## Operation # SideCopy ----- Quick Heal’s threat intelligence team recently uncovered evidence of an advanced persistent threat (APT) against Indian defence forces. Our analysis shows that many old campaigns and attacks in the past one year relate to 'Operation SideCopy' by common IOCs. The background and analysis in this paper provide complete forensic and useful details of our current research on the malware in this operation. ### Key Findings  Operation SideCopy is active from early 2019, till date.  This cyber-operation has been only targeting Indian defence forces and armed forces personnel.  Malware modules seen are constantly under development and updated modules are released after a reconnaissance of victim data.  Actors are keeping track of malware detections and updating modules when detected by Anti-Virus solutions.  Almost all CnC Servers belongs to Contabo GmbH and server names are similar to machine names found in the Transparent Tribe report.  This threat actor is misleading the security community by copying TTPs that point at Sidewinder APT group.  We believe that this threat actor has links with Transparent Tribe APT group. ### Summary A couple of months ago, Quick Heal’s Next-Gen Behavioural Detection System alerted on a few processes executing HTA from few non-reputed websites. We have made a list of URLs, connected from mshta.exe, across multiple customers: _hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/Armed-Forces-Spl-Allowance-Order/html/_ _hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/Defence-Production-Policy-2020/html/_ _hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/Images/8534_ _hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/IncidentReport/html/_ _hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/ParaMil-Forces-Spl-Allowance-Order/html/_ _hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/Req-Data/html_ _hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/Sheet_Roll/html_ _hxxps://demo[.]smart-school[.]in/uploads/staff_documents/9/Sheet_Roll/html_ _hxxps://demo[.]smart-school[.]in/uploads/student_documents/12/css/_ _hxxps://drivetoshare[.]com/mod[.]gov[.]in_dod_sites_default_files_Revisedrates/html_ ### Introduction details of our current research on the malware in this operation. ### Key Findings  Operation SideCopy is active from early 2019, till date.  personnel.  released after a reconnaissance of victim data.  by Anti-Virus solutions.  machine names found in the Transparent Tribe report.  Sidewinder APT group.  ### Summary a few processes executing HTA from few non-reputed websites. _hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/_ _hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/_ _hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/Images/8534_ _hxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/_ ----- The highlighted ones were sent to targets across Indian defence units and armed forces individuals. We started tracking this campaign as it was targeting critical Indian organizations. Traces of this operation can be tracked from early 2019 till date. Till now, we have observed three infection chain processes. Initial infection vector in two of the chains was LNK file, that came from a malspam. But in one case, we saw attackers making use of template injection attack and equation editor vulnerability (CVE-2017-11882) as the initial infection vector. Though the initial infection vector is different in the third case, the final payload is similar to the first two chains. Below images