Updated: Jul 20
Identifying Connected Infrastructure and Management Activities
This blog post seeks to build on recent public reporting on campaigns attributed to SideCopy, a Pakistani-linked threat group. SideCopy has been active since 2019, primarily targeting South Asian countries, with a focus on India and Afghanistan. The group's name comes from its use of an infection chain that mimics that of SideWinder APT, an Indian-linked threat group.
Some reports suggest that SideCopy may be a subdivision of Transparent Tribe (APT36), with similar tactics and techniques observed.
The S2 Research Team has blogged previously on the activities of Transparent Tribe:
In this post we share the discoveries of our S2 Threat Research Team after examining analysis by the Chinese cyber security company QiAnXin, published on 20 March 2023, which detailed a SideCopy attack chain used to deploy AllaKore RAT. AllaKore RAT is an open-source remote access tool which has been modified for the purposes of SideCopy operations, and is commonly observed in their intrusions.
Identification of additional malware samples and C2 infrastructure associated with SideCopy targeting of the Indian Ministry of Defense
Evidence of management activity sourced from mobile IPs located in Pakistan, centered around a key IP address (22.214.171.124) connected to SideCopy’s use of Action RAT
Further credence provided to the assessment that SideCopy is a Pakistani-linked threat actor group, involved state-level espionage activities
India in the Crosshairs
As discussed in the analysis by QiAnXin, spear phishing was used as the initial delivery method for this campaign. Examining the lures involved, the targets appear to be users in India, specifically in the Ministry of Defence.
Figure 1: Example PDF Lure (https://twitter.com/jaydinbas/status/1629149627848044550)
In a bid to further understanding of this campaign, we will not seek to repeat analysis of the infection chain. Instead we will focus on the two tools which were ultimately dropped, examining threat telemetry surrounding their associated command and control (C2) infrastructure.
DUser.dll (Action RAT)
The first tool, identified as Action RAT in analysis by Cyble, is dropped onto the victim machine alongside a benign executable which is used to sideload it, in order to avoid detection. Action RAT’s capabilities include the ability to receive commands from the C2 server, to retrieve information from the victim machine, to execute further payloads, and to upload information back to the C2.
We found two samples of Action RAT (loaded as DUser.dll), including the sample analyzed by Cyble.
Cyble Sample Stage 1: feeadc91373732d65883c8351a6454a77a063ff5 (DRDO - K4 Missile Clean room.pptx.lnk) C2: www.cornerstonebeverly[.]org Action RAT: 3c4c8cbab1983c775e6a76166f7b3c84dde8c8c5 (DUser.dll) C2: 126.96.36.199:8080 (Contabo GmbH)
Sample Two Stage 1: 0d68a135b1f4be18481cf44ed02bcbf82aeb542e (Cyber Advisory - Profiles (Pic and Mob No) of PIOs.docx.lnk) C2: www.kwalityproducts[.]com Action RAT: cb031561fd76643885671922db7d5b840060334d (DUser.dll) C2: 188.8.131.52:8080 (Contabo GmbH)
Examining threat telemetry for the two C2 IPs 184.108.40.206 and 220.127.116.11 we observed initial victim connections on 06 February 2023 and 15 March 2023 respectively.
In total we observed 18 distinct victims, all located in India, connecting to the C2 servers - highlighting the targeted nature of the campaign.
Further to this activity we also observed 37 distinct IPs (again all located in India) connecting to 18.104.22.168:9468 in activity which commenced on 07 January 2023. Of the 37 IPs, two were observed connecting to the Action RAT port (TCP/8080).
We were unable to identify a sample talking to TCP/9468 of 22.214.171.124, however we would hypothesize that this IP was used for C2 communications with another tool associated with SideCopy activities.
Examining outbound activity from 126.96.36.199 and 188.8.131.52, we observed connections from 184.108.40.206 to 220.127.116.11:82 (IMMEDION, US). Whilst 18.104.22.168 is assigned to an American provider, WHOIS data places it in Pakistan.
Further examining connections to 22.214.171.124:82, we observed communications sourced from 17 distinct IPs assigned to Pakistani mobile providers and four Proton VPN nodes during the period of interest.
All of the Proton VPN nodes and all but three of the Pakistani mobile IPs were also observed connecting to 126.96.36.199:3389 within the same time period. Port 3389 (RDP) is often observed open on SideCopy (and Transparent Tribe) C2 servers, and is believed to be utilized for management purposes by the threat actors.
