Volon Threat Research identified a malicious sample named “India and Afghanistan on Parliamentary Affairs” that was uploaded to a public file scanning service on April 17, 2020. This report presents Volon Threat Research's analysis of the sample.
Based on the lure document, the Crimson RAT payload and the C2 (command and control) infrastructure, our analysis indicates that the threat actor is most likely the Pakistan-nexus group APT36, targeting Indian government entities.
Technical Analysis:
This section covers the technical analysis performed by Volon Threat Research.
- Dropper analysis:
- File name: India and Afghanistan on Parliamentary Affairs.exe
- FileType: Win32 EXE
- MD5: 48a00c1a8c9b39c96152e8ca80b7a972
- SHA-1: 77f06e791df9613a8f1a98432ff40d79dbde3bd5
- SHA-256: 3c7eb76db2a503d495d1332dc50acbcf511d56a6ff5a7f1a5f9c16c5efc10b5d
- Creation Date: 2020-01-30
- First Submission: 2020-04-13
(Lure Template)
The initial dropper is written in .NET and is compiled against the .NET Framework 2.x runtime. Targeting such an old runtime keeps the dropper backward compatible, so it can execute on as many target systems as possible, including older Windows builds that ship only the 2.0/3.5 runtime.
(Dropper – PE Info)
The dropper carries its payloads as encoded buffers, decodes them at runtime and writes the result to files in specific directories. Storing payloads encoded is a common way to evade antivirus static analysis; it also gives the dropper an opportunity to check the infected host for installed countermeasures before the payload ever touches disk.
(Encapsulated buffer in dropper)
In the screenshot below, the PDF is written to disk under “C:\Users\{username}\Documents”, saved with the same file name as the dropper itself.
(Lure PDF template dropped)
(Environment Variables Enumeration)
The dropper's last task is to write Crimson RAT to disk and run it. It creates the folder “Dllb” under “C:\ProgramData” and drops the binary there. We also observed a zip file being dropped; the executable extracted from that zip is the main Crimson RAT payload. We have seen APT36 follow this same dropping pattern several times in past activity.
- Crimson RAT analysis:
- File name: mtdlhsrivan.exe
- FileType: Win32 EXE
- MD5: a183d42bd09cd0a92bff2a39fa9d3921
- SHA-1: a818cb13ecf31f392bd7b22fd67ed4617051c22a
- SHA-256: ae9684b8c2dbcfa487d0b2d614b2214bfe3c80407244f5d39828aa91225c57bf
- Creation Date 2020-01-23
- First Submission 2020-04-15
The RAT is likewise written entirely in .NET and runs on all .NET Framework versions.
(Crimson RAT- PE info)
The RAT is interactive and supports basic functionality such as screen capture, screen size enumeration, command execution, process listing and process termination. A fuller list of the framework's capabilities is given in the “About Crimson RAT” section below.
The payload attempts persistence through the well-known technique of modifying a registry Run key (MITRE ATT&CK T1547.001), specifically “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run”.
In our analysis, however, the entry was never added to the key, so persistence did not work.
We also observed that Crimson RAT uses a custom protocol over an arbitrary TCP port to connect to its C2 (command and control) server.
(Network analysis – Wireshark Packet Capture)
About APT36:
APT36 is believed to be a Pakistani state-sponsored threat actor that mainly targets Indian defence, embassy and government entities. APT36 conducts cyber-espionage operations with the intent of collecting sensitive information from India that supports Pakistani military and diplomatic interests. The group, active since 2016, is also known as Transparent Tribe, ProjectM, Mythic Leopard and TEMP.Lapis.
About Crimson RAT:
Crimson RAT has been used by APT36 in various past campaigns. The RAT is written in .NET and its capabilities include:
- Stealing credentials from the victim’s browser
- Listing running processes, drives, and directories on the victim’s machine
- Retrieving files from its C&C server
- Using custom TCP protocol for its C&C communications
- Collecting information about antivirus software
- Capturing screenshots
(MITRE ATT&CK tracking link of the RAT): https://attack.mitre.org/software/S0115/
Reflections
In early August 2018, Volon Threat Research published a blog post about a campaign observed dropping Crimson RAT against officials of the Indian Ministry of External Affairs. Based on the campaign's TTPs and payload, that activity was attributed to the Pakistani APT group APT36 (Transparent Tribe). [Read more: https://volon.io/2018/09/07/targeted-attack-on-indian-ministry-of-external-affairs-using-crimson-rat/]
In March 2020, the security firm Malwarebytes released a report on APT36 conducting a phishing campaign against multiple India-based targets using a coronavirus lure. The C2 64.188.25[.]205 used in that March campaign matches the one observed in this report. Additionally, Volon has reported to its customers on the group targeting an Indian financial institution with Crimson RAT.
Volon recommends that organizations in the targeted geography block the IoCs listed in this report on their security sensors and EDR agents, hunt across their infrastructure for existing signs of compromise, and build correlation rules from these IoCs to detect future campaigns.
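As an added example of the hunt and correlation step recommended above (this is not Volon's tooling or anything from the malware itself), the Python helper below applies this report's indicators to three kinds of evidence: file hashes against the published MD5s, Run-key values pointing into the dropper's staging folder C:\ProgramData\Dllb, and proxy or firewall log lines mentioning the C2 address. The Run-key listing, the log lines, the temporary files and their hash in `run_demo()` are all constructed for the demo; on a real host you would feed in the output of `Get-ItemProperty` on the HKCU Run key and your own log exports.

```python
"""Hunting helpers for the indicators in this report.

Added example: this is not Volon's tooling or the malware's code. It only
works on data handed to it, so reading the registry and collecting logs on
a real host are left to the caller.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Indicators taken from the report.
IOC_MD5 = {
    "a43253312d356abe9ddf36b4cce50d82",
    "48a00c1a8c9b39c96152e8ca80b7a972",  # dropper
    "a183d42bd09cd0a92bff2a39fa9d3921",  # Crimson RAT (mtdlhsrivan.exe)
}
IOC_IPS = {"64.188.25.205"}  # C2 shared with the March 2020 campaign
# Staging folder the dropper creates for the RAT.
DROP_DIR = r"c:\programdata\dllb"


def md5_file(path: Path) -> str:
    """MD5 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_files(paths: Iterable[Path], iocs: set = IOC_MD5) -> List[Path]:
    """Return the files whose MD5 is in the indicator set."""
    return [p for p in paths if p.is_file() and md5_file(p) in iocs]


def suspicious_run_entries(run_values: Dict[str, str]) -> List[str]:
    """Flag Run-key values whose command points into the dropper's staging folder.

    `run_values` maps value name -> command line, as read from
    HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.
    """
    hits = []
    for name, command in run_values.items():
        normalised = command.lower().replace("/", "\\")
        if DROP_DIR in normalised or "%programdata%\\dllb" in normalised:
            hits.append(name)
    return hits


IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def c2_log_hits(lines: Iterable[str], iocs: set = IOC_IPS) -> List[str]:
    """Return log lines that mention a known C2 address (exact IP match only)."""
    return [ln for ln in lines if any(ip in iocs for ip in IP_RE.findall(ln))]


def run_demo() -> dict:
    """Exercise the helpers on constructed data and return what each flagged."""
    workdir = Path(tempfile.mkdtemp())
    # Constructed stand-in for the RAT: the real binary is not available here,
    # so the demo adds the hash of these bytes to a copy of the indicator set.
    fake_rat = workdir / "mtdlhsrivan.exe"
    fake_rat.write_bytes(b"constructed sample, not the real binary")
    benign = workdir / "notes.txt"
    benign.write_bytes(b"nothing to see here")
    iocs = IOC_MD5 | {hashlib.md5(fake_rat.read_bytes()).hexdigest()}

    # Constructed Run-key listing: one entry mimics the dropper's path.
    run_values = {
        "OneDrive": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
        "Dllb": r"C:\ProgramData\Dllb\mtdlhsrivan.exe",
    }
    # Constructed firewall log lines.
    log_lines = [
        "2020-04-17T10:01:02Z ACCEPT src=10.0.0.21 dst=64.188.25.205 dport=443",
        "2020-04-17T10:01:03Z ACCEPT src=10.0.0.21 dst=142.250.74.36 dport=443",
    ]
    return {
        "files": [p.name for p in scan_files([fake_rat, benign], iocs)],
        "run_keys": suspicious_run_entries(run_values),
        "c2_lines": c2_log_hits(log_lines),
    }


if __name__ == "__main__":
    for kind, hits in run_demo().items():
        print(f"{kind}: {hits}")
```

Run it as a script to see the demo output. In practice, hand `scan_files` the paths you want checked (everything under C:\ProgramData\Dllb and users' Documents folders are the obvious starting points), `suspicious_run_entries` the name/data pairs of the HKCU Run key, and `c2_log_hits` an export of proxy or firewall logs. MD5 is used because it is what the report publishes in its indicator list; where you have SHA-256 values, match on those instead, since the report lists them for both binaries.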
Indicators
Hashes (MD5):
- a43253312d356abe9ddf36b4cce50d82
- 48a00c1a8c9b39c96152e8ca80b7a972 (dropper, India and Afghanistan on Parliamentary Affairs.exe)
- a183d42bd09cd0a92bff2a39fa9d3921 (Crimson RAT, mtdlhsrivan.exe)
Network:
- 64.188.25[.]205 (C2)