will provide an overview of malware infection in victim machines. #### Infection Chain – Version 1: ----- #### Infection Chain – Version 2: Infection Chain – Version 3: #### Infection Chain – Version 2: ----- #### Initial Infection Vector: LNK The victim receives LNK files, compressed into ZIP/RAR via emails. These files are shortcuts executing mshta.exe and providing remote HTA URL as the parameter. LNKs have a double extension with document icons, to trick the victim into opening the file. Victims just have to execute LNK files and rest all modules follow in background. Image 1: Malicious lnk to launch mshta.exe #### Initial Infection Vector: Template Injection Image 2 : Contents of settings.xml.rels Image 2 : Contents of settings.xml.rels #### Initial Infection Vector: LNK ----- #### Decoy Documents/Images: Names of initial infection LNKs/Documents seems to be quite realistic and lure the victim into opening it. And as the same say, the contents of decoy are related. Some sample decoy that we saw are: Image 3: Decoy document dropped by “Defence-Production-Policy-2020.docx.lnk” Image 4: Decoy image dropped by “Image-8534-2020.jpg.lnk” Looking at first decoy (Image 3), the victim seems to be a target that is interested in Indian defence news. The second decoy (Image 4) looks more of a honeytrap image. It is similar to a recent [campaign that we uncovered a few months ago.](https://www.seqrite.com/blog/operation-honey-trap-apt36-targets-defense-organizations-in-india/) #### Decoy Documents/Images: ----- ### Toolkit for both HTA-Stagers Stage-1 and Stage-2 HTA files seem to be created using CACTUSTORCH toolkit, which is available on GitHub. _https://github.com/mdsecactivebreach/CACTUSTORCH_ [CactusTorch is inspired by StarFighters and uses the DotNetToJScript tool. It loads and](https://github.com/Cn33liz/StarFighters) executes malicious .NET assemblies directly from memory. Similar to other fileless attack techniques, DotNetToJScript does not write any part of the malicious .NET assembly on [the victim machine. This blog contains good insight into how this toolkit works.](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cactustorch-fileless-threat-abuses-net-to-infect-victims/) #### Stage-1 HTA: **Stage-1 HTA** MD5 A7C9018A5041F2D839F0EC2AB7657DCF SHA256 C4A75A64F19BD594B4BB283452D0A98B6E6E86566E24D820BFB7B403E72F84E2 This HTA file is remotely downloaded via one of the URLs given in summary. It has 2 embedded files; a decoy document (can be an image file) and a DotNET module named ‘hta.dll’. DotNET serialization is used to execute ‘hta.dll’ module. The first section in this HTA file checks for installed DotNET version and creates a file at ‘C:\ProgramData\script.js’. This JS file is responsible for restarting victim machine so that no traces of running mshta.exe can be found. |Stage-1 HTA:|Col2| |---|---| |Stage-1 HTA MD5 A7C9018A5041F2D839F0EC2AB7657DCF|| |SHA256|C4A75A64F19BD594B4BB283452D0A98B6E6E86566E24D820BFB7B403E72F84E2| ----- The second section contains deserialization of DotNET object module to execute decoy document and download next HTA components. The functionality of embedded DotNET module named ‘hta.dll’ can be seen using dnSpy tool. Looking at code, we can see that the malware modules are constantly under development. ----- It executes Decoy file from %temp% folder. It then downloads the later stage HTA — next stage HTA is decompressed in the same way as decoy document i.e. Base64 + GZip decoding is done to get Stage-2 HTA file. ----- |Stage-2 HTA MD5 