AllaKore(d) the SideCopy Train

S2 Threat Research analyzed SideCopy activity that delivered Action RAT and a modified AllaKore RAT to Indian targets using spear-phishing lures, DLL sideloading, and distinct C2 infrastructure. Telemetry links C2 servers (multiple IP:port pairs and domains) to victim connections and shows management activity originating from Pakistani mobile IPs and Proton VPN nodes. #SideCopy #AllaKore

Key points

  • Initial delivery: spear-phishing lures were used to deliver payloads to targets in India, including Ministry of Defence users.
  • Primary payloads observed: Action RAT (loaded as DUser.dll via DLL sideloading) and a modified AllaKore RAT (simsre.exe / sicsmdb.exe).
  • Action RAT C2 examples: 144.91.72.17:8080 and 84.46.250.78:8080, with victim connections observed in early 2023.
  • AllaKore RAT C2s included 89.117.63.146:9921 and 185.229.119.60:9134, with a much larger victim set (~236 IPs observed).
  • Management telemetry: connections from Pakistani mobile IPs and Proton VPN nodes to 66.219.22.252 on ports including 82 and 3389 suggest operator management via RDP and proxying.
  • Pivots on known infrastructure revealed additional C2 ports (e.g., TCP/9467, TCP/9468, TCP/7439, TCP/7469) likely associated with other SideCopy tools.

MITRE Techniques

  • [T1566] Phishing – Spear-phishing used as the initial delivery method (‘spear phishing was used as the initial delivery method for this campaign’)
  • [T1574.002] DLL Side-Loading – Malware dropped alongside a benign executable and loaded via sideloading (‘dropped onto the victim machine alongside a benign executable which is used to sideload it’)
  • [T1021.001] Remote Services: RDP – RDP (TCP/3389) observed open on C2 and used for management (‘Port 3389 (RDP) is often observed open on SideCopy … believed to be utilized for management purposes’)
  • [T1056.001] Keylogging – AllaKore RAT implements keylogging capabilities (‘AllaKore RAT’s capabilities include functionality which allows for keylogging’)
  • [T1113] Screen Capture – AllaKore supports screenshot capture (‘AllaKore RAT’s capabilities include … screenshotting’)
  • [T1105] Ingress Tool Transfer – Additional payloads (AllaKore) were dropped via separate infrastructure (‘AllaKore RAT … is dropped on the victim machine via separate infrastructure’)
  • [T1071] Application Layer Protocol – RATs receive commands and exfiltrate via C2 (HTTP/ports observed like 8080) (‘Action RAT’s capabilities include the ability to receive commands from the C2 server … and to upload information back to the C2’)

Indicators of Compromise

  • [Malware Hashes] SHA1 hashes of observed payloads – 3c4c8cbab1983c775e6a76166f7b3c84dde8c8c5 (DUser.dll), ea844939dc428e6fdb6624d717d0286e4dcae9b1 (simsre.exe), and 5 more hashes
  • [Domains] C2 and drop infrastructure – www.cornerstonebeverly[.]org, www.kcps[.]edu[.]in, and 1 more domain
  • [IP Address:port pairs] C2 endpoints and management ports – 144.91.72.17:8080, 89.117.63.146:9921, and 5 more IP:port pairs
  • [File names / lures] Dropper and payload filenames used in lures – ‘DRDO – K4 Missile Clean room.pptx.lnk’, ‘Cyber Advisory – Profiles (Pic and Mob No) of PIOs.docx.lnk’, and other filenames (e.g., DUser.dll, simsre.exe)

SideCopy’s technical procedure combined targeted spear-phishing lures with staged payload delivery. Malicious shortcuts and documents dropped a benign executable and a malicious DLL (DUser.dll) that was side-loaded to evade detection; DUser.dll acted as a loader for Action RAT and also staged AllaKore RAT. Action RAT provided C2-driven command execution, data collection, and payload retrieval, while AllaKore implemented keylogging, screenshot capture, remote access, and exfiltration to its C2 servers.

Command-and-control infrastructure was distributed across multiple IP:port pairs and domains (examples include 144.91.72.17:8080, 84.46.250.78:8080, 89.117.63.146:9921, and www.kcps[.]edu[.]in). Telemetry links show distinct victim sets connecting to Action RAT and AllaKore C2s (18 victims for Action RAT C2s, ~236 for AllaKore C2s) and additional activity on auxiliary ports (TCP/9467, TCP/9468, TCP/7439, TCP/7469) consistent with other SideCopy tools or management channels.

Operator management signals include outbound connections from Action RAT C2s to 66.219.22.252 and inbound management accesses to 66.219.22.252:3389 originating from Pakistani mobile IPs and Proton VPN nodes, with a weekday working-hours pattern (UTC times consistent with Pakistan Standard Time). Defenders should hunt historical logs for the listed hashes, domains, and IP:port pairs and look for DLL sideloading behaviors, unusual RDP access to C2-associated hosts, and application-layer C2 traffic on observed ports.

Read more: https://www.team-cymru.com/post/allakore-d-the-sidecopy-train