SideCopy’s Multi-platform Onslaught: Leveraging WinRAR Zero-Day and Linux Variant of Ares RAT [Tuesday, November 7, 2023]

Report


Description:
Multiple campaigns of APT SideCopy have been discovered targeting Indian government and defense entities in the past few months. The threat group is now exploiting the recent WinRAR vulnerability CVE-2023-38831 (See our advisory for more details) to deploy AllaKore RAT, DRat and additional payloads.

Published:
2023-11-07T15:08:48.748Z

Created:
2023-11-07T15:08:48.748Z

Modified:
2023-11-07T15:33:10.619Z

Tags

  • apt
  • linux
  • powershell
  • india
  • trojan
  • crimson rat
  • download
  • ares
  • allakore
  • apt36
  • sidecopy
  • poseidon
  • pyinstaller
  • phishing
  • #sidecopy
  • #aresrat
  • #winrar
  • #apt36
  • #keyrat
  • #drat
  • #cve-2023-38831
  • #allakorerat
  • allakore rat
  • persistent
  • action
  • ares rat
  • oblique rat
  • margulas
  • action rat
  • defense
  • backnet
  • capra
  • drat

Indicators

IPv4s:
  • 38.242.149.89
  • 207.180.192.77
  • 161.97.151.220
  • 162.241.85.104
  • 38.242.220.166
  • 103.76.231.95
  • 161.97.151.200
  • 103.76.213.95
URLs:
  • https://futureuniform.ca/wp/wp-content/files/01/main.hta
  • https://www.rockwellroyalhomes.com/js/content/msfnt.hta
  • https://futureuniform.ca/mail.gov.in/briefcase/DocScanner_Updated_letter.pdf
  • https://www.rockwellroyalhomes.com/js/FL/2023-06-21-0056.pdf
  • https://www.rockwellroyalhomes.com/js/content/2023-06-21-0056.pdf
  • https://futureuniform.ca/mail.gov.in/briefcase/updated_draft_PPT.pptx
  • https://sunfireglobal.in/public/core/homo/
  • https://occoman.com/wp-admin/css/colors/ocean/files/files/tls
  • https://futureuniform.ca/email.gov.in/briefcase/Meeting_Notice-reg.pdf
  • https://sunfireglobal.in/public/assests/files/auth/av
  • https://www.rockwellroyalhomes.com/js/content/
  • https://sunfireglobal.in/public/assests/files/auth/ht
  • https://occoman.com/wp-admin/css/colors/ocean/files/files/bossupdate
  • https://www.rockwellroyalhomes.com/crm/asset/css/files/file/
  • https://sunfireglobal.in/public/assests/files/db/acr/
  • https://www.rockwellroyalhomes.com/crm/asset/css/files/doc/
  • https://keziaschool.com/wp/wp-content/uploads/2023/files/bossupdate
  • https://occoman.com/wp-admin/css/colors/ocean/files/files/
  • https://sunfireglobal.in/public/core/homo/Homosexuality%20-%20Indian%20Armed%20Forces.zip
  • https://keziaschool.com/wp/wp-content/uploads/2023/38
  • https://occoman.com/wp-admin/css/colors/ocean/files/pdf/in
  • https://sunfireglobal.in/public/assests/files/auth/dl
  • https://www.rockwellroyalhomes.com/js/FL/DocScanner-Oct.zip
  • https://www.rockwellroyalhomes.com/crm/asset/css/files/doc/DocScanner_AUG_2023.zip
  • https://futureuniform.ca/mail.gov.in/briefcase/draft_letter_nov_2023.docx
Hashes (SHA-256):
  • 0d11eddaf91966691b06ea164eca834848c5cc6276ef8a29ec67cad71ba386e7
  • eb1b12729274f84798bf83b779528095686f67330d80e39cb45791a7c6979910
  • 9645299e58c7521d811fbdcdbd57db45160191db7c7b73eae5d97e4530136da8
  • a9407fdee890615e8e4f4927deb0c32795e848ce58e66dab56bf3b7188bc0b25
  • 61b898f4254d8c6d3d375584a1109367f9e86d221e2d404bf6768fb81b1b48b5
  • 57e72c7c81df7d971db2977b51bc37447b641466917e7ed8f92efa3b0eb23f0d
  • 5893b58d6a6a772f8ecd491a4dace11007fd1aac90e5f4a0363288d1376e1ce5
  • 3d7eaa1f572e1b16f68d54d47e73fe38ae63bbe27fdff94ed3a1bab1febe62ff
Attack Patterns (MITRE ATT&CK technique IDs):
  • T1125
  • T1608
  • T1222
  • T1584
  • T1588
  • T1074
  • T1583
  • T1571
  • T1129
  • T1127
  • T1119
  • T1057
  • T1047
  • T1547
  • T1056
  • T1012
  • T1036
  • T1053
  • T1573
  • T1566
  • T1518
  • T1016
  • T1204
  • T1106
  • T1005
  • T1027
  • T1574
  • T1105
  • T1059
  • T1033
  • T1102
  • T1071
  • T1140
  • T1218
  • T1083
  • T1113
  • T1203
  • T1082
  • T1041
External References:


About the author
Julien B.

Securitricks