18FB04B37C7A6106FB40C5AAFDDD8935|Col2| |---|---| |SHA256|DD0762FC58ACB30F75B0A2A14DBEF2CCDA553EA9DDE08A180C60CD4113E1A506| **Stage-2 HTA** Stage-2 HTA is nearly similar to Stage-1 HTA but has more embedded modules. Stage-2 HTA again uses DotNET serialization to execute embedded components with file-less technique. At first, it checks for installed DotNET version: Later it checks for installed Antivirus product and passes all information to serialized DotNet module named ‘preBotHta.dll’. ----- The functionality of ‘preBotHta.dll’ can be seen via dnSpy tool. As we can see, none of the functions are obfuscated. Similar to ‘hta.dll’, this malware module is also constantly under development as can be seen below. “preBotHta.dll” during #2019 “preBotHta.dll” during #2020 ----- PinkAgain() function checks for available AntiVirus installed at victim machine and saves backdoor module accordingly. These AVs are widespread and popular in India. Other functionality includes:  Copying “Credwiz.exe” (legit) from system32/SysWOW64 folder to “C:\ProgramData\Adobe\credwiz.exe”  Drop Object1 from HTA into “C:\ProgramData\Adobe\DUser.dll”  Drop and execute BAT file for persistence at “C:\ProgramData\Adobe\addreg.bat”  Drop Object2 from HTA into “%temp%\MicroSoft\winms.exe”  Execute “Credwiz.exe” Image 7: credwiz.exe copying code in ‘preBotHta.dll’ ----- ### BAT module: BAT file adds registry entry into Run folder. Thus running credwiz.exe on the machine on every startup. Image: Content of BAT file #### Script.js file: This file is executed via cmd.exe to restart victim machine. Contents of this file are: Image: Content of BAT file var shell = new ActiveXObject('WScript.Shell');WScript.Sleep(900000);var exec = shell.Exec ('cmd.exe /k shutdown /r /t 0');exec.StdIn.Close(); ### BAT module: #### Side-Loading technique: **credwiz.exe** MD5 15CF85C3D904A7D8650164B0B831A318 SHA256 17EABFB88A164AA95731F198BD69A7285CC7F64ACD7C289062CD3979A4A2F5BF “Credwiz.exe” is a legit windows file copied from system32/SysWOW64 folder to “C:\ProgramData\Adobe\credwiz.exe”. When this file gets executed, it will side-load malicious duser.dll file which is dropped in the same folder. **DUser.dll** **(version 1)** MD5 AC4A8D82D91286D5E0F59B85C8975DF8 SHA256 FB761A2DA4841F8739D33A682C5F2F39A033C7BA16430CE5785F7D51AB5D1537 Module ‘DUser.dll’ is embedded as the 1st object into Stage-2 HTA file. The file gets dropped into “C:\ProgramData\Adobe\DUser.dll”. It has only 1 export function i.e. “cfileexists”. As the names suggsts, its only function is to check for the presence of a file at “%temp%\MicroSoft\winms.exe” (2nd object dropped from Stage-2 HTA file) and execute it. If not found, then it checks for “strcat.txt” at the same location. If it exists, then read the content of “strcat.txt” and write the content into a file named “winms.exe” as shown in below fig. |Side-Loading technique:|Col2| |---|---| |credwiz.exe MD5 15CF85C3D904A7D8650164B0B831A318|| |SHA256|17EABFB88A164AA95731F198BD69A7285CC7F64ACD7C289062CD3979A4A2F5BF| |DUser.dll (version 1) MD5 AC4A8D82D91286D5E0F59B85C8975DF8|Col2| |---|---| |SHA256|FB761A2DA4841F8739D33A682C5F2F39A033C7BA16430CE5785F7D51AB5D1537| ----- It will then launch the RAT module “winms.exe”. ----- |DUser.dll (version 2) MD5 B29E7FAC2D84DA758473F3B5E81F3265|Col2| |---|---| |SHA256|92E9CEEDF28C99F90F8892AEC9D2FA413FF0F4F17C5B0316D05871E95993C3FA| In a few instances, we saw a completely different version of DUser.dll module. This DLL had an export named as “DllMain”. An interesting PDB string was observed in