Our team recently observed a campaign in early June that used a Microsoft Word (docx) file (75a00fcede0b91793a19295a8b9a7060) containing an embedded OLE object and a CVE-2017-11882 RTF exploit to spread SocketPlayer malware. Based on the content of the document used to lure the victim and the use of the SocketPlayer backdoor, we believe that this campaign was targeting official(s) of the Indian Defence forces.
Interestingly, a few weeks earlier, the security research team MalwareHunterTeam tweeted that the website of the Border Security Force of India had been compromised and was being used to spread the SocketPlayer loader and backdoor from the following URL: hxxp://bsf.gov.in/siteassets/sitepages/home/billing_details.zip.
The lure document is an MS Word document in the Office 2007 Open XML format. It contains an embedded OLE object with an external reference; this feature allows a remote OLE object to be referenced from document.xml and fetched when the document is opened.
When a user opens the DOCX file, a remote document is fetched from the URL hxxp://defprocindia.com/register.doc. The downloaded file is an RTF exploit file (cd74dd88322431441fb1088ac7dd6715) that uses the Equation Editor vulnerability CVE-2017-11882.
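The external OLE reference described above lives in the package's relationship parts (the .rels files next to word/document.xml) as a relationship with TargetMode="External". The following script is an added example, not code from the original analysis: it lists every external OLE target in a docx so a defender can triage lure documents offline, and it constructs its own minimal docx (not the real sample) with a placeholder URL to show the check firing.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
WML_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def find_external_ole_targets(docx_bytes):
    """Return (rels part, relationship id, target) for each OLE relationship
    whose TargetMode is External, i.e. an OLE object fetched from outside
    the package rather than stored under word/embeddings/."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                is_ole = (rel.get("Type") or "").endswith("/oleObject")
                if is_ole and rel.get("TargetMode") == "External":
                    hits.append((name, rel.get("Id"), rel.get("Target")))
    return hits


def build_sample_docx(target, external=True):
    """Construct a minimal docx (constructed test data, not the real lure)
    with one OLE relationship. With external=True the relationship points
    at `target` outside the package; otherwise it points at an embedded part."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%s" Target="%s"%s/>'
        '</Relationships>' % (REL_NS, OLE_REL, target, mode)
    )
    # An empty body is enough: the link itself is carried by the .rels part.
    document = '<w:document xmlns:w="%s"><w:body/></w:document>' % WML_NS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document)
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL; the real campaign used hxxp://defprocindia.com/register.doc
    sample = build_sample_docx("http://example.invalid/register.doc")
    for part, rid, target in find_external_ole_targets(sample):
        print("external OLE link in %s (%s): %s" % (part, rid, target))
```

Run it against a real docx with `find_external_ole_targets(open(path, "rb").read())`; any non-empty result deserves a look before the file is opened in Word.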
db948cc4a2a4d8bebd6d02c7312e065f) from this URL: hxxp://defprocindia.com/laform.exe.
The downloaded payload is the SocketPlayer backdoor. It first tries to connect to the domain hxxp://www.asdkajkjsdnddasakkkaksjdjndkjansdkswda.yahoo.com. This connection is made to detect whether the binary is running on a real host or in a sandbox: the malware connects to a non-existent domain to confirm that the user is not running a network emulation utility such as FakeNet, a common tool used by malware researchers to simulate network connections.
Once this check is passed, two more anti-VM checks detect whether the sample is running in a virtual machine:
Anti-VM check 1 tries to determine whether the system is using a display adapter from VMware, VirtualBox, etc.
Anti-VM check 2 tries to determine whether the system's manufacturer name contains keywords such as "VIRTUAL", "vmware", etc.
When all these anti-VM checks are passed, the payload downloads a second-stage payload (adcd2838f9fbc24b31e163a77980d814) from the URL hxxp://220.127.116.11:5156/uploads/excutbls/a/Player.exe. The second payload first checks whether the file "C:\Users\USERNAME\Media Player\Player.exe" exists. If it does not, it downloads another payload (d1266b75959962ce0eb8e37df561dbcd) from the URL hxxp://18.104.22.168:5156/uploads/excutbls/a/APlayer.exe.
This final payload is the fully functional SocketPlayer main backdoor, which again tries to connect to a non-existent domain (as in the previous step), hxxp://www.swwdklalksdassssdlkasmkajksjsdnaasdskjndkjansdka.yahoo.com, to detect a sandbox.
After the anti-VM checks, the SocketPlayer RAT searches for the file "%HOMEPATH%\my documents\Process Manager\Manager.exe". If the file is not found, it searches for the directory "%HOMEPATH%\Process Manager" and, if that directory does not exist, creates it. For persistence, the SocketPlayer RAT creates an entry under the registry key "SOFTWARE\Microsoft\Windows\CurrentVersion\Run" with the value name "Process Manager".
Some of the functionalities of SocketPlayer include downloading and executing other payloads from the C&C, killing a process by its PID (process ID), taking screenshots, deleting files, and uploading files to the C&C.
Based on the compromise of the BSF website and our investigation and analysis of this case, we assess that these are targeted attacks against the armed forces using SocketPlayer malware, operated by the same group with similar TTPs.