## Operation # SideCopy ### Returns ###### APT Group targeting the Indian Critical Infrastructure **Subject matter experts: Chaitanya Haritash, Security Researcher II |** **Whitepaper** Nihar Deshpande, Senior Security Researcher | Shayak Tarafdar, Security Research Lead ----- #### TABLE OF CONTENT INTRODUCTION 01 TECHNICAL ANALYSIS OF RECENT DEVELOPMENTS 02 ATTRIBUTION 09 EXPANSION IN OPERATION. 12 FINDING THE REAL ATTACKER 14 HANDLER’S ATTRIBUTION - CONNECTING ALL THE DOTS 17 CONCLUSION 18 MITRE ATT&CK TABLE 18 TABLE FOR IOCS 19 ----- #### INTRODUCTION The SideCopy APT Group has expanded its activity this year and now targets critical Indian sectors this time. Quick Heal Security Labs researchers have been tracking the notorious cyber-attack group [– ‘Transparent Tribe’ since the first SideCopy campaign in September 2020, discovered by](https://www.seqrite.com/blog/operation-sidecopy/) Quick Heal. The team has recently discovered an increase in SideCopy’s activities targeting certain Government agencies in India. The group has added new malware tools to its arsenal. [Another attack campaign that we had discovered in March 2021 (ref. blog), seems to be part](https://www.seqrite.com/blog/new-spear-phishing-campaign-using-army-welfare-education-societys-scholarship-form/) of the more extensive SideCopy campaign. The spear-phishing attack campaign used the Army Welfare Education Society’s scholarship form as a lure. The second wave of SideCopy uses COVID-19 as a lure, which is not unique since, in the last year & a half, the COVID-19 theme has been used in numerous cyber-attacks. However, this is the first time that the COVID-19 theme is being used in the SideCopy campaign. In most cases, successful execution of the attack would result in deploying a Remote Administration Tool. If a RAT gets installed, the attackers will get unrestricted access to the machine and steal sensitive data from these agencies. Administration Tool. If a RAT gets installed, the attackers will get unrestricted access to the machine and steal sensitive data from these agencies. ----- #### TECHNICAL ANALYSIS Email with C&C malicious Server attachments RAR/ZIP Archive Custom C# Implant ###### Vector-1 : LNK payload Execution LNK File HTA Extension File Spoofed Download and open Decoy File _(Vector-1: Execution Chain)_ _(Initial Intrusion via LNK file)_ ----- The initial intrusion chain begins with a spear-phishing email that attempts to lure users into extracting the attached zip archive. Upon extraction, the user would see a document file that is an extension spoofed LNK file. If the user opens the document, the LNK payload gets launched and initiates the malicious activities in the background. To ensure the user is not suspicious, a decoy document is presented to the user. ###### HTA Payload _(660427971b04313c2ebf2410f9ba4f67c5f1d8ecc472be6c709546a12dc97f7d)_ Once the LNK file is launched, it downloads the HTA payload from a compromised domain and executes it via mshta.exe. This HTA file is responsible for showing the decoy document to the user. In addition, it drops an executable of ReverseRAT on disc and executes it. ###### Custom C# Implant - ReverseRAT The APT group carefully chooses their targets, upgrades tools in their arsenal based on the targets, and mainly uses limited but effective functionality in being evasive. Most of the backdoors used in the campaign are NJRat; however, in one specific case, we came across a new payload written in C#, which installs an implant enabling attacker to examine the target and install other backdoors. This implant appears to be an advanced [version of the implant that we analyzed in our previous write-up.](https://www.seqrite.com/blog/new-spear-phishing-campaign-using-army-welfare-education-societys-scholarship-form/) ----- ###### Stage-1: _(solaris.exe - 864dc421ddda3032938a5f1753ebc4d24c6250cd201204c4024012fe2b8a460a)_ We noticed attackers are using a custom payload to drop the final implant, encrypted with Triple-DES in ECB mode, on disc with persistence via AutoRun registry key. ###### Stage2: _(inithost.exe - ee2cc931d5b4bad780abb0e5cee7d9bb51916035e4cce0e8239fe0a444ed523d)_ ----- The stage 2 is an implant with some extra features which work on the attacker’s command. This includes the following: **No.