this file. “F:\Packers\CyberLink\Latest Source\Multithread Protocol Architecture\Final Version\ DUser\Release\x86\DUser.pdb” As per the PDB path, DUser was developed in the folder “CyberLink\Latest Source\Multithread Protocol Architecture”. At this stage, we are not aware of any similar tool. This Duser.dll will initiate the connection over this IP address ‘173.212.224.110’ over TCP port ‘6102’. This IP address & port can be found out in file as it is mentioned in cleartext. Once successfully connected, it will try to delete a BAT file from Program Data as can be seen in below image and then proceed for performing various operations based on the command received from C2C. ----- The commands are numbers from 0 to 15, so it compares each time when it receives the command from C2. Based on the commands, it fetches the index value and redirects to specific function/module to perform the desired operation as shown in below figs. ----- For example if C2 sends 0, then it collects the Computer Name, Username, OS version etc. and sends it back to C2. ----- ### Backdoor modules: **winms.exe** **(dropped in Infection Chain - version 1)** MD5 AF0DD0070C02E15064496853BEFFA331 SHA256 8C6AFF2224FDD54615EF99D32A6134C961B6D7D576B6FF94F6B228EB8AF855AF This is a RAT tool and has very high resemblance with code found on below GitHub link. https://github.com/Grampinha/AllaKore_Remote/blob/master/Source/Client/Form_Main.pas Allakore_Remote is an opensource software written in Delphi. The communication happens via 173.249.50.230 over TCP Port 3245. |Backdoor modules:|Col2| |---|---| |winms.exe (dropped in Infection Chain - version 1) MD5 AF0DD0070C02E15064496853BEFFA331|| |SHA256|8C6AFF2224FDD54615EF99D32A6134C961B6D7D576B6FF94F6B228EB8AF855AF| ### Backdoor modules: ----- |sihostt.exe MD5 B065FB5E013D4393544E29B4D596C932|Col2| |---|---| |SHA256|A8D8A56CDA7E29DD64CF28B2BDAD19E8DCBF78E5900CF9CA53F952E9FD2452EB| In a few attack chains, we saw a DotNET based RAT being dropped in the startup folder by mshta process. This previously unseen RAT is used to perform multiple malicious tasks like:  Download and execute files  Upload files  Run process  Delete files  Rename files  Create directory  List directory  Get process info  Kill process  Copy clipboard data  Set clipboard data  Screen capture  ShellExecute command  Exit process ----- Below figure shows the code start function. This function creates a new object of the class core with two parameters as remote IP and encryption key. Image 8: Main function Similar to other modules, even this module is not obfuscated. Every function has meaningful names and readable code. Image 8: Main function ----- Image 10: Code to download and execute the file. ----- ### PDB Paths: Interesting PDB paths were seen in files that we have observed in past one year. D:\C\Proj\DUser\Debug\x86\hello-world.pdb D:\C\Proj\preBotHta_new\preBotHta\obj\Debug\preBotHta.pdb D:\Pkgs\Project\1-Stagers\5-DUser\Debug\x86\hello-world.pdb D:\Pkgs\Project\5-DUser\Debug\x86\hello-world.pdb D:\Pkgs\Project\Cyrus_HTA1+HTTP_HTA2+VNext_HTA3\hta\obj\Debug\hta.pdb E:\OpenRATs\NigthFury\NightFury HTA upload\preBotHta\obj\Debug\preBotHta.pdb F:\Packers\CoreDll\DUser\Release\x86\hello-world.pdb F:\Packers\CoreDll\preBotHta\preBotHta\obj\Release\preBotHta.pdb F:\Packers\CyberLink\Latest Source\Exploit Dropper\Update or Install\Dropper\Release\Update-Install.pdb F:\Packers\CyberLink\Latest Source\Exploit Dropper\Update or Install\Dropper\x64\Release\Update-Install.pdb F:\Packers\CyberLink\Latest Source\Multithread