloads from compromised domains.
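To make the chain above concrete from a defender's side, here is an added example (not code from the article or from Seqrite Labs) that correlates three constructed telemetry events into the archive -> shortcut -> hidden process -> download pattern: a .lnk file written under a temp directory, a script host spawned from explorer.exe with a hidden-window flag, and an outbound connection from that process to a host outside an allow-list. The script-host list, the hidden-window regex, the allow-list, the time window and every sample event are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: script hosts a malicious shortcut target commonly points at.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Assumption: command-line fragments that request a hidden console window.
HIDDEN_FLAGS = re.compile(r"(-w(indowstyle)?\s+hidden|/min\b)", re.IGNORECASE)
# Hypothetical corporate egress allow-list; anything else counts as unknown.
ALLOWED_DOMAINS = {"update.example-corp.test", "mail.example-corp.test"}


@dataclass
class Event:
    ts: int            # seconds since epoch (constructed values)
    kind: str          # "file", "proc" or "net"
    pid: int           # process that produced the event
    image: str         # image name of that process
    parent: str = ""   # parent image (proc events only)
    cmdline: str = ""  # command line (proc events only)
    path: str = ""     # created file (file events only)
    host: str = ""     # destination host (net events only)


def is_lnk_drop(ev: Event) -> bool:
    """A shortcut written into a temp location, e.g. by an archive extractor."""
    p = ev.path.lower()
    return ev.kind == "file" and p.endswith(".lnk") and "\\temp\\" in p


def is_hidden_host_spawn(ev: Event) -> bool:
    """A script host started from the shell (user double-click) with a hidden window."""
    return (
        ev.kind == "proc"
        and ev.image.lower() in SCRIPT_HOSTS
        and ev.parent.lower() == "explorer.exe"
        and HIDDEN_FLAGS.search(ev.cmdline) is not None
    )


def is_unknown_egress(ev: Event) -> bool:
    """An outbound connection to a host that is not on the allow-list."""
    return ev.kind == "net" and ev.host.lower() not in ALLOWED_DOMAINS


def find_chains(events: List[Event], window: int = 300) -> List[Tuple[str, int, str]]:
    """Return (lnk_path, pid, host) for every drop -> hidden spawn -> egress
    sequence in which each step follows the previous one within `window` seconds
    and the network event comes from the hidden process itself."""
    events = sorted(events, key=lambda e: e.ts)
    drops = [e for e in events if is_lnk_drop(e)]
    spawns = [e for e in events if is_hidden_host_spawn(e)]
    nets = [e for e in events if is_unknown_egress(e)]
    hits = []
    for d in drops:
        for s in spawns:
            if not 0 <= s.ts - d.ts <= window:
                continue
            for n in nets:
                if n.pid == s.pid and 0 <= n.ts - s.ts <= window:
                    hits.append((d.path, s.pid, n.host))
    return hits


# Constructed sample telemetry: one malicious chain and one benign PowerShell session.
SAMPLE_EVENTS = [
    Event(1000, "file", 412, "7zFM.exe",
          path=r"C:\Users\analyst\AppData\Local\Temp\Circular\Notice.pdf.lnk"),
    Event(1012, "proc", 5120, "powershell.exe", parent="explorer.exe",
          cmdline=r"powershell.exe -WindowStyle Hidden -File C:\Users\analyst\AppData\Local\Temp\loader.ps1"),
    Event(1030, "net", 5120, "powershell.exe", host="compromised-site.example"),
    # Benign: an interactive, visible PowerShell window talking to the corporate update host.
    Event(1100, "proc", 6000, "powershell.exe", parent="explorer.exe", cmdline="powershell.exe"),
    Event(1105, "net", 6000, "powershell.exe", host="update.example-corp.test"),
]

if __name__ == "__main__":
    for lnk, pid, host in find_chains(SAMPLE_EVENTS):
        print(f"chain: {lnk} -> pid {pid} -> {host}")
```

The rule deliberately requires all three stages so that a lone hidden PowerShell launch or a lone unknown domain does not fire on its own; in a real deployment the allow-list and the temp-path heuristic would be replaced by the organisation's own baselines.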

The deployed remote access trojans are capable of collecting system information, managing files, and intercepting clipboard data, posing a high degree of threat, particularly where the country’s military installations are concerned.

SideCopy and Transparent Tribe use encrypted strings for communication with C2 servers, complicating the detection of malicious operations. Compromised domains and IP addresses used in the campaigns allow for tracking the groups’ activity since last year.

With the increase in cyberattacks ahead of elections in India, experts recommend local organizations strengthen their cybersecurity measures. Analysts emphasize the need to protect against threats, particularly in the context of global geopolitical conflicts, which may provoke new attacks.

Thus, the observed surge in cyberattacks on India calls for heightened attention to cybersecurity at both the state and corporate levels, as well as stepped-up international cooperation to counter such cyber threats.