Targeted Attack on Indian Defense officials using SocketPlayer Malware

Introduction

Our team recently observed a campaign in early June that used a Microsoft Word (docx) file (75a00fcede0b91793a19295a8b9a7060) containing an embedded OLE object and a CVE-2017-11882 RTF exploit to spread SocketPlayer malware. Based on the context of the document used to lure the victim and the use of the SocketPlayer backdoor, we believe that this campaign was targeting official(s) of the Indian Defense forces.

Interestingly, a few weeks back, a team of security researchers, MalwareHunterTeam, also tweeted that the website of the Border Security Force of India was compromised and used to spread the SocketPlayer loader and backdoor from the following URL: hxxp://bsf.gov.in/siteassets/sitepages/home/billing_details.zip.


Technical Analysis of Lure Document

The lure document is an MS Word document in the Office 2007 Open XML format. This document contains an embedded OLE object that has external references. This feature allows remote OLE objects to be referenced from document.xml, so the object's content is fetched from an external location when the document is opened.


When a user opens the DOCX file, it causes a remote document file to be accessed from the URL hxxp://defprocindia.com/register.doc. The downloaded file is an RTF exploit file (cd74dd88322431441fb1088ac7dd6715) which uses the Equation Editor vulnerability CVE-2017-11882.
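The remote reference the lure relies on is recorded in the document's relationship part (word/_rels/document.xml.rels, which document.xml refers to by relationship id) as an OLE object relationship with TargetMode="External". The following check, an added example written for this page and not code from the report, lists such targets so a triage analyst can spot a DOCX that will reach out to a remote host when opened; the sample relationship XML and the example.invalid host are constructed.

```python
import sys
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

def external_ole_targets(rels_xml):
    """rels_xml: bytes of word/_rels/document.xml.rels.
    Returns the Target of every OLE object relationship whose TargetMode is External,
    i.e. an embedded object that Word will fetch from a remote location on open."""
    root = ET.fromstring(rels_xml)
    return [rel.get("Target") for rel in root.iter(f"{{{REL_NS}}}Relationship")
            if rel.get("TargetMode") == "External" and rel.get("Type") == OLE_REL_TYPE]

def scan_docx(path):
    """Open a DOCX (a ZIP container) and report remote OLE targets, if any."""
    with zipfile.ZipFile(path) as z:
        if "word/_rels/document.xml.rels" not in z.namelist():
            return []
        return external_ole_targets(z.read("word/_rels/document.xml.rels"))

# Constructed relationship part, not taken from the lure document: one ordinary
# internal relationship and one external OLE object pointing at a placeholder host.
SAMPLE_RELS = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://example.invalid/register.doc" TargetMode="External"/>
</Relationships>"""

if __name__ == "__main__":
    # With a file argument, scan that DOCX; otherwise run on the constructed sample.
    targets = scan_docx(sys.argv[1]) if len(sys.argv) > 1 else external_ole_targets(SAMPLE_RELS)
    for t in targets:
        print("remote OLE object target:", t)
```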

On successful exploitation, the RTF file downloads the payload (db948cc4a2a4d8bebd6d02c7312e065f) from this URL: hxxp://defprocindia.com/laform.exe.

Technical Analysis of Payload

The downloaded payload is the SocketPlayer backdoor. The payload first tries to connect to the domain:
hxxp://www.asdkajkjsdnddasakkkaksjdjndkjansdkswda.yahoo.com. This connection is made to detect whether the binary is running on a real host machine or in a sandbox. The malware connects to a non-existent domain to confirm that the user is not running a network emulation utility such as FakeNet, a common tool used by malware researchers to simulate network connections: if the bogus name resolves, the malware assumes it is being analysed.

When this check passes, there are two more anti-VM checks to detect whether the sample is running in a virtual machine:

Anti-VM check 1 tries to determine if the system is using a display adapter from VMware, VirtualBox, etc.

Anti-VM check 2 tries to determine if the system's manufacturer name contains keywords such as "VIRTUAL", "vmware", etc.

When all these anti-VM checks pass, the payload downloads a second-stage payload (adcd2838f9fbc24b31e163a77980d814) from the URL hxxp://93.104.208.17:5156/uploads/excutbls/a/Player.exe. The second payload first checks whether the file "C:\Users\USERNAME\Media Player\Player.exe" exists. If the file doesn't exist, it downloads another payload (d1266b75959962ce0eb8e37df561dbcd) from this URL: hxxp://93.104.208.17:5156/uploads/excutbls/a/APlayer.exe.

This final payload is the fully functional SocketPlayer main backdoor, which again tries to connect to a non-existent domain (as in the previous step), hxxp://www.swwdklalksdassssdlkasmkajksjsdnaasdskjndkjansdka.yahoo.com, to detect a sandbox.

After the anti-VM checks, the SocketPlayer RAT searches for the file "%HOMEPATH%\my documents\Process Manager\Manager.exe". If the file isn't found, it searches for the directory "%HOMEPATH%\Process Manager", and if this directory does not exist, it creates a directory named "%HOMEPATH%\Process Manager". For persistence, the SocketPlayer RAT creates an entry under the registry key "SOFTWARE\Microsoft\Windows\CurrentVersion\Run" with the value name "Process Manager".

Some of the functionalities of SocketPlayer include downloading and executing other payloads from the C&C, killing a process by its PID (process ID), taking screenshots, deleting files, and uploading files to the C&C.
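The host and network artifacts described in this section (the Run value name, the staging paths under the user profile, and the two sandbox-check domains) are enough for a quick triage check. The script below is an added example for this page, not code from the report: it matches an exported Run key, a file listing and DNS log lines against those artifacts; the sample Run entries, paths and log lines are constructed, while the indicator values are the ones given in the text.

```python
import re

# Indicators taken from the write-up above; all sample data further down is constructed.
SANDBOX_CHECK_DOMAINS = {
    "www.asdkajkjsdnddasakkkaksjdjndkjansdkswda.yahoo.com",
    "www.swwdklalksdassssdlkasmkajksjsdnaasdskjndkjansdka.yahoo.com",
}
RUN_VALUE_NAME = "process manager"      # value name under HKCU\...\CurrentVersion\Run
STAGING_SUFFIXES = (                     # staging locations, matched case-insensitively
    r"\process manager\manager.exe",
    r"\media player\player.exe",
    r"\process manager",
)

def check_run_values(run_values):
    """run_values: {value name: command} exported from the Run key.
    Returns (name, command) pairs using the persistence value name described."""
    return [(n, c) for n, c in run_values.items() if n.lower() == RUN_VALUE_NAME]

def check_paths(paths):
    """paths: iterable of paths found on disk. Returns those matching a staging location."""
    return [p for p in paths if p.lower().rstrip("\\").endswith(STAGING_SUFFIXES)]

def check_dns(lines):
    """lines: DNS log lines. Returns queried names matching the sandbox-check domains."""
    hits = []
    for line in lines:
        for name in re.findall(r"[A-Za-z0-9.-]+\.yahoo\.com", line):
            if name.lower() in SANDBOX_CHECK_DOMAINS:
                hits.append(name.lower())
    return hits

# Constructed sample input (not from the report): one benign and one suspicious item each.
SAMPLE_RUN = {"OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
              "Process Manager": r"C:\Users\alice\Process Manager\Manager.exe"}
SAMPLE_PATHS = [r"C:\Program Files\Windows Media Player\wmplayer.exe",
                r"C:\Users\alice\Process Manager",
                r"C:\Users\alice\Media Player\Player.exe"]
SAMPLE_DNS = ["2018-06-05 10:12:01 client 10.0.0.5 query: www.yahoo.com IN A",
              "2018-06-05 10:12:03 client 10.0.0.5 query: "
              "www.asdkajkjsdnddasakkkaksjdjndkjansdkswda.yahoo.com IN A"]

if __name__ == "__main__":
    for finding in check_run_values(SAMPLE_RUN) + check_paths(SAMPLE_PATHS) + check_dns(SAMPLE_DNS):
        print("suspicious:", finding)
```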

Conclusion

Based on the compromise of BSF's website and our investigation and analysis in this case, we assess that these are targeted attacks against the armed forces using SocketPlayer malware, operated by the same group with similar TTPs.

IoCs

