Targeted Attack on Indian Defense officials using SocketPlayer Malware




Introduction

Our team recently observed a campaign in early June that used a Microsoft Word (docx) file (75a00fcede0b91793a19295a8b9a7060) containing an embedded OLE object and a CVE-2017-11882 RTF exploit to spread SocketPlayer malware. Based on the content of the document used to lure the victim and the use of the SocketPlayer backdoor, we believe this campaign was targeting official(s) of the Indian Defense forces.



Lure Document


Interestingly, a few weeks back, the security researchers at MalwareHunterTeam also tweeted that the website of the Border Security Force of India had been compromised and was being used to spread the SocketPlayer loader and backdoor from the following URL: hxxp://bsf.gov.in/siteassets/sitepages/home/billing_details.zip.





Technical Analysis of Lure Document

The lure document is an MS Word document in the Office 2007 Open XML format. It contains an embedded OLE object with an external reference: this feature lets document.xml reference a remote OLE object that Word fetches from an external location when the document is opened.




When the user opens the DOCX file, a remote document is fetched from the URL hxxp://defprocindia.com/register.doc. The downloaded file is an RTF exploit (cd74dd88322431441fb1088ac7dd6715) that uses the Equation Editor vulnerability CVE-2017-11882.
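The external-reference mechanism described above leaves a visible trace inside the DOCX container: a relationship in word/_rels/document.xml.rels with TargetMode="External". The following triage script is an added example (not code from the original report): it opens a .docx as the ZIP archive it is, lists every external relationship, and flags the file when one points at an OLE object or a remote http(s) URL. A minimal docx is constructed in memory with a placeholder URL so the script runs offline; the relationship namespace and the oleObject relationship type are the standard OOXML values.

```python
"""Triage check for DOCX files that reference external OLE objects (added example)."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML package-relationship namespace and the OLE-object relationship type
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
RELS_PATH = "word/_rels/document.xml.rels"


def external_targets(docx_bytes):
    """Return [(rel_type, target)] for every External relationship in document.xml.rels."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PATH not in z.namelist():
            return found
        root = ET.fromstring(z.read(RELS_PATH))
        for rel in root.iter("{%s}Relationship" % REL_NS):
            # Internal relationships omit TargetMode; external ones must set it
            if rel.get("TargetMode", "Internal") == "External":
                found.append((rel.get("Type", ""), rel.get("Target", "")))
    return found


def is_suspicious(docx_bytes):
    """True when an external relationship is an OLE object or points at a remote URL."""
    for rel_type, target in external_targets(docx_bytes):
        if rel_type == OLE_REL_TYPE or target.lower().startswith(("http://", "https://")):
            return True
    return False


def build_sample_docx(external_target=None):
    """Construct a minimal docx in memory (sample data, not a real document).
    When external_target is given, add an external oleObject relationship to it."""
    rels = ['<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
            '<Relationships xmlns="%s">' % REL_NS,
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/styles" Target="styles.xml"/>']
    if external_target:
        rels.append('<Relationship Id="rId2" Type="%s" Target="%s" TargetMode="External"/>'
                    % (OLE_REL_TYPE, external_target))
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                   'package/2006/content-types"/>')
        z.writestr("word/document.xml", '<?xml version="1.0"?><document/>')
        z.writestr(RELS_PATH, "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL, constructed for the example; not an indicator from the report
    lure = build_sample_docx("http://example.invalid/register.doc")
    print(external_targets(lure))
    print("lure suspicious:", is_suspicious(lure))
    print("clean suspicious:", is_suspicious(build_sample_docx()))
```

On a real sample, pass the file's bytes to is_suspicious(); a benign document normally has no External relationships at all, so any hit is worth a manual look, and an external oleObject target is a strong signal on its own.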

On successful exploitation, the RTF file downloads the first-stage payload (db948cc4a2a4d8bebd6d02c7312e065f) from this URL: hxxp://defprocindia.com/laform.exe.


Technical Analysis of Payload

The downloaded payload is the SocketPlayer backdoor. It first tries to connect to the domain hxxp://www.asdkajkjsdnddasakkkaksjdjndkjansdkswda.yahoo.com. This connection is made to detect whether the binary is running on a real host or in a sandbox: the domain does not exist, so a successful connection tells the malware that the environment is running a network emulation utility such as FakeNet, a common tool used by malware researchers to simulate network connections.

If this check passes, two more anti-VM checks detect whether the sample is running in a virtual machine:



Anti-VM check 1 tries to determine whether the system uses a display adapter from VMware, VirtualBox, etc.

Anti-VM check 2 tries to determine whether the system's manufacturer name contains keywords such as "VIRTUAL", "vmware", etc.

When all of these anti-VM checks pass, the payload downloads a second-stage payload (adcd2838f9fbc24b31e163a77980d814) from the URL hxxp://93.104.208.17:5156/uploads/excutbls/a/Player.exe. The second-stage payload first checks whether the file "C:\Users\USERNAME\Media Player\Player.exe" exists. If it does not, it downloads another payload (d1266b75959962ce0eb8e37df561dbcd) from this URL: hxxp://93.104.208.17:5156/uploads/excutbls/a/APlayer.exe.

This final payload is the fully functional SocketPlayer main backdoor, which again tries to connect to a non-existent domain (as in the previous step), hxxp://www.swwdklalksdassssdlkasmkajksjsdnaasdskjndkjansdka.yahoo.com, to detect a sandbox.

After the anti-VM checks, the SocketPlayer RAT searches for the file "%HOMEPATH%\my documents\Process Manager\Manager.exe". If the file isn't found, it looks for the directory "%HOMEPATH%\Process Manager" and, if that directory does not exist, creates it. For persistence, the SocketPlayer RAT creates an entry in the following registry location: "SOFTWARE\Microsoft\Windows\CurrentVersion\Run", with the value name "Process Manager".



Some of SocketPlayer's functionalities include downloading and executing other payloads from the C&C, killing a process by its PID (process ID), taking screenshots, deleting files, and uploading files to the C&C.

Conclusion

Based on the compromise of BSF's website and our investigation and analysis of this case, we assess that these are targeted attacks on the armed forces using SocketPlayer malware, operated by the same group with similar TTPs.

IoCs

75a00fcede0b91793a19295a8b9a7060
cd74dd88322431441fb1088ac7dd6715
db948cc4a2a4d8bebd6d02c7312e065f
d1266b75959962ce0eb8e37df561dbcd
adcd2838f9fbc24b31e163a77980d814

hxxp://defprocindia.com/laform.exe
hxxp://93.104.208.17:5156/uploads/excutbls/a/Player.exe
hxxp://www.asdkajkjsdnddasakkkaksjdjndkjansdkswda.yahoo.com
hxxp://www.swwdklalksdassssdlkasmkajksjsdnaasdskjndkjansdka.yahoo.com
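The payload analysis above gives a defender several host and network artifacts to look for: the file hashes, the domains and the C2 IP from the IoC list, the Run-key value named "Process Manager", and the drop paths under "Media Player" and "Process Manager". The script below is an added example, not code from the original report: it runs a snapshot of host observations (Run entries, files with their MD5s, DNS names queried, IPs contacted) against those indicators and reports every match. The snapshot is constructed sample data; the indicator values are copied from this report. Note that the sandbox-check domains are useful indicators precisely because they do not exist: a DNS query for one of them on a real network says the backdoor ran, whether or not the lookup resolved.

```python
"""Match host and network observations against the SocketPlayer indicators in this report (added example)."""
import re

# File hashes from the report's IoC list (MD5, lower-case)
IOC_MD5 = {
    "75a00fcede0b91793a19295a8b9a7060": "lure docx",
    "cd74dd88322431441fb1088ac7dd6715": "register.doc (CVE-2017-11882 RTF)",
    "db948cc4a2a4d8bebd6d02c7312e065f": "laform.exe (first-stage loader)",
    "adcd2838f9fbc24b31e163a77980d814": "Player.exe (second stage)",
    "d1266b75959962ce0eb8e37df561dbcd": "APlayer.exe (SocketPlayer backdoor)",
}
# Domains (download site and the two non-existent sandbox-check names) and C2 IP from the report
IOC_DOMAINS = {
    "defprocindia.com",
    "www.asdkajkjsdnddasakkkaksjdjndkjansdkswda.yahoo.com",
    "www.swwdklalksdassssdlkasmkajksjsdnaasdskjndkjansdka.yahoo.com",
}
IOC_IPS = {"93.104.208.17"}
# Persistence artifact: Run-key value named "Process Manager"
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "process manager"
# Drop paths described in the analysis; matched case-insensitively on the path tail
DROP_PATHS = (
    re.compile(r"\\process manager\\manager\.exe$", re.I),
    re.compile(r"\\media player\\player\.exe$", re.I),
)


def match_indicators(snapshot):
    """Return a list of (category, detail) hits for a snapshot dict with keys
    'run_entries' [(key, name, value)], 'files' [(path, md5)], 'dns' [name], 'connections' [ip]."""
    hits = []
    for key, name, value in snapshot.get("run_entries", []):
        if key.lower() == RUN_KEY.lower() and name.lower() == RUN_VALUE_NAME:
            hits.append(("persistence", "%s\\%s = %s" % (key, name, value)))
    for path, md5 in snapshot.get("files", []):
        if md5.lower() in IOC_MD5:
            hits.append(("hash", "%s (%s)" % (path, IOC_MD5[md5.lower()])))
        elif any(p.search(path) for p in DROP_PATHS):
            # Known drop location even though the hash is not one we have seen
            hits.append(("drop_path", path))
    for name in snapshot.get("dns", []):
        if name.lower().rstrip(".") in IOC_DOMAINS:
            hits.append(("dns", name))
    for ip in snapshot.get("connections", []):
        if ip in IOC_IPS:
            hits.append(("c2_ip", ip))
    return hits


# Constructed sample snapshot (not real telemetry); only some entries should match
SAMPLE_SNAPSHOT = {
    "run_entries": [
        (RUN_KEY, "OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
        (RUN_KEY, "Process Manager", r"C:\Users\alice\Process Manager\Manager.exe"),
    ],
    "files": [
        (r"C:\Users\alice\Downloads\register.doc", "CD74DD88322431441FB1088AC7DD6715"),
        (r"C:\Users\alice\Media Player\Player.exe", "0123456789abcdef0123456789abcdef"),
        (r"C:\Windows\System32\notepad.exe", "ffffffffffffffffffffffffffffffff"),
    ],
    "dns": ["www.asdkajkjsdnddasakkkaksjdjndkjansdkswda.yahoo.com.", "www.yahoo.com"],
    "connections": ["93.104.208.17", "8.8.8.8"],
}

if __name__ == "__main__":
    for category, detail in match_indicators(SAMPLE_SNAPSHOT):
        print("%-12s %s" % (category, detail))
```

In practice the snapshot would be filled from an EDR export, Sysmon events, or DNS logs; the hash comparison is exact while the drop-path and Run-value checks are deliberately case-insensitive, since the paths in the report mix %HOMEPATH% forms and Windows ignores case.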