** **Features** **Command** 1 Download And Execute DW 2 Update The Working Binary UPDATE 3 Self-Kill CLOSE 4 Capture Screenshots RD+ and RD ###### Stage 2 features in detail This implant has additional features as compared to the previous version. This continuous enhancement of the attack tools shows that the attack group is active and is developing tools to target potential victims better. ###### Feature - Download and Execute _(Stage 2: Download and Execute)_ The download and execute routines are different from the previous version. The code has been made simpler and smaller than before. The base64 encoded staged binary is fetched from C2 and decoded and saved on disc in folder “wininets” before execution. |No. 1|Features Download And Execute|Command DW| |---|---|---| |2|Update The Working Binary|UPDATE| |3|Self-Kill|CLOSE| |4|Capture Screenshots|RD+ and RD-| ----- ###### Feature - Update the working binary _(Stage 2: Update Binary)_ The implant updates itself on commands issued by C2. The update mechanism is simple: - The implant fetches the updated version - Writes it to the current working directory with the name “jingo.exe.” - Stops the current process of working binary - Closes sockets - Starts a newly updated binary while killing itself ###### Feature - Self-Kill _(Stage 2: Self-Kill)_ ----- The implant can kill itself if the target is not of interest to the attacker. The command pushed from C2 “CLOSE” is meant to kill the connection. It, however, does not clear all the artifacts of persistence, so the attacker regains connection once the system is rebooted. ###### Feature - Capture Screenshots _(Stage 2: Screenshot Capture)_ ReverseRAT can capture screenshots on the victim’s machine. Method “Capture” accepts two parameters as integers - dimension width and height of the JPEG - provided by C2 in command. Once the function completes its job, it encrypts the image with AES with ECB mode and sends it back to C2. ###### Vector - 2: NJRAT - Lure Names with Extension Spoofing C&C Server Email with malicious attachments SFX file inside Zip Archive SFX file : Phase-3 of winhosti.exe Nationwide Covid-19 Vaccination Registration.pdf.exe _(Vector 2: Execution Chain)_ ----- _(NJRAT Configuration)_ Through telemetry, we noticed NJRat connecting to “149.248.52.61”. Further analysis showed that the RAT came via a zip file containing an SFX archive, which dropped a VBScript. This VBScript launched the C# variant of NJRAT connecting to the host mentioned above on port 87. After doing further research, we noticed that it's a code reused from GitHub. ----- #### ATTRIBUTION ##### 1. MachineID Since releasing our previous [report](https://www.seqrite.com/resources/operation-sidecopy) on Operation SideCopy in September 2020, we have been monitoring the activities of this attack group. We noticed that the group kept using the same machine to create most of their payloads: _(A sample from campaign in 2020)_ _(Sample used in this campaign)_ The above images show that the attacker used the same machine (with ID “desktop-g1i8n3f”) to create these LNK files. This clearly points to the current attack also being part of the SideCopy campaign. ----- ##### 2. The ReverseRAT payload connects to Ips hosted on CONTABO. Transparent Tribe, the group believed to be behind Operation SideCopy, uses CONTABO to host pay loads or serve as C&C. ##### 3. In a previous investigation, we observed that most hosts used in the SideCopy campaign resolve to subdomains having “VMI” and “VDM” strings at the beginning. The same is the case in this attack as well. ----- ##### 4. The whois information from the hosts indicate that the attack mentioned in our [previous blog (ref. blog) related to spear-phishing campaign using Army Welfare](https://www.seqrite.com/blog/new-spear-phishing-campaign-using-army-welfare-education-societys-scholarship-form/) Education Society’s scholarship form is part of the same group. ----- #### EXPANSION IN OPERATIONS SideCopy seems to be expanding its campaign to other countries as well. During our