These findings are therefore indicative of management of 188.8.131.52 by actors likely located in Pakistan, in addition to actors unknown accessing via Proton VPN infrastructure.
Examining the communications sourced from the Pakistani mobile IPs, to 184.108.40.206:82 and 220.127.116.11:3389, we can start to build a general pattern of life, illustrated in Figure 2 below.
Figure 2: Pattern of Life for Management of 18.104.22.168
The timings in Figure 2 shown above are based on UTC, which is 5 hours behind Pakistan Standard Time. Therefore, Figure 2 demonstrates that management of 22.214.171.124 occurs between Monday to Saturday, from roughly 10AM to 7PM - with some exceptions on Thursdays.
These data points are potentially indicative of the threat actors accessing their infrastructure within a typical working week cadence, suggesting that management is undertaken professionally.
Finally, when analyzing threat telemetry data for 126.96.36.199, we also observed inbound connections to TCP/8080 and TCP/9467 sourced from IP addresses assigned to Indian providers. TCP/9467 is noteworthy given its similarity to the activity observed on 188.8.131.52:9468 which we assess to be indicative of SideCopy C2 communications.
The findings in this section derived from threat telemetry data are summarized below in Figure 2.
Figure 3: Threat Telemetry Data Associated with the Action RAT C2s
According to QiAnXin’s analysis, DUser.dll is also used to load and execute a version of AllaKore RAT, which is dropped on the victim machine via separate infrastructure. AllaKore RAT’s capabilities include functionality which allows for keylogging, screenshotting, and remote access of the victim machine, with an ability to also upload stolen information to the C2 server.
We found two samples of AllaKore RAT, both of which were referenced by QiAnXin.
Sample One Dropped via: f369ee5fc8dcf5a9e95d85dadff5a095a0e3a760 (hta.dll) C2: www.kcps[.]edu[.]in AllaKore RAT: ea844939dc428e6fdb6624d717d0286e4dcae9b1 (simsre.exe) C2: 184.108.40.206:9921
Sample Two Dropped via: f369ee5fc8dcf5a9e95d85dadff5a095a0e3a760 (hta.dll) C2: www.kcps[.]edu[.]in AllaKore RAT: 972d85b5736ae8bdf06a9d74f2a3356829ce2095 (sicsmdb.exe) C2: 220.127.116.11:9134
Examining threat telemetry data for the two C2 IPs 18.104.22.168 and 22.214.171.124 we observed initial victim connections on 06 January 2023 and 22 February 2023 respectively.
In total we observed 236 distinct victims, all located in India, connecting to the C2 servers. When compared to the victim numbers for the Action RAT C2s, it could be assessed that AllaKore RAT is deployed more widely and via other means outside of the scope of the infection chain described by QiAnXin.
Further to this activity we also observed 455 distinct IPs (again all located in India) connecting to 126.96.36.199:7439 and 188.8.131.52:7469 in activity which commenced at the same time as the activity on the ports associated with the AllaKore RAT samples.
We were unable to identify samples talking to TCP/7439 of 184.108.40.206 and TCP/7469 of 220.127.116.11, however as previously we would hypothesize that this IP was used for C2 communications with another tool associated with SideCopy activities.
In this blog post we have sought to illustrate the following points:
We have good evidence to demonstrate this particular SideCopy campaign, highlighted first by others in the industry, was successful in targeting Indian users. This finding is based on observations within our threat telemetry data, indicating victim connections to the C2 servers.
Victim activity predated the public reporting of this campaign, in some cases by several months. This continues to support the statistics about attacker dwell time, and highlights the importance of retrospective analysis of data logs.
There is specific evidence to demonstrate that the Action RAT infrastructure, connected to SideCopy, is managed by users accessing the Internet from Pakistan.
Pivots on known threat actor infrastructure can lead to the identification of further, previously unknown infrastructure, in addition to hints at attribution and management.
We would recommend that cyber defenders, particularly those located in countries / regions which SideCopy operations are known to target, use the IOCs mentioned in this blog to hunt against their own data holdings (including historical logs), and to preemptively block malicious activity.
Users of Pure Signal Recon can examine this campaign by querying against the domains and IP addresses referenced in the IOC section below. Further pivots into other currently unknown infrastructure may be possible as this threat actor undertakes future campaigns.
Indicators of Compromise
Malware Hashes (SHA1)
IP Addresses (with port pairings 🍷)