Protocol Architecture\Final Version\DUser\Release\x86\DUser.pdb E:\Packers\CyberLink\Latest Source\Multithread Protocol Architecture\Final Version\DUser\Release\x86\DUser.pdb G:\AT\Pkgs\Pkgs\Project\3-hta(hta1)_new_path\hta\obj\Debug\hta.pdb D:\Pkgs\Project\Standalone_HTA_With_Startup_Path\Project\preBotHta\obj\Debug\preBotHta.pdb By looking at changes in codes across different versions and changes in PDB paths, we can conclude that this malware is constantly under development. Attackers are updating codes after a reconnaissance of victim environment. We believe, this group is using a commercial tool to install the backdoor. However, we do not have any intel on the same. If you have some knowledge about any of the above tools, we will be very interested in knowing about it. ----- ### Attribution We constantly work towards profiling attacks of multiple APT actors. Looking at the basic flow of the tools, techniques, and procedure (TTPs) in this attack, it simply points towards SideWinder APT group. All the names for modules like ‘preBotHta.dll’, ‘DUser.dll’ were similar to some of the Sidewinder attacks. Credwiz.exe was used for side-loading ‘DUser.dll’ and entire infection flow was similar. Few of researchers on Twitter and some Chinese organization blogs were also seen attributing this attack to Sidewinder without many details. SideWinder is an APT group allegedly to work for Indian interest. But this attack was targeting Indian defence organizations and armed forces veterans. So, it makes no sense [on this attribution. Lastly, we found just one good blog that considered this attack to be a](https://medium.com/@Sebdraven/copy-cat-of-apt-sidewinder-1893059ca68d) “Copy cat of APT Sidewinder”. #### Hence, not related to the Sidewinder APT group: 1] Sidewinder uses dotNET compiled ‘DUser.dll’ backdoors. But all ‘DUser.dll’ files in this operation were compiled in Delphi/VC++. 2] Naming convention of domains and C2 was not similar to Sidewinder which uses names similar to ‘cdn’ in large volumes. 3] All initial modules are open-source, and some are commercial tools. Sidewinder does not heavily rely on open-source tools. 4] ‘perBotHta.dll’ code was completely different from what was seen with Sidewinder files. 5] Sidewinder was never seen targeting India. ----- This was the reason; we were convinced that this actor is copying Sidewinder TTPs just to mislead the community. So, we named this as ‘Operation SideCopy’. Understanding who is behind an attack is usually a priority when the attack is on critical organizations. So, it was a crucial component of our investigation. Now, to hunt the real actor behind this operation, we started looking towards older samples, file meta, code, Domains, IP infrastructure. These are all the Command and Control server IP and domains that we saw being used in this operation: vmi312537[.]contaboserver[.]net 144[.]91[.]91[.]236 vmi296708[.]contaboserver[.]net 144[.]91[.]65[.]100 newsindia[.]ddns[.]net 164[.]68[.]108[.]22 mfahost[.]ddns[.]net 173[.]249[.]50[.]230 vmi314646[.]contaboserver[.]net 173[.]212[.]224[.]110 vmi192147[.]contaboserver[.]net 167[.]86[.]116[.]39 vmi268056[.]contaboserver[.]net Almost all C2 belongs to Contabo GmbH, a hosting provider that seems to be currently favoured by Pakistan based threat actors. Many Crimson RAT, another tool of Transparent tribe group, connect to Contabo GmbH. [Also, in one of the reports by amnesty, transparent tribe actors RAT were found using](https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF) computer