analysis, we came across a sample that appears to have come from a USA-based entity. _(65ae52ac448a011701c4f077449112329b79f23f758524dd753dfe757c52f508 - abc.hta)_ This sample is also generated from the same machine (machine with ID “desktop-g1i8n3f”). Upon execution, it launches an HTA payload and opens a decoy document. ----- _(Document opened once all stages are executed-_ _7751776f35e5eae53c4d6a3e5bc216f8cc3bcdafa856b6dd6b1c18f982615448_ The payload connects back to IP address “149.248.52.61”, which is the same as the other identified samples. The EXIF data of the decoy file shows that it was created on 2020-08-25T04:01:00Z. This indicates that actors are using this host for at least the second half of 2020. [Ref: https://www.cenjows.in/upload_images/pdf/E-Scan-01-15-Aug-2020.pdf](https://www.cenjows.in/upload_images/pdf/E-Scan-01-15-Aug-2020.pdf) ----- #### FINDING THE REAL ATTACKER Based on our telemetry intelligence and data from VirusTotal, we determined that the attackers were leveraging compromised websites that targeted organizations would generally access. This shows that attackers did detailed reconnaissance before launching the campaign. By data analysis, we came across the type of individuals that the campaign is targeting. In addition, we also identified types of websites that are being used to host attack artifacts & serve as Command & Control servers. This gave us a pivot, and we landed on two compromised websites where C2s were active and accessible. _(PHP script serving payloads to targeted victims based on the User-Agent)_ By analyzing accessible artifacts from these compromised websites, we uncovered that the threat actor is managing the campaign through a PHP script. Attackers use phishing emails to lure targeted individuals to these websites, where the PHP script serves the malicious payload based on user-agent info. In this example, Windows users are targeted. If the user-agent includes the string “Windows NT 10” or “Windows NT 6.3”, the actual payload is served. Otherwise, the decoy payload is done. #### FINDING THE REAL ATTACKER ----- Along with that, visitor logs are also saved in a text file. Over time, attackers may serve different payloads via the same PHP script for repeated visitors. This shows the level of sophistication of this campaign. _(Sample Victim Data Logs)_ Each campaign is monitored, and victim attributes are maintained in text and CSV files: 1. IP Address 2. Timestamp at which the payload was served 3. User-Agent info ----- Here is an example of the type of lure being used in phishing mails. We identified the following IP addresses through further data analysis, pointing to entities in Telecom, Power, and Finance sectors as potential targets. This is likely a subset of targets, though, as we suspect that several other government entities are being targeted in this campaign. **1.** **223.31.174.169** **2.** **164.100.43.40** **3.** **120.57.112.139** **4.** **120.57.112.246** **5.** **59.97.128.246** **6.** **117.201.89.40** **7.** **120.56.119.125** **8.** **117.197.175.43** **9.** **106.215.252.198** ----- #### HANDLER ATTRIBUTION - CONNECTING THE DOTS During the data analysis from C2 servers, we found a specific IP in almost all the logs. In fact, in both the C2 servers that we analyzed, this particular IP was the first entry. We believe this IP belongs to the test machine from which attackers validate whether their setup works fine. _(IP found as first entry in logs on C2 servers)_ Analyzing publicly available information on IP address 182.191.210.191 tells us that IP is located in Pakistan and is provided by PTCL (Pakistan Telecommunications Company Ltd.) ----- #### CONCLUSION Transparent Tribe attack group has been linked with Pakistan in the past as well. The evidence presented in this paper goes on to strengthen that claim even further. In the current campaign, SideCopy/Transparent Tribe is once again targeting critical government entities in India. The attack tools & methods have also been enhanced to make detection difficult. This shows that this attack group is well funded and actively improves attack mechanisms to infiltrate the target entities. We advise