SideCopy’s Multi-platform Onslaught: Leveraging WinRAR Zero-Day and Linux Variant of Ares RAT - Blogs on Information Technology, Network & Cybersecurity | Seqrite
Tags
cmtmf-attack-pattern: Acquire Infrastructure, Application Layer Protocol, Boot Or Logon Autostart Execution, Command And Scripting Interpreter, Compromise Infrastructure, Masquerading, Obfuscated Files Or Information, Obtain Capabilities, Scheduled Task/Job, Stage Capabilities
country: Afghanistan, China, Germany, India, Pakistan, Israel
maec-delivery-vectors: Watering Hole
attack-pattern: Acquire Infrastructure Data Acquire Infrastructure - T1583 Software Discovery - T1418 Application Layer Protocol - T1437 Boot Or Logon Autostart Execution - T1547 Command And Scripting Interpreter - T1623 Command Obfuscation - T1027.010 Compromise Infrastructure - T1584 Cron - T1053.003 Data From Local System - T1533 Defacement - T1491 Dll Side-Loading - T1574.002 Domains - T1583.001 Domains - T1584.001 Embedded Payloads - T1027.009 Encrypted Channel - T1521 Encrypted Channel - T1573 Exfiltration Over C2 Channel - T1646 Exploitation For Client Execution - T1658 File And Directory Discovery - T1420 File And Directory Permissions Modification - T1222 Hijack Execution Flow - T1625 Hijack Execution Flow - T1574 Ingress Tool Transfer - T1544 Input Capture - T1417 Internet Connection Discovery - T1016.001 Keylogging - T1056.001 Keylogging - T1417.001 Link Target - T1608.005 Linux And Mac File And Directory Permissions Modification - T1222.002 Local Data Staging - T1074.001 System Network Configuration Discovery - T1422 Malicious File - T1204.002 Malicious Link - T1204.001 Malware - T1587.001 Malware - T1588.001 Masquerading - T1655 Match Legitimate Name Or Location - T1036.005 Match Legitimate Name Or Location - T1655.001 Obfuscated Files Or Information - T1406 Process Discovery - T1424 System Information Discovery - T1426 Mshta - T1218.005 Native Api - T1575 Non-Standard Port - T1509 Non-Standard Port - T1571 Obtain Capabilities - T1588 Phishing - T1660 Phishing - T1566 Powershell - T1059.001 Python - T1059.006 Registry Run Keys / Startup Folder - T1547.001 Scheduled Task/Job - T1603 Screen Capture - T1513 Security Software Discovery - T1418.001 Security Software Discovery - T1518.001 Server - T1583.004 Server - T1584.004 Social Media - T1593.001 Software - T1592.002 Software Discovery - T1518 Spearphishing Attachment - T1566.001 Spearphishing Link - T1566.002 Stage Capabilities - T1608 Web Protocols - T1071.001 Web Protocols - T1437.001 Video Capture - T1512 Xdg Autostart Entries - T1547.013 Tool - T1588.002 Vulnerabilities - T1588.006 Whois - T1596.002 Upload Malware - T1608.001 Standard Application Layer Protocol - T1071 Automated Collection - T1119 Command-Line Interface - T1059 Data From Local System - T1005 Data Staged - T1074 Deobfuscate/Decode Files Or Information - T1140 Dll Side-Loading - T1073 Execution Through Api - T1106 Execution Through Module Load - T1129 Exfiltration Over Command And Control Channel - T1041 Exploitation For Client Execution - T1203 File And Directory Discovery - T1083 Remote File Copy - T1105 Input Capture - T1056 Masquerading - T1036 Mshta - T1170 Obfuscated Files Or Information - T1027 Powershell - T1086 Process Discovery - T1057 Query Registry - T1012 Registry Run Keys / Start Folder - T1060 Scheduled Task - T1053 Screen Capture - T1113 Security Software Discovery - T1063 Signed Binary Proxy Execution - T1218 System Information Discovery - T1082 System Network Configuration Discovery - T1016 System Owner/User Discovery - T1033 Windows Management Instrumentation - T1047 Video Capture - T1125 User Execution - T1204 Automated Collection Masquerading Screen Capture User Execution
Common Information
Type Value
UUID ed69331b-6e5f-47fe-9357-970ca963cbb4
Fingerprint 959f8c5362bda880
Analysis status DONE
Considered CTI value 2
Text language
Published Nov. 6, 2023, midnight
Added to db Nov. 19, 2023, 6:09 a.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline SideCopy’s Multi-platform Onslaught: Leveraging WinRAR Zero-Day and Linux Variant of Ares RAT
Title SideCopy’s Multi-platform Onslaught: Leveraging WinRAR Zero-Day and Linux Variant of Ares RAT - Blogs on Information Technology, Network & Cybersecurity | Seqrite
Detected Hints/Tags/Attributes 205/4/203
RSS Feed
Id Enabled Feed title Url Added to db
99 Cyware News - Latest Cyber News https://cyware.com/allnews/feed 2024-08-30 22:08
162 https://media.cert.europa.eu/rss?type=category&id=APTFilter&language=en&duplicates=false 2024-08-30 22:08
373 Blogs on Information Technology, Network & Cybersecurity | Seqrite https://www.seqrite.com/blog/feed 2024-08-30 22:08
Attributes