name ‘VMI70913’ and the same sample connected to C2 with a domain name of ‘vmi70913.contabo.host’ by the hosting company Contabo GmbH. |144[.]91[.]91[.]236 144[.]91[.]65[.]100 164[.]68[.]108[.]22 173[.]249[.]50[.]230 173[.]212[.]224[.]110 167[.]86[.]116[.]39|vmi312537[.]contaboserver[.]net vmi296708[.]contaboserver[.]net newsindia[.]ddns[.]net mfahost[.]ddns[.]net vmi314646[.]contaboserver[.]net vmi192147[.]contaboserver[.]net vmi268056[.]contaboserver[.]net| |---|---| ----- These server names are very similar to C2 domains found in the operation. One of the domain, that hosted HTA was interesting: “hxxps://drivetoshare[.]com” It was registered to: Name Muhammad Talha Organization web designing Address Shop No 36/ B 2nd Floor Dubai Plaza Murree Road City Rawalpindi State / Province Punjab Postal Code 46000 Country PK Phone +92.3316133447 Email kingsmanfisher@gmail.com We found few other domains that were recently registered to email ID ‘kingsmanfisher@gmail.com’: |egistered to:|Col2| |---|---| |Name|Muhammad Talha| |Organization|web designing| |Address|Shop No 36/ B 2nd Floor Dubai Plaza Murree Road| |City|Rawalpindi| |State / Province|Punjab| |Postal Code|46000| |Country|PK| |Phone|+92.3316133447| |Email|kingsmanfisher@gmail.com| (Domain) (Registration) (Expiry) drivetoshare.com 2020-08-07 2021-08-06 updatedportal.com 2020-08-07 2021-08-06 socialistfourm.com 2020-03-13 2021-03-12 mailfourms.com 2020-03-02 2021-03-01 [A recent report on Transparent tribe showed this group to be using a similar naming](https://securelist.com/transparent-tribe-part-2/98233/) convention to host a variety of malware. ----- ### IOC Details: We have mentioned the IoC details in the spreadsheet below: |#2019 #2020 - version 1|MD5 SHA256 A7C9018A5041F2D839F0EC 2AB7657DCF C4A75A64F19BD594B4BB28 3452D0A98B6E6E86566E24D 820BFB7B403E72F84E2|File Description Stage-1 HTA|File Info|PDB Strings|IP 139.59. 55.198|Domains| |---|---|---|---|---|---|---| |||Stage-1 HTA embedded module 'hta.dll'|Portable Executable 32 .NET Assembly|D:\Pkgs\Project\ Cyrus_HTA1+HTTP _HTA2+VNext_ HTA3\hta\obj\ Debug\hta.pdb||| ||18FB04B37C7A6106FB40C5 AAFDDD8935 DD0762FC58ACB30F75B0A2 A14DBEF2CCDA553EA9DDE 08A180C60CD4113E1A506|Stage-2 HTA||||| |||Stage-2 HTA embedded module 'preBotHta.dll'|Portable Executable 32 .NET Assembly|D:\C\Proj\preBot Hta_new\preBot Hta\obj\Debug\ preBotHta.pdb||| ||AC4A8D82D91286D5E0F59B 85C8975DF8 FB761A2DA4841F8739D33A 682C5F2F39A033C7BA1643 0CE5785F7D51AB5D1537|Duser.dll|Microsoft Visual C++ 8.0 (Debug)|D:\Pkgs\Project\ 1-Stagers\5-DUser \Debug\x86\hello -world.pdb||| ||AF0DD0070C02E150644968 53BEFFA331 8C6AFF2224FDD54615EF99D 32A6134C961B6D7D576B6F F94F6B228EB8AF855AF|winms.exe|Borland Delphi 4.0||173.249. 50.230|vmi192147 [.]contabo server[.]net :3245| ||B065FB5E013D4393544E29B 4D596C932 A8D8A56CDA7E29DD64CF28 B2BDAD19E8DCBF78E5900C F9CA53F952E9FD2452EB|sihostt.exe|Portable Executable 32 .NET Assembly||173.212. 224.110|hxxp://173 [.]212[.]224 [.]110/h_ttp| ### IOC Details: ----- |Col1|Col2|Col3|Col4|Col5|Col6|Col7| |---|---|---|---|---|---|---| |#2020 - version 1.1|MD5 SHA256 97B96EA3EB10BD5E7F26BC 7214D406B4 B0279CC1FDE7B18C0632585 EA0BB48C3F3140D0A4FF4C CB3B35EAEE27C12751D|File Description Stage-2 HTA|File Info|PDB Strings|IP|Domains| |||Stage-2 HTA embedded module 'preBotHta.dll'|Portable Executable 32 .NET Assembly|D:\C\Proj\preBotH ta_new\preBotHta \obj\Debug\ preBotHta.pdb||| ||15A33804C2560B1651D3B38 EE7D88CED 7B722C66602E53D17316353 7FA66056A78E3043BFDDDC B6FC06F31F1F7F25ED8|Duser.dll|Microsoft Visual C++ 8.0 (Debug)|D:\Pkgs\Project\ 5-DUser\Debug\ x86\hello- world.pdb||| ||9B6DC22380B809099F48A02 89DC38EA7 27AF16554281F3DD773E767 68F13B099B41624BEC5AB04 05A09C26595A49E80E|winms.exe|Borland Delphi 4.0||173.249. 