our customers to be aware of such attacks, set up necessary cybersecurity controls, follow good cybersecurity practices, train their employees on cyber risks, and keep monitoring their environment for anything suspicious. |MITRE ATT&CK MATRIX|Col2| |---|---| |Sphere Phishing: LNK payload|T1204.002| |Hosted HTA file Execution via mshta.exe|T1218.005| |Command And Control|TA0011| |AES encrypted communication|T1573.001| |Information Collection of Infected Host|T1082| |Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder|T1547.001| |njRAT|S0385| ----- #### TABLE FOR IoCs |SFX: 84609f9e443225a23cca8ab6be910c207d220bb430fd543d0724eaae8f7df592|director_general_level_border_coord ination_conference.pdf.exe| |---|---| |1afb690159f041ce4f0af3618ebd1cef4597d3d94bd249c4644b8e359f46199d|Indian Army Restructring And Re-Organization.pdf.exe| |f17fd9ff93d1b3db6c3e4463d5ca5c11b99827890c58721d2860df75d4323705|Phase-3 of Nationwide Covid-19 Vaccination Registration.pdf.exe| |c79ab21cf7fc23b9a096c4d9aa5b7cd02d968b8dfc58b137c2df44b1e55307b6|Kavach-Release-win.exe| |d5a109f147a4c051b993026dd24fa97f9eeacd26e3ec5595ade2316de733b712|4f1c460608a80b82094bf9c87f31e03 2.virus| |5aa238299b3d28da0cf4a46fce5ed6cf34db72c554f030fa03be3aea567336ac|Covid-Instr-2-21-DGMO-61.jpg .exe.bin| |LNK: 7f800784b00354dd15eee129317a63bd3f7bb25622e898c873603e5b142cbb09|Covid Vaccination On Emergency Basis for All Employees and their Familes.pdf.lnk| |df47ca45bdf2f910a0ebae49d29549240066f77d0abb735cf1afe41368cb0d85|Cir-Bfg-Int-May21-Summary.docx.lnk| |24469a7f1f33cdecf507824a773814b5f3190c81acaf04d06c168ccbf71b2ee8|Covid Vaccination.pdf.lnk| |54759951089f44a3918e164b8bf29c8f388cfd41f9930f81b8103852947fed93|Call-for-Proposal-DGSP-COAS-Chair- Excellance.pdf.lnk| |8a10797ac7f84d09cfb4cb3a6a1e75473dc81dab757c0000036a861575216e5c|DATE-OF-NEXT-INCREMENT-ON-UP -GRADATION-OF-PAY-ON-01-JAN-A ND-01-JUL.pdf.lnk| |ee58d8ecc5dce13f4eee1e6164654f82a5eb339dc3c6e023b69ea7d6df5b930f|Posting (AllTypes), Promotions, and Other Record Wing Matters.pdf.lnk| |e16153ee38bc971c4fd94f4d35996d0ef41a33bb53d5028170da48712904a3e7|ETPBs Speed_Post_Booking.pdf.lnk| |91cbd850c6ac25ad762eb256ab432c45af78737cb3fb042f6fd8b3ece9a96dfb|| |HTA : a00813028306c519829ca3b2f16357124aa77b998c9c6cc6f16c00c24503eace|shell.php| |660427971b04313c2ebf2410f9ba4f67c5f1d8ecc472be6c709546a12dc97f7d|course.hta| |65ae52ac448a011701c4f077449112329b79f23f758524dd753dfe757c52f508|abc.hta| |f927d3aec7a84b45d8b6e4f871cf4d4c462143079b31f7d07214754cfb04cb0a|style7.css.hta| |df173424d830588307eb70c50c5811cac66d8daf03f53d610cc0129ba5d30167|hta.10| |46e2595644f26bea7b6ad5b332ab04ee93cedb603717696ff82494f5217bdb97|hta.7| ----- #### TABLE FOR IoCs |ReverseRAT Implant Dropper: 864dc421ddda3032938a5f1753ebc4d24c6250cd201204c4024012fe2b8a460a|solaris.exe| |---|---| |259e0acea693e80af641925c2f881842e8aa979d770cc34a1769065028dd9d74|solaris.exe| |31564bd50713e63a6d4cb749048f7908b5f7629d2ef950b7240f85d734a32ceb|system.exe| |205a59ac9ca1e976a5923d79051d887694c2156c253ec204f96d7385eca35284|Ivew.exe| |ReverseRAT Implant: ee2cc931d5b4bad780abb0e5cee7d9bb51916035e4cce0e8239fe0a444ed523d|solaris1.exe| |b7ce2df21b8a9e8cba08e86700f435d42937b07d2103d9191767737de67ea82b|sigma.exe| |74d708dd367a18c2555f1e82b739b188e7d9722c28fef139eddd3d55abdc23b5|Def.exe| |96d87548a3b4cdc83dcd1e13e093a50c60073c74ee4a3bf4ed94689efc044974|slug.exe| |NJRat 0.7d: a8768e632a5c8fbb7c7b201f1e6df6362ed48d77efa74c62eaa900e0e73eebee|wintask.exe| |5d52f58a75bbe7519bbcae8333e91b5dbcc8459bb23bb01d077d5c51954c0ef8|wintask.exe| |8e3f04d34dfb35e685f6785c406ab5ffdad15ba376c8ac584bf25c7a7b3b547a|winwnet.exe| |1dab360111d8a0f59674bc5c725b88edac598dd7e0171ab7c3bc5416d45e6e89|winhosti.exe| |eb688e9d721c561fe334147c66679bbd988da10c06704a15f048b97a9f6b0f7f Domains: 5-135-125-106.cinfuserver[.]com|winonet.exe| |ikiranastore[.]com|| |londonkids[.]in|| |iiieyehealth[.]com|| |imenucard[.]com|| |Rarebooksocietyofindia[.]org|| |Vedicwisdom[.]in|| |vmi281634.contaboserver.net|| |vmi433658.contaboserver.net IP: 164.68.104.126|| |178.79.161.146|| |149.248.52.61|| |182.73.189.238|| |5.135.125.106 DLLs: 6cae885bcdd3139fd87c65ea817daa4b586cfd257a8127d8af3422b99e61f123|hta.dll| -----