CyberWire Daily - SideCopy malware campaigns expand and evolve. [Research Saturday]
Episode Date: August 7, 2021
Guest Asheer Malhotra, Threat Researcher of Cisco Talos Intelligence Group, joins Dave to discuss his team's research "InSideCopy: How this APT continues to evolve its arsenal." Cisco Talos has observed an expansion in the activity of SideCopy malware campaigns, targeting entities in India. In the past, the attackers have used malicious LNK files and documents to distribute their staple C#-based RAT. We are calling this malware "CetaRAT." SideCopy also relies heavily on the use of Allakore RAT, a publicly available Delphi-based RAT. Recent activity from the group, however, signals a boost in their development operations. Talos has discovered multiple new RAT families and plugins currently used in SideCopy infection chains. Targeting tactics and themes observed in SideCopy campaigns indicate a high degree of similarity to the Transparent Tribe APT (aka APT36) also targeting India. These include using decoys posing as operational documents belonging to the military and think tanks and honeytrap-based infections. The research can be found here: InSideCopy: How this APT continues to evolve its arsenal blog post; InSideCopy: How this APT continues to evolve its arsenal report.
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
...of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
I have to say, Delete.me is a game changer. Within days of signing up, they started removing my
personal information from hundreds of data brokers. I finally have peace of mind knowing
my data privacy is protected. Delete.me's team does all the work for you with detailed reports
so you know exactly what's been done. Take control of your data and keep your private life...
Hello everyone and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner and this is our weekly conversation with researchers and analysts
tracking down threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
So as part of our proactive hunting processes, we usually keep tabs on the different types of
malicious files that we see out in the field, you know, in our telemetry, out on public repositories.
And that's how we got the initial lead for this specific APT and the specific infection chains and the related malware.
That's Asheer Malhotra from Cisco Talos.
The research we're discussing today is titled "InSideCopy: How this APT continues to evolve its arsenal."
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface
with public-facing IPs that are exploited by bad actors
more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust Plus AI stops attackers
by hiding your attack surface,
making apps and IPs invisible,
eliminating lateral movement,
connecting users only to specific apps,
not the entire network,
continuously verifying every request
based on identity and context,
simplifying security management with AI-powered automation.
And detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com/security.
Well, let's dig into some of the details here. Can we start off with just an overview of exactly
what it is we're talking about here and the types of things that they do?
Sure. So our research focuses on a group called SideCopy. This is a group that focuses primarily on the Indian subcontinent with
a very heavy focus on India and Afghanistan and a little bit of focus on Pakistan as well.
This is a group that primarily targets government entities, specifically military personnel and diplomatic personnel.
And then we've seen a few civil servants,
traditional government employees being targeted as well.
This group tries to carry out espionage
using a variety of different malware
and accompanying plugins as well.
And that's what this whole white paper is all about.
That's what our whole research is
all about. We basically tear apart the entire arsenal of this APT group and, you know, we talk
about it and we present it. Well, let's walk through it together. Maybe let's go through
from start to finish here. I mean, let's say I'm one of those folks that they're trying to target. How would I find myself initially compromised?
So usually you'll get an email in your inbox
which contains a malicious Windows link,
a malicious link file or a malicious shortcut.
Or you'll get a link to the actual malicious shortcut file
and they're basically trying to social engineer you
into opening that
specific file. Once you open up that file, what follows is a very convoluted chain of
infection consisting of different types of HTA files, different types of loader DLLs,
ultimately resulting in a remote access Trojan, which is a RAT, being deployed on your computer or on your system or your endpoint.
And that's the whole infection process as a whole.
They put a lot of effort into social engineering because, you know,
they have to entice users into opening up their malicious files,
which is why we see different types of themes that are related to military and diplomatic and, you know,
something that piques your interest and tricks you into infecting yourself. So we feel as though they're being fairly successful on the social engineering
end of things. Yeah, they use a variety of themes. So basically the way this infection works is that
when you open up a malicious shortcut file during the infection process, they display a decoy document to you or a decoy picture to you.
And that document usually pertains to a military topic or a diplomatic topic.
And that's how we feel that they're targeting specific personnel in the military and the diplomatic community as well in certain geographies.
and the diplomatic community as well in certain geographies.
So meanwhile, behind the scenes, while this RAT is being deployed, what's going on there?
How are they able to allow that to get its purchase on your system?
Yeah, so it starts with the malicious shortcut file, right? And the malicious shortcut file basically goes out and downloads something called an HTA file.
It's an HTML application. This is kind of like an HTML file, but it can be opened using a native Windows application that
is not a web browser. And they can use that malicious HTA file, which can contain different
types of scripts in them, like JavaScript or VBScript. And these files are hosted on an attacker-controlled website or an attacker-controlled IP address.
And that HTA file is what contains the actual RAT payload, which is in turn, you know,
de-obfuscated and then deployed onto the victim's endpoint.
So can you take us through the spectrum of different RATs that they have
available to them, the various things they're looking to install and the capabilities there?
Right. So primarily they rely on two types of RAT families, which are their go-to RAT families.
The first one is CetaRAT and the second one is Allakore RAT. CetaRAT is a custom RAT that they built in-house.
They use the C# programming language and it's basically a .NET-based RAT family.
The second RAT that they use is called Allakore.
It's a commodity RAT.
It's been available out in the wild.
The source code for it has been available out in the wild for quite some time now.
This is a Delphi-based RAT family, and we've seen that CetaRAT and Allakore RAT have
increasingly been deployed by these threat actors since their discovery in 2019. Other than these
two primary RAT families, we've also found four new custom RAT families. We found DataRat, which
is another C#-based custom RAT family.
We named it DataRat because I'm very bad at naming RATs.
And then we found ReverseRat, we found MargulisRat,
and then we found another one that's called ActionRAT.
So ActionRAT is a RAT family that is Delphi-based,
and it's also C#-based.
There's two versions that they maintain.
If you just take a preliminary glance at it, it looks like Allakore RAT, but it's really not Allakore RAT. It's completely different. And this is a new RAT family that we found being used by
the attackers. Other than the four custom RAT families, we also found three new commodity
RATs being used by the attackers. One is called
Lilith, one is called Epicenter RAT. Both of these RAT families are not very
popular, but they've been available out in the wild for a long time. These are
commodity RATs; the source code is available online, and, you know, attackers
usually use commodity RATs to throw off attribution, you know, so that they don't
have to develop stuff in-house. That's one. The other, you know, attribution becomes difficult because these RAT families,
commodity RAT families, are used by crimeware syndicates and also by APT groups.
The third commodity RAT family that we discovered was NJRAT.
And they've heavily started using this since the beginning of this year, since January 2021.
The NJRAT family is a very popular RAT family.
There's a number of APT groups, there's a number of crimeware groups that have used NJRAT over the years since it became available out in the wild.
So yeah, it's basically two primary RAT families followed by four custom RAT families and three commodity RAT families.
Other than that, we also know that during the post-infection phase, you know, once they've deployed these RATs and they've established a foothold on the system,
they will then start deploying plugins, which are independent, dedicated malware components that run mutually
exclusive of each other on the system to serve specific purposes. For example, we found different
types of file managers and file utilities that can be used to enumerate files and download files
and exfiltrate files. We found different types of credential stealers that steal credentials from
different kinds of web browsers: Firefox,
Chromium-based web browsers, Internet Explorer, etc. We also found a peculiar plugin which is
Golang-based. It's basically used for file enumeration, but it's also used to steal
specific types of database files that belong to a multi-factor authentication
application that is developed and operated by the government of India. And this is interesting
because they have a very heavy focus on stealing credentials. So these attackers basically try to
get database files that let them access restricted networks or let them access restricted email
boxes or let them get into VPNs by using authentication.
That's one side of the coin here.
On the other hand, we've also seen the attackers set up fake login pages for the government
of India's webmail.
Basically, this is a page that masquerades as a legitimate login portal for your email
via the web browser.
And you enter your user ID and your password
and you basically end up divulging them,
these credentials to the attackers.
Based on their heavy focus on the credential stealing
and the heavy focus on the rats,
they want to access restricted networks
and restricted resources. And they want to establish that foothold. They want to maintain
persistent access into these networks and into these resources, which is basically, you know,
your typical espionage, you know, over the wire. Do you have any sense for how precise they're
being? In other words, are they targeting a specific RAT and a specific set of plugins to specific people in specific positions?