50.230|| |#2020 - version 2|918F7248E81748D727F74BA BF3EF3213 87E5AB38B3E2BB5F63FD40D 97A225F9DEDB724B0703852 1EE4766A233F718CA2|S t a g e -2 H T A|||51 53 .1 .5 99 89 .|| |||Stage-2 HTA embedded module 'preBotHta.dll'|Portable Executable 32 .NET Assembly|E:\OpenRATs\ NigthFury\Night Fury HTA upload\ preBotHta\obj\ Debug\ preBotHta.pdb||| ||9F3069FC2B8DAD266B52C6 50CF3D730D A866800A90A404FEB4A9681 3C487BFD7114A5EC521516E BA8C0178FB3F08F74A|Duser.dll|Borland Delphi 3.0|E:\Packers\Cyber Link\Latest Source \Multithread Protocol Architecture\Final Version\DUser\ Release\x86\ DUser.pdb||tor-relay- 2[.]innonet life[.]com: 6102| **MD5** ----- |Col1|Col2|Col3|Col4|Col5|Col6|Col7| |---|---|---|---|---|---|---| |#2020 - version 2.1|MD5 SHA256 49CB8BB67B1F89E5184926B 41E89A5B9 7EAD6660510AA9A7E58094F 05A8655DF23FE680B57D511 41E6E6D124C9A678D1|File Description Stage-2 HTA|File Info|PDB Strings|IP|Domains| |||Stage-2 HTA embedded module 'preBotHta.dll'|Portable Executable 32 .NET Assembly|E:\OpenRATs\ NigthFury\Night Fury HTA upload\ preBotHta\obj\ Debug\ preBotHta.pdb||| ||B29E7FAC2D84DA758473F3B 5E81F3265 92E9CEEDF28C99F90F8892A EC9D2FA413FF0F4F17C5B03 16D05871E95993C3FA|Duser.dll|Borland Delphi 3.0|F:\Packers\ CyberLink\Latest Source\ Multithread Protocol Architecture\Final Version\DUser\ Release\x86\ DUser.pdb||| |#2019 - version 3|F4FD6FA576313508A0B8936 88CCF6970 1D09E91D72C86216F559760 DA0F07ACDC0CFF8C0649C6 E1782DB1F20DCC7E48F|D u s e r .d ll|Borland Delphi 3.0|F:\Packers\Cyber Link\Latest Source \Multithread Protocol Architecture\Final Version\DUser\ Release\x86\ DUser.pdb|611 106 084 2.2.6 28 :.|s e o m r v n i3 t e 1 a r 4 b .n 6 ov e.c 4 t 6| ||6E0AB86CBBF5A19C77DCC8 85484D1539 70E2236E467D2B453E6C412 D32D0BD0AB256603E50339 B644D064DE18DBCB539|wordicon.exe|Microsoft Visual C++ 8|F:\Packers\Cyber Link\Latest Source \Exploit Dropper\ Update or Install\ Dropper\Release\ Update-Install.pdb||| |Older files|AA031C2D987DB4759A83C5 69392AA971 36C9022B8D2260B360DC93 90C146636A97AA984CDF517 6036CD4E444840216F8|w o r d ic o n .e x e|Microsoft Visual C++ 8.0 (DLL)|F:\Packers\Cyber Link\Latest Source \Exploit Dropper \Update or Install\ Dropper\x64\ Release\ Update-Install.pdb||| ||3EECA29E55C31C3904231D 5B5FC6A513 0A6D33BDC0B70A45626211 393D67566E1C9EBFFF020F7 FF1EF23DC93EDE0C27A|dD% uAP s e A r O %R G .dT ll\ gR it \A M|Borland Delphi 3.0|F:\Packers\Cyber Link\Latest Source \Multithread Protocol Architecture\Final Version\DUser\ Release\x86\ DUser.pdb|21 34 64 :6.9 11 0 2.9 1 .|s d e d f o m r a n v n i3 t s h e 1 a r o .n 2 b s e .n t 5 ov tm . e.c 3 t 7| **MD5** ----- |Col1|Col2|Col3|Col4|Col5|Col6|Col7| |---|---|---|---|---|---|---| |Older files|MD5 SHA256 A325AB168BB6797EF001372 41155D07C 5BC838B11EADB3FEC80A7E 6BB46183B868096D8C2E49 9BEDD9C976F3D70D41B1|File Description wordicon.exe|File Info Borland Delphi 3.0|PDB Strings F:\Packers\Cyber Link\Latest Source \Exploit Dropper\ Update or Install\ Dropper\Release\ Update-Install.pdb|IP|Domains| ||60C75258F301C14D45D32D 153812EA97 CB136924562C2E70A5E3039 EA3CD6713F4BD980DF2795F 6CDBC67D3364B5E79B|%ALLUSERSPR OFILE%\ microsoftsdk\ duser.dll|Borland Delphi 3.0|F:\Packers\Cyber Link\Latest Source \Multithread Protocol Architecture\Final Version\DUser\ Release\x86\ DUser.pdb|11 04 04 :6.9 11 0 2.6 5 .