Threats and Connections uncovered related to Pakistani APTs Escalate Attacks on Indian Gov.


Activity from the Pakistani side is escalating: since the Pahalgam attack, these groups have been intruding into Indian government databases. Here is how.

Cyberattacks against Indian government organizations by APTs linked to Pakistan have accelerated recently. During telemetry analysis and threat hunting, the Seqrite Labs APT team found several similar campaigns.

Over the past few weeks, SideCopy, one such threat group, has used its well-known AllaKore RAT in three different campaigns, deploying two instances of the RAT at once in each campaign.

During the same period, its parent APT group, Transparent Tribe (APT36), continued to use Crimson RAT, but in encoded or packed form. We were able to correlate the two APTs through their C2 infrastructure, demonstrating their sub-group relationship once more.

This blog provides an overview of these campaigns and explains how examining their prior attacks establishes a connection. One of the most targeted nations in the cyber threat scene is India, where new spear-phishing tactics like Operation RusticWeb and FlightNight have surfaced in addition to Pakistan-affiliated APT organizations like SideCopy and APT36 (Transparent Tribe).

Simultaneously, we have seen a rise in underground forums where initial access brokers are selling access to Indian entities (both government and corporate), high-profile ransomware attacks, and over 2900 disruptive attacks, including DDoS, website defacement, and database leaks, by more than 85 Telegram hacktivist groups in the first quarter of 2024.

Threat Actor Whereabouts

Since at least 2019, the Pakistan-affiliated Advanced Persistent Threat organization SideCopy has been attacking South Asian nations, mainly Indian government and defense organizations. Among its many tools are the Ares RAT, Action RAT, Margulas RAT, AllaKore RAT, and Reverse RAT.

Its parent threat group, Transparent Tribe (APT36), pursues the same persistent targeting, updates its Linux malware arsenal frequently, and shares code with SideCopy. Since it began operating in 2013, it has consistently employed payloads including Oblique RAT, Capra RAT, Eliza RAT, and Crimson RAT in its campaigns.

SideCopy

The same infection chain has so far been seen in three attack campaigns, all of which use compromised domains to host payloads. Instead of side-loading the Action RAT payload (DUser.dll), as observed previously, two customized builds of the open-source AllaKore remote agent are deployed as the final payload.

Image showing information regarding Attack Chain of SideCopy

Infection Steps

  1. Spear-phishing begins with an archive file containing a shortcut (LNK) that uses a double extension.
  2. When the LNK is opened, the MSHTA process executes a remote HTA file hosted on a compromised domain. The stage-1 HTA embeds two base64-encoded files: a DLL and a decoy.
  3. The DLL is triggered to run in memory; it drops and opens the decoy file. As observed previously, the DLL also generates several text files containing the name “Mahesh Chand” along with other arbitrary text.
  4. The DLL then downloads two further HTA files from the same compromised domain to start the second stage.
  5. Each of these HTAs embeds two DLLs and an EXE.
  6. One of the DLLs is run in memory; it decodes the other two files and drops them into the Public directory. Persistence for the final payload is set up in advance through the Run registry key, for example:

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "issas" /t REG_SZ /F /D "C:\Users\Public\issas\issas.exe"
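A detection check for the persistence step above, added here as an example and not Seqrite's code: it scans constructed registry value-set events (a simplified Sysmon Event ID 13 layout, which is an assumption about the log format) for Run/RunOnce values that point at binaries under world-writable staging directories such as C:\Users\Public.

```python
"""Flag Run-key persistence that points into world-writable staging paths.

Added example, not Seqrite's code. The events below are constructed in a
simplified Sysmon Event ID 13 (RegistryEvent: Value Set) key=value layout.
"""
import re
from typing import Dict, List

# Constructed sample events, one per line; two mirror the REG ADD shown above.
SAMPLE_EVENTS = (
    "EventType=SetValue Image=C:\\Windows\\System32\\reg.exe "
    "TargetObject=HKU\\S-1-5-21-1\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\issas "
    "Details=C:\\Users\\Public\\issas\\issas.exe\n"
    "EventType=SetValue Image=C:\\Program Files\\Vendor\\setup.exe "
    "TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray "
    "Details=C:\\Program Files\\Vendor\\tray.exe\n"
    "EventType=SetValue Image=C:\\Windows\\System32\\reg.exe "
    "TargetObject=HKU\\S-1-5-21-1\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\quick "
    "Details=C:\\Users\\Public\\quick\\quick.exe\n"
    "EventType=SetValue Image=C:\\Windows\\explorer.exe "
    "TargetObject=HKU\\S-1-5-21-1\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden "
    "Details=DWORD (0x00000001)\n"
)

# key=value pairs; values may contain spaces, so a value ends only before the next key.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Any local user can write here, so legitimate autoruns rarely live under these paths.
STAGING_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "\\appdata\\local\\temp\\")


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value event line into a dict."""
    return dict(FIELD_RE.findall(line.strip()))


def is_suspicious_autorun(event: Dict[str, str]) -> bool:
    """True when a Run/RunOnce value is set to a binary in a staging directory."""
    target = event.get("TargetObject", "")
    if not RUN_KEY_RE.search(target):
        return False
    data = event.get("Details", "").strip().strip('"').lower()
    return any(d in data for d in STAGING_DIRS)


def find_suspicious_autoruns(log: str) -> List[Dict[str, str]]:
    """Return the flagged events, each annotated with the Run value name."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_suspicious_autorun(ev):
            ev["ValueName"] = ev["TargetObject"].rsplit("\\", 1)[-1]
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_autoruns(SAMPLE_EVENTS):
        print(f"{hit['ValueName']}: {hit['Details']} (written by {hit['Image']})")
```

The same rule fits a SIEM query; the value name alone (here "issas") is not a useful signal, the staging path is.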

Image showing information regarding files dropped in one of the campaigns

Finally, both AllaKore RAT payloads are executed and connect to the same IP address, but on different ports, for C2 communication. The final dropped DLL is a genuine, older file that is not side-loaded.

Our prior blogs and whitepapers examine each step in detail. AllaKore uses separate sockets for desktop, file, and keyboard traffic, along with timeout, reconnection, and clipboard timers. Its capabilities include:

  • Gathering system information
  • Enumerating files and folders
  • Uploading and executing files
  • Keylogging
  • Stealing clipboard data

Campaign-wise, the Delphi-based AllaKore RATs have the following information:

Campaign  Internal Name                     Compiler Timestamp
1.        msmediaGPview / msmediarenderapp  06-Mar-2024
2.        msvideolib / msrenderapp          18-Mar-2024
3.        msvideolib / msrenderapp          01-Apr-2024

To determine that the connection is active, the RAT first sends and receives ping-pong commands while listening to the C2 for orders. The network traffic below demonstrates how the two RAT payloads operate in tandem, enhancing one another.

Additionally, the two payloads differ in size: Double Action RAT is 3.2 MB, while the other is nearly double that at 7 MB. For every instance, a connection ID is generated from the system data.

Image about network traffic for port 9828

Image about network traffic for port 6663

List of encrypted strings used in smaller payloads for C2 communication:

S.No.  Encrypted                Decrypted
1.     7oYGAVUv7QVqOT0iUNI      SocketMain
2.     7oYBFJGQ                 OK
3.     7o4AfMyIMmN              Info
4.     7ooG0ewSx5K              PING
5.     7ooGyOueQVE              PONG
6.     7oYCkQ4hb550             Close
7.     7oIBPsa66QyecyD          NOSenha
8.     7oIDcXX6y8njAD           Folder
9.     7oIDaDhgXCBA             Files
10.    7ooD/IcBeHXEooEVVuH4BB   DownloadFile
11.    7o4H11u36Kir3n4M4NM      UploadFile
12.    Sx+WZ+QNgX+TgltTwOyU4D   Unknown (Windows)
13.    QxI/Ngbex4qIoVZBMB       Windows Vista
14.    QxI/Ngbex46Q             Windows 7
15.    QxI/Ngbex4aRKA           Windows 10
16.    QxI/Ngbex4KTxLImkWK      Windows 8.1/10

The AllaKore agent also integrates several file operations: create, delete, execute, copy, move, rename, zip, and upload. These commands are present in the larger payload.

Image providing information about File Move Operation and Command in the Second Payload

The dropped DLL files are genuine libraries that are not side-loaded by the AllaKore RAT, although they might be used maliciously in the future. Despite being associated with Microsoft Windows, only a few of these libraries carry a valid signature.

S.No.  Dropped DLL Name   PDB                                                 Description                            Compilation Timestamp
1.     msdr.dll           Windows.Management.Workplace.WorkplaceSettings.pdb  Windows Runtime WorkplaceSettings DLL  2071-08-19
2.     braveservice.dll   dbghelp.pdb                                         Windows Image Helper                   2052-02-25
3.     salso.dll          D3d12core.pdb                                       Direct3D 12 Core Runtime               1981-03-18
4.     salso.dll          OrtcEngine.pdb                                      Microsoft Skype ORTC Engine            2020-01-07
5.     salso.dll          msvcp120d.amd64.pdb                                 Microsoft® C Runtime Library           2013-10-05
6.     FI_Ejec13234.dll   IsAppRun.pdb                                        TODO:<>                                2013-10-15
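Several of the timestamps in the table (2071, 2052, 1981) cannot be real build times, which is a useful triage signal on its own. The following check, added here as an example and not Seqrite's code, reads the COFF TimeDateStamp straight from the PE header and classifies it; the PE images it inspects are constructed header-only stubs carrying the dates from the table above.

```python
"""Read a PE file's COFF TimeDateStamp and flag implausible build times.

Added example, not Seqrite's code. The PE images below are constructed
header-only stubs carrying the timestamps from the dropped-DLL table.
"""
import struct
from datetime import datetime, timezone
from typing import Dict, Optional

UTC = timezone.utc
# Win32 PE binaries did not exist before 1993; earlier stamps cannot be real build times.
EARLIEST_PLAUSIBLE = datetime(1993, 1, 1, tzinfo=UTC)


def to_unix(day: str) -> int:
    """'YYYY-MM-DD' -> seconds since the Unix epoch (UTC midnight)."""
    return int(datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=UTC).timestamp())


def pe_timestamp(data: bytes) -> int:
    """Return the COFF header TimeDateStamp of an in-memory PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def classify_timestamp(stamp: int, now: datetime) -> str:
    """Return 'zero', 'future', 'pre-pe' or 'plausible' for a raw TimeDateStamp.

    Caveat: .NET deterministic builds store a content hash in this field, so for
    managed binaries an odd value may be a reproducible build rather than timestomping.
    """
    if stamp == 0:
        return "zero"
    when = datetime.fromtimestamp(stamp, tz=UTC)
    if when > now:
        return "future"
    if when < EARLIEST_PLAUSIBLE:
        return "pre-pe"
    return "plausible"


def build_pe_stub(stamp: int) -> bytes:
    """Construct a minimal MZ header + PE signature + COFF header with the given stamp."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=0x8664 (x64), 1 section, stamp, symtab ptr, symbol count, opt hdr size, flags
    coff = struct.pack("<HHIIIHH", 0x8664, 1, stamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed stubs mirroring the dropped-DLL timestamps discussed above.
SAMPLES = {
    "msdr.dll": build_pe_stub(to_unix("2071-08-19")),
    "braveservice.dll": build_pe_stub(to_unix("2052-02-25")),
    "salso.dll (D3d12core)": build_pe_stub(to_unix("1981-03-18")),
    "salso.dll (msvcp120d)": build_pe_stub(to_unix("2013-10-05")),
}


def triage(samples: Dict[str, bytes], now_day: Optional[str] = None) -> Dict[str, str]:
    """Map each sample name to its timestamp verdict as of now_day ('YYYY-MM-DD')."""
    now = datetime.strptime(now_day, "%Y-%m-%d").replace(tzinfo=UTC) if now_day else datetime.now(UTC)
    return {name: classify_timestamp(pe_timestamp(blob), now) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name}: {verdict}")
```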

Decoys

One of the two decoy files that have been seen was utilized in earlier attacks in February and March of 2023. The document’s date, “21 December 2022,” has been deleted, and the bait’s name, “Grant_of_Risk_and_HardShip_Allowances_Mar_24.pdf,” has been modified to reflect March 2024.

As the name implies, it is a 2022 advisory on allowance payments to Indian Ministry of Defense Army officers. Two of the three campaigns make use of this.

Image about Decoy(1)

The second decoy is a payment-in-arrears form associated with the same allowance type. This is another old document reused from the past; it was created on January 19, 2023.

Image about Decoy(2)

Attribution and Infrastructure

Passive DNS records going back to last year show that the compromised domains resolve to the same IP addresses that were used in earlier campaigns.

S.No.  IP                 Compromised Domain                   Campaign
1.     151.106.97[.]183   inniaromas[.]com, ivinfotech[.]com   November 2023
                          revivelife[.]in                      March 2024
                          vparking[.]online                    April 2024
2.     162.241.85[.]104   ssynergy[.]in                        April 2023
                          elfinindia[.]com                     May 2023
                          occoman[.]com                        August 2023
                          sunfireglobal[.]in                   October 2023
                          masterrealtors[.]in                  November 2023
                          smokeworld[.]in                      March 2024

The AllaKore RAT C2 servers, which SideCopy uses frequently, are hosted in Germany under AS51167 (Contabo GmbH). Based on the attack chain, the tooling employed, and the comparable infrastructure used to spread the infection, these campaigns are attributed to SideCopy with high confidence.

164.68.102[.]44 vmi1701584.contaboserver.net
213.136.94[.]11 vmi1761221.contaboserver.net

The following chart shows the telemetry hits for each of the three SideCopy campaigns associated with AllaKore RAT. The first two campaigns show two surges in March, while the third appears in the second week of April.

Image providing information regarding SideCopy campaign hits

Transparent Tribe (APT36)

A large number of Crimson RAT samples regularly appear on VirusTotal, typically with detection counts of 40–50. In our threat hunting we have discovered new samples, although not many.

Image showing information about Infection Chain of APT36

While analysing the infection chain for changes, we found that the Crimson RAT samples are not embedded directly in the maldocs as they typically are. This time the XLAM maldoc contains three items: two base64-encoded blobs and the decoy.

An image featuring information regarding Additional Functions in Macro

Extracting the VBA macro reveals additional functions for reading a file, decoding base64, and converting binary data to a string. The macro reads and decodes the two base64 blobs embedded in the maldoc, opens the decoy file, and extracts the archived Crimson RAT executables from the decoded data.

Image about VBA infection flow
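A triage helper for the maldoc chain just described, added here as an example and not Seqrite's code: it carves long base64 runs out of a document part, decodes them, and reports whether the result is an archive and what the archive contains. The "oleObject"-like buffer it scans is constructed inline (a zip holding a fake MZ stub named after the sample, wrapped in binary junk), so it runs offline.

```python
"""Carve base64 blobs out of a maldoc part and identify what they decode to.

Added example, not Seqrite's code. The sample part below is constructed:
a zip holding a fake MZ stub, base64-encoded and surrounded by binary junk.
"""
import base64
import binascii
import io
import re
import zipfile
from typing import Dict, List

# Long runs of the base64 alphabet, optionally padded; 64 chars skips short identifiers.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"%PDF": "pdf", b"\xd0\xcf\x11\xe0": "ole"}


def identify(data: bytes) -> str:
    """Cheap file-type guess from leading magic bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect_zip(data: bytes) -> List[Dict]:
    """List members of an in-memory zip with the type of each member's content."""
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                head = fh.read(4)
            members.append({"name": info.filename, "size": info.file_size, "kind": identify(head)})
    return members


def carve_base64(part: bytes) -> List[Dict]:
    """Decode every long base64 run in the part and report what it contains."""
    findings = []
    for m in B64_RUN.finditer(part):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue  # alphabet-only run of the wrong length: not a real blob
        finding = {"offset": m.start(), "kind": identify(decoded), "size": len(decoded)}
        if finding["kind"] == "zip":
            finding["members"] = inspect_zip(decoded)
        findings.append(finding)
    return findings


def build_sample_part() -> bytes:
    """Construct an oleObject-like buffer: junk, a base64 zip with an MZ stub, a bogus run."""
    fake_exe = b"MZ" + b"\x90" * 200  # constructed stand-in, not a real executable
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mulhiar tarsnib.exe", fake_exe)
    blob = base64.b64encode(buf.getvalue())
    # 65 'A's look like base64 but have an invalid length; the carver must skip them.
    return b"\xd0\xcf\x11\xe0" + b"\x00" * 16 + blob + b"\x00" * 8 + b"A" * 65 + b"\x00"


if __name__ == "__main__":
    for f in carve_base64(build_sample_part()):
        print(f"offset {f['offset']}: {f['kind']} ({f['size']} bytes) {f.get('members', '')}")
```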

Crimson RAT

The final RAT payloads retain the same functionality and use 22 commands for C2 communication. Both of these samples show a low detection rate, whereas Crimson RAT is normally detected widely.

The PDB for these .NET samples is "C:\New folder\mulhiar tarsnib\mulhiar tarsnib\obj\Debug\mulhiar tarsnib.pdb", and their compilation timestamp is 2024-03-17.

Image providing information regarding Detection Count on VT

When the C2 commands and the process flow were examined together, no significant changes were found. 204.44.124[.]134 is the C2’s IP address, and it attempts to establish a connection using five distinct ports: 9149, 15597, 18518, 26791, and 28329.

The C2 instructions for a few recent samples (compile-timestamp-wise) of Crimson RAT, which employ comparable 22–24 commands, are listed below. Except for the final two, none of these are packed, and they are all in the same size range (10–20 MB).

An image showing details about C2 Commands of Crimson RAT for Recent Sample

BinDiff shows that similarity with prior samples is consistently greater than 75%. The only changes are in the order of the commands the RAT interprets, made by appending numbers to a command or splitting a command in two.

Image showing information about Comparing similarity between Crimson RAT Variants

Additionally, two new samples named “ShareX” and “Analytics Based Card” were discovered; both are obfuscated with Eziriz’s .NET Reactor. In the past, APT36 has employed a variety of packers and obfuscators, including ConfuserEx, Crypto Obfuscator, and Eazfuscator.

In contrast to the previous iteration, the obfuscated ones have 40 commands, while the conventional ones have 22–24 commands as usual. In this instance, the C2, juichangchi[.]online, is attempting to establish a connection with four ports: 909, 67, 65, and 121.

Although some of these C2 instructions are not yet functioning, they resemble the ones that Proofpoint initially disclosed. Our earlier APT36 whitepaper contains a list of all 22 commands and their functions.

Image providing information about Comparison after Deobfuscation

Decoys

The malicious document titled “Imp message from dgms” refers to India’s Directorate General of Mines Safety (DGMS). The counterfeit document’s numerous references to military or defense-related land and urban policy show its deliberate targeting of the Indian government. The “All details” maldoc contains only the heading “Posting list” and is otherwise empty.

Image about DGMS decoy

Crimson Keylogger

Recently, a malicious .NET file with the compilation timestamp 2023-06-14 was discovered. It has a PDB naming scheme similar to Crimson RAT. Analysis showed it to be a keylogger payload that records every keystroke.

  • PDB: e:\vdhrh madtvin\vdhrh madtvin\obj\Debug\vdhrh madtvin.pdb

In addition to recording every keystroke and saving it to a file, it gathers the name of the active foreground process. Clipboard data is also copied to the storage file, and toggle keys and key combinations are recorded separately.

Image providing information about Crimson Keylogger

Correlation

Starting from the domain that Transparent Tribe uses as C2, we pivoted on its passive DNS records using VirusTotal and Validin, looking for infrastructure overlaps comparable to the code overlaps previously observed between SideCopy and APT36 in Linux-based payloads.

The timeline below shows when the C2 for the two packed samples mentioned above went live. They resolved to distinct IPs, 176.107.182[.]55 and 162.245.191[.]214.

Image showing information regarding Timeline of C2 Domain

Two more IP addresses, 155.94.209[.]4 and 162.255.119[.]207, are also obtained in this way. While the latter is not linked to new malware, the former is connected with a payload that has only 7/73 detections on Virus Total.

With a build timestamp of 2039-02-24, the malware appears to be another .NET Reactor-packed payload; however, it is smaller (6.55 MB) than the Crimson RAT payloads.

Image showing information about Deobfuscated AllaKore RAT

The sample’s PDB name, “Kuchbhi.pdb”, is a Hindi word meaning “anything”. After deobfuscation, its C2 commands resemble those of the Delphi-based AllaKore RAT used by SideCopy and described above. This time, however, the RAT is written in .NET and has the five commands listed below:

C2 Command    Function
LIST_DRIVES   Obtain and transmit a list of the machine’s drives.
LIST_FILES    List all files and folders in the specified path.
UPLOAD_FILE   Download and run the file.
PING          Send PONG for live status while listening to the C2.
getinfo       Send OS details, machine name, and username.

Persistence is set in one of two ways: through the startup directory or through the registry Run key. Similar code reuse was previously found between SideCopy’s Linux-based Ares RAT stager payload and Transparent Tribe’s Linux-based Python malware, Poseidon, and other desktop tools. Here, too, code overlaps and potential C2 infrastructure sharing between the two groups are evident. Since its discovery in 2019, SideCopy has been linked to the Action RAT payload and the open-source AllaKore RAT, while Crimson RAT is known as an internal APT36 toolkit.

Infrastructure and Attribution

The C2 servers were found running Windows Server 2012 and 2022 under the same host names that APT36 had used previously.

S.No.  IP                  ASN       Organization                   Country         Host Name
1.     204.44.124[.]134    AS8100    QuadraNet Inc                  United States   WIN-P9NRMH5G6M8
2.     162.245.191[.]214   AS8100    QuadraNet Inc                  United States   WIN-P9NRMH5G6M8
3.     155.94.209[.]4      AS207083  Quadranet Inc                  Netherlands     WIN-P9NRMH5G6M8
4.     176.107.182[.]55    AS47987   Zemlyaniy Dmitro Leonidovich   Ukraine         WIN-9YM6J4IRPC

These operations are confidently linked to both APT36 and SideCopy groups based on this correlation and prior attack chains, demonstrating yet another close relationship between them.

Conclusion

APT groups with ties to Pakistan have persisted in targeting Indian government and defense institutions, and new activity has surfaced posing comparable risks. SideCopy has used its well-known AllaKore RAT in several campaigns, while its parent group, Transparent Tribe (APT36), continues to rely on Crimson RAT and modifies it to avoid detection.

India will undoubtedly continue to be targeted as the threat landscape changes as a result of numerous geopolitical events, including the Israel-Iran war. It is advised that people adopt the appropriate safety measures and remain safe in the face of rising cybercrime as India prepares for its next election.

Seqrite Protection

  • 48519
  • 48674.GC
  • 48761.GC
  • S30112905
  • SideCopy
  • 48760.GC
  • Crimson

MITRE ATT&CK

S.No.  Tactic                Technique ID  Name
1.     Resource Development  T1583.001     Acquire Infrastructure: Domains
                             T1584.001     Compromise Infrastructure: Domains
                             T1587.001     Develop Capabilities: Malware
                             T1588.001     Obtain Capabilities: Malware
                             T1588.002     Obtain Capabilities: Tool
                             T1608.001     Stage Capabilities: Upload Malware
                             T1608.005     Stage Capabilities: Link Target
2.     Initial Access        T1566.001     Phishing: Spearphishing Attachment
                             T1566.002     Phishing: Spearphishing Link
3.     Execution             T1106         Native API
                             T1129         Shared Modules
                             T1059         Command and Scripting Interpreter
                             T1047         Windows Management Instrumentation
                             T1204.001     User Execution: Malicious Link
                             T1204.002     User Execution: Malicious File
4.     Persistence           T1547.001     Registry Run Keys / Startup Folder
5.     Defense Evasion       T1027.009     Obfuscated Files or Information: Embedded Payloads
                             T1027.010     Obfuscated Files or Information: Command Obfuscation
                             T1036.005     Masquerading: Match Legitimate Name or Location
                             T1036.007     Masquerading: Double File Extension
                             T1140         Deobfuscate/Decode Files or Information
                             T1218.005     System Binary Proxy Execution: Mshta
                             T1574.002     Hijack Execution Flow: DLL Side-Loading
6.     Discovery             T1012         Query Registry
                             T1033         System Owner/User Discovery
                             T1057         Process Discovery
                             T1083         File and Directory Discovery
                             T1518.001     Software Discovery: Security Software Discovery
7.     Collection            T1005         Data from Local System
                             T1056.001     Input Capture: Keylogging
                             T1074.001     Data Staged: Local Data Staging
                             T1119         Automated Collection
                             T1113         Screen Capture
                             T1125         Video Capture
8.     Command and Control   T1105         Ingress Tool Transfer
                             T1571         Non-Standard Port
                             T1573         Encrypted Channel
                             T1071.001     Application Layer Protocol: Web Protocols
9.     Exfiltration          T1041         Exfiltration Over C2 Channel


About The Author

Suraj Koli is a content specialist with expertise in Cybersecurity and B2B Domains. He has provided his skills for the News4Hackers Blog and Craw Security. Moreover, he has written content for various sectors of business, Law, Food and beverage, Entertainment, and many others. Koli established his center of the field in an amazing scenario. Simply said, he started his career selling products, where he enhanced his skills in understanding the product and the point of view of clients from the customer’s perspective, which simplified his journey in the long run. It makes him an interesting personality among other writers. Currently, he is a regular writer at Craw Security.