So primarily they target military personnel and diplomatic entities. There are a few RATs that we haven't seen being deployed yet, but we've discovered that there is a definitive link between SideCopy and the RATs that we've disclosed in our research.
Other than that, it depends on the situation.
Like the RATs are used to do preliminary reconnaissance, figure out whether the target is of value to them so that they can, you know, in turn deploy more RATs and more plugins onto their endpoint and establish, you know, a more permanent foothold on the victim's computer
and in turn their restricted networks.
How noisy is this? If someone, for example, has endpoint protection running on their system,
is it likely that it's going to be flagged here?
Yes, so this will be flagged and detected, provided that you have proper cyber hygiene.
You restrict different types of file paths and you restrict different types of file behaviors and you detect different types of file behaviors.
Don't click or don't open files that you're not sure about, which is like security 101.
If you're suspicious of something, don't open that.
But then yet again, you know, people do open stuff.
We are all curious animals,
so people do end up getting infected.
Coupled with the right threat intelligence, however,
like the one we provide,
you can easily block this RAT
if you follow proper guidelines of security.
And suppose someone has been infected with it,
are there methods by which they try to maintain persistence? It's primarily the RATs. The reason
why they use a variety of RATs is probably because they want to go undetected. And even
if one of their RAT families is detected and disclosed, they can still rely on the other ones,
which is why they have this huge arsenal that they can deploy as and when they need.
And do we have any notion who's behind this?
We know that these guys are, you know, they primarily focus on the Indian subcontinent.
In terms of tactics, there is a very close resemblance to another APT group that's called Transparent Tribe.
The code name is also APT36 or Mythic Leopard.
This is another APT group that doesn't use the same infection chain.
It does. It has their own set of malware, completely different set of malware.
But the tactics that they use, both of these groups are very similar.
They target the same geographies. They use the same kind of layers. They use the same kind of malicious documents and the same kind of themes that both of these groups use. All we can say right now is that, you know, they have a very heavy focus on the Indian subcontinent.
Now, in terms of the various RATs that they're deploying here, would a victim find themselves typically infected with a single RAT or would they throw more than one at someone? Yes. So when they started out their infection
chains, they would primarily use a RAT, just one RAT family. And this was back in 2019.
Since 2019, you know, into 2020 and 2021, they have increasingly started deploying a combination of RATs.
In more than one instance, we found the attackers deploy CetaRAT and Allakore RAT on the same
endpoint.
Then in another instance, we saw them deploy CetaRAT and ActionRAT in one instance.
There were certain infection chains where the attackers would deploy multiple copies of CetaRAT along with Allakore RAT on the same endpoint.
It's a bit of an overkill, but it shows their commitment towards infecting their victims.
And it kind of shows overengineering as well, you know, because their infection chains are highly modularized. They're all over the place.
They don't need to be so modularized and they don't need to deploy so many RATs on the endpoint at the same time. But it also shows their commitment, you know, as I said, to infect
their victims. Yeah, that's interesting. So to wrap up here, I mean, what are your
recommendations then? What are the best ways for folks to protect themselves against this sort of thing? Right. So I always say this: with multiple, you know, multiple infection chains and multiple
RAT families, it's very important to have a layered defense model. You know, you should have
protection over email, you should have protection over network, you should have protection over,
you know, the endpoint as well, etc, etc. So that, you know, you can catch and block these attacks at different stages of the infection chain, you know,
so that if you miss one, you can catch them during the other.
And that's what's really important.
You have to block these attacks because these are essentially, you know, government sponsored or they're motivated by national interests.
So they're highly dangerous groups
that are operating very dangerous malware, right?
They're not driven by profit, they're driven by espionage.
So it's very important to have a very layered defense model
so that you can protect yourself
across different attack surfaces, if I may say.
Our thanks to Asheer Malhotra for joining us. The research is titled "InSideCopy: How this APT continues to evolve its arsenal." We'll have a link in the show notes.
And now a message from Black Cloak. Did you know the easiest way for
cyber criminals to bypass your company's defenses is by targeting your executives and their families
at home? Black Cloak's award-winning digital executive protection platform secures their
personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
The Cyber Wire Research Saturday is proudly produced in Maryland. Thanks for listening.