Targeted Attack on Indian Ministry of External Affairs using Crimson RAT

Introduction

Volon’s research team observed a spear phishing attack on officials of the Indian Ministry of External Affairs in early August. Crimson RAT was used in this instance, and the same TTPs have been observed from an APT group since 2016.

The email lures the officials into downloading an MS Excel sheet named “amended training schedule of IFS officers”. The download link displayed in the email reads “hxxps://www.mea.gov.in/ifs-traning.schedule”, but it actually points to the malicious XLS document at hxxp://info-sharing.net/?a=1533541533.

The document contains malicious macro code that drops the first payload, a Crimson RAT downloader. This payload then downloads the fully functional Crimson RAT from the following IP: 151.106.19[.]207:8246.

A document with a similar TTP, named “MoFA-MoD AFghanistan.xls”, was also identified in early August; it was uploaded on 3rd August 2018. The XLS file contains malicious macro code which, upon execution, downloads a payload from the URL hxxp://afgcloud7.com/upld/updt.dll.

In 2016, Proofpoint published a report on “Operation Transparent Tribe”. The report detailed various attacks against Indian embassies in Saudi Arabia and Kazakhstan using Crimson RAT. In one of those campaigns, they found an XLS file fetching its payload from the same URL we found in the second campaign: hxxp://afgcloud7.com/upld/updt.dll. These details may indicate that the APT group behind Operation Transparent Tribe is active and targeting Indian officials again.

Spear Phishing Email

The lure document presents the President’s schedule for various meetings.

The first payload downloads the fully functional Crimson RAT and drops it at the following path: “C:\ProgramData\Hurmz\bahgrtmrs.exe”.

The payload has the capability to kill any process running on the system, using the following code:

The following code is used to parse the commands that the payload receives from the C&C:

The following are some of the commands that the payload (Crimson RAT) supports:

1. proc1 – List all running processes.
2. getavs – List the antivirus products running on the system.
3. filz – Send file information to the C&C.
4. dowf – Download a file from the C&C.
5. cownr – Update the binary.
6. dirs – Send the list of disk drives.
7. afile – Send a file to the C&C.

Apart from the above commands, the RAT has further functionality including keylogging, browser credential theft and webcam access.

Conclusion

Based on the above campaigns, their TTPs, the payload used and past reporting, there is a high probability that the APT group behind “Operation Transparent Tribe” is active again and targeting Indian organizations.

Indicators of Compromise

58d52690179c2467fce76cec126ec5bb
915f32d66955de954bd89e3110d6a03e
0f0f6f48c3ee5f8e7cd3697c40002bc7
6b4635023eb1372df9b7618a5dae6128

151.106.19.207:8246
151.106.19.207:3286
151.106.19.207:12621
hxxp://info-sharing.net/?a=1533541533
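As an added defensive example (not code from the report or from Volon), the following Python scans constructed firewall and proxy log lines for the C2 endpoints and lure hosts listed above, and performs a whole-token search for the listed command keywords in a binary sample; the log formats, the sample log lines and the sample blob are assumptions made for this example.

```python
import re

# Network indicators copied from the report's IoC list: C2 IP:port pairs and the lure/payload hosts.
C2_ENDPOINTS = {("151.106.19.207", 8246), ("151.106.19.207", 3286), ("151.106.19.207", 12621)}
IOC_HOSTS = {"info-sharing.net", "afgcloud7.com"}

# Command keywords the report lists for the Crimson RAT payload.
RAT_COMMANDS = ("proc1", "getavs", "filz", "dowf", "cownr", "dirs", "afile")

# Hypothetical log formats assumed for this example:
#   firewall: "<ts> <src_ip>:<sport> -> <dst_ip>:<dport>"
#   proxy:    "<ts> <src_ip> <method> <url>"
CONN_RE = re.compile(r"^(\S+) (\S+):\d+ -> (\S+):(\d+)$")
PROXY_RE = re.compile(r"^(\S+) (\S+) \w+ [a-z]+://([^/:?]+)", re.I)

def scan_network_logs(lines):
    """Return (timestamp, source_ip, reason) for lines that touch a listed C2 endpoint or IoC host."""
    hits = []
    for line in lines:
        line = line.strip()
        if (m := CONN_RE.match(line)) and (m.group(3), int(m.group(4))) in C2_ENDPOINTS:
            hits.append((m.group(1), m.group(2), f"connection to Crimson RAT C2 {m.group(3)}:{m.group(4)}"))
        elif (m := PROXY_RE.match(line)) and m.group(3).lower() in IOC_HOSTS:
            hits.append((m.group(1), m.group(2), f"request to lure/payload host {m.group(3).lower()}"))
    return hits

def rat_command_strings(data, min_hits=4):
    """Whole-token search for the command keywords in a binary blob. Crimson RAT builds are
    .NET binaries, so both ASCII and UTF-16LE encodings are checked. Returns (found, flagged)."""
    found = []
    for cmd in RAT_COMMANDS:
        ascii_pat = rb"(?<![A-Za-z0-9])" + cmd.encode() + rb"(?![A-Za-z0-9])"
        if re.search(ascii_pat, data) or cmd.encode("utf-16-le") in data:
            found.append(cmd)
    # A single hit such as "dirs" is common in benign binaries; require several before flagging.
    return sorted(found), len(found) >= min_hits

# Constructed sample input (not from the report) to exercise both checks.
SAMPLE_LOGS = [
    "2018-08-06T09:13:40Z 10.20.5.17 GET http://info-sharing.net/?a=1533541533",
    "2018-08-06T09:13:41Z 10.20.5.18 GET https://www.mea.gov.in/",
    "2018-08-06T09:14:02Z 10.20.5.17:51432 -> 151.106.19.207:8246",
    "2018-08-06T09:14:05Z 10.20.5.17:51433 -> 203.0.113.5:443",
]
SAMPLE_BLOB = b"MZ\x90\x00" + b"\x00".join(
    [b"getavs", b"proc1", "filz".encode("utf-16-le"), b"dowf", b"afile", b"kernel32.dll"])

if __name__ == "__main__":
    for hit in scan_network_logs(SAMPLE_LOGS):
        print("ALERT", *hit)
    print("command strings:", rat_command_strings(SAMPLE_BLOB))
```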