|s d e e d o m r n v w n i2 t s s e 9 a r .n in 6 b e .n d 7 ov tn e 0 t.c ia . 8| ||DBDD56932730210F6556CC 636AEB8A66 029FEED08A935BA7EC5186 C3EA8AE7114910BA950113 95F9A097BF2B069DA342|.lnB p eS kno en fis to sr .ds h o cip x-||||| ||039B29FC7316077D8ABCD1 D24222F3AE C2E4F6D9C6AFD91E6F85D2 BC96C6096346BBCBADD6E 1BA7192A9B226B17E67D8|Stage-2 HTA||||| |||'p t m r a m o e g b d B e e u o d t -2 lee d H e H t T a dS A .d ll'|Portable Executable 32 .NET Assembly|F:\Packers\CoreDll \preBotHta\pre BotHta\obj\ Release\ preBotHta.pdb||| ||76064A2131C5D866043C616 0B9F79929 709D548A42500B15DB4B17 1711A31A2AB227F508F60D4 CDE670B2B9081CE56AF|dD% uAP s e A r O %R G .dT ll\ dR sA kM \|Borland Delphi 3.0|F:\Packers\CoreDll \DUser\Release\ x86\hello- world.pdb||| ||93F6741259BC11CED457818 98623F9F0 26CA6AF15FF8273733A6A38 6A482357256AC4373A8641E 486FB646BC9C525AFA|ib t le T in s a E d iv n M o% ac ew .t \w sP xr % t \|Borland Delphi 4.0||11 16 67 .3.8 96 .|s e m r[.]cv v e n 6 r t 8 a 0 b [.]n 5 oi2 eo 6 t| ||A338B76B18FF23FE986FD8A D45B3F6FC 1A2CF862D210F6D0B85FBF7 1974F3E1FBE1D637E2EF81F 511EA64B55ED2423C7|dM o c D xy c .lno ku m e n t .||||| ||74D9E996D978A3C53C9C97 4A144A6B37 F889D2358EEC85212659B0D 273E5E892E610E114C990BF DE93C9D607D85F58B0|Stage-1 HTA|||11 29 92 .2.1 18 . :4 45 3|sfi un ltc inr u g c o [.]init n| **MD5** ----- |Col1|Col2|Col3|Col4|Col5|Col6|Col7| |---|---|---|---|---|---|---| |Older files|MD5 SHA256|File Description Stage-1 HTA embedded module 'hta.dll'|File Info Portable Executable 32 .NET Assembly|PDB Strings G:\AT\Pkgs\Pkgs\ Project\3-hta (hta1)_new_path\ hta\obj\Debug\ hta.pdb|IP|Domains| ||3B07961844D8235C1F40C12 28299B5D7 234DEFC7E28089CE8114190 7CEB16F3C80B12B6C19A451 6D97F049EC66AF633D|Stage-2 HTA %PROGRAM DATA%\adobe\ tmphta.hta||||| |||Stage-2 HTA embedded module 'preBotHta.dll'|Portable Executable 32 .NET Assembly|D:\C\Proj\preBot Hta_new\preBot Hta\obj\Debug\ preBotHta.pdb||| ||C926AF149B4A152403D0955 E0ED9AC5F 9D7EDFA9834F4C5B5B35C04 C7906993C330FC0A29382A6 9F9601793211CCF253|D u s e r .d ll|Microsoft Visual C++ 8.0 (Debug)|D:\C\Proj\DUser\ Debug\x86\ hello-world.pdb||| ||DE3CB976504716C7E2689C6 96CAB2075 8B11DB3A20F447B31CFC6A 6AF626C037B8F77ED0F96F 7210F9D58A21F83E6EDA|w in m s .e x e|Borland Delphi 4.0||21 27 43 .1.2 11 02 .|| ||909DB7C009BFAC6793D6C2 5E82188BCD 43D469F38545B63389712EB A636E87AD483308EB6CE609 C1117A2FDDDCEFE1A2|w in m s .e x e|Borland Delphi 4.0||21 27 43 .1.2 11 02 .|| ||E61B7D68E7E2F33A09CBA6 8DF04FE78E 1E36DC2D6CA94E14DC7AC C7C183D1CCA3E05D6F0181 3C9A1918EF99F9CAAE693|S t a g e -2 H T A||||| |||'p t m r a m o e g b d B e e u o d t -2 lee d H e H t T a dS A .d ll'|Portable Executable 32 .NET Assembly|D:\Pkgs\Project\ Standalone_HTA_ With_Startup_Path \Project\preBotHta \obj\Debug\ preBotHta.pdb||| ||41FE9857A47D37CE7B69C8 15E55A14D5 38A5E825577B51EEFE4C571 D29B34713B4FD2A2B09A01 3DF4803110D5CE553E8|sihostt.exe|Borland Delphi 4.0||91 14 .2 .9 34 61 .|cdmh la x sd ax nf sshp ic / s a t l/[.]n e t [.]:/ /o| **MD5** ----- ### References: https://github.com/mdsecactivebreach/CACTUSTORCH https://github.com/tyranid/DotNetToJScript https://github.com/Cn33liz/StarFighters https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cactustorch-fileless-threat-abuse s-net-to-infect-victims/ https://volon.io/2020/08/20/indian-government-sso-platform-parichay-used-as-lure-to-tar get-govt-agencies/ https://medium.com/@Sebdraven/copy-cat-of-apt-sidewinder-1893059ca68d https://securelist.com/transparent-tribe-part-2/98233/ https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF -----