Volon Threat Research has identified a recent threat campaign targeting employees of Indian government agencies that uses Parichay [parichay.nic.in], the official Single Sign-On (SSO) platform of the Government of India, as its lure. SSO is a session and user authentication service that lets a user access multiple applications with one set of login credentials. The activity is a concern for Indian government entities and for the organizations linked to them.
Based on our analysis, attribution remains unclear: the payload and the publicly referenced sample signature point this campaign at two distinct threat groups, the North Korean-nexus "DarkHotel" APT and the "Donot Team" (APT-C-35), which is suspected of having a government background in a South Asian country.
The generic TTP identified in this campaign is that the adversary emails the victim a Word document titled 'Verification Form for PARICHAY Account.docx', which looks realistic enough to lure the victim into opening it.
Malicious Word document titled ‘Verification Form for PARICHAY Account’
This Word document is embedded with a link to a remotely hosted template file, which is a malicious RTF file. That file exploits the Microsoft Equation Editor remote code execution vulnerability. When the victim opens the Word document, the remotely hosted template is fetched and parsed, which triggers the exploit, which in turn runs the malicious binary embedded in the RTF file. This binary is the final payload: it establishes a connection to the adversary's Command & Control (C2) server and awaits further commands.
We extracted a sample of this malicious Word document from a public malware database, where it was uploaded on July 31, 2020, and performed the detailed analysis discussed below. According to our analysis, the loader's compilation timestamp is around the same time as its upload to the public malware database.
Dropper Document Analysis:
URL scraped using script urlfrommaldoc
This analysis was carried out using a script called 'urlfrommaldoc', developed by our researcher, which extracts URLs from Microsoft Office documents. As the image above shows, the MS Word document is embedded with a link to an RTF file called 'rt.rtf', hosted on a compromised web server of Sardar Patel Academy & Research Centre [sparc(.)org(.)in]. As a result, whenever MS Word loads the document 'Verification Form for PARICHAY Account' that the victim first received, it also downloads the remote RTF file from that location and interprets it.
This is a common vector called "Document Template Injection", used by attackers to evade detection and to avoid exposing the whole attack chain up front.
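As an added example (not the urlfrommaldoc script itself), the check below pulls external-target relationships out of a .docx package and reports remote attached-template URLs, which is how template injection is visible before the document is ever opened; the sample package and its template-host.invalid URL are constructed placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Relationship parts that can carry a TargetMode="External" target.
# attachedTemplate (in settings.xml.rels) is the one abused for template injection.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
TEMPLATE_REL = "attachedTemplate"
REL_FILES = ("word/_rels/settings.xml.rels", "word/_rels/document.xml.rels")

def external_relationships(docx_bytes: bytes):
    """Return [(rels part, relationship type, target)] for every relationship
    whose target lives outside the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in REL_FILES:
            if name not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, rel_type, rel.get("Target", "")))
    return found

def remote_template_urls(docx_bytes: bytes):
    """Only the remote template targets: the first thing triage needs."""
    return [t for _, rel_type, t in external_relationships(docx_bytes)
            if rel_type == TEMPLATE_REL]

def build_sample_docx(template_url: str = "") -> bytes:
    """Constructed minimal package containing only the rels part the scanner
    reads. With an empty URL the template relationship is a normal internal one."""
    if template_url:
        rel = (f'<Relationship Id="rId1" Type="{OFFICE_REL}{TEMPLATE_REL}" '
               f'Target="{template_url}" TargetMode="External"/>')
    else:
        rel = f'<Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>'
    rels = f'<Relationships xmlns="{RELS_NS}">{rel}</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    # Placeholder host; the campaign's real URL is deliberately not reproduced.
    for url in remote_template_urls(build_sample_docx("http://template-host.invalid/rt.rtf")):
        print("remote template:", url)
```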
RTF File Analysis:
Generally, an RTF exploit uses OLE (Object Linking & Embedding) to enclose its payload within the document itself. The following analysis shows the extraction of the embedded RTF objects.
Embedded RTF Objects
File contents displaying call to equation.3 class
As the images above show (the embedded RTF objects and the file contents), the call to the class "2333tion.3" (which resolves to the class "Equation.3" during RTF parsing) gives us good reason to believe that this RTF file exploits CVE-2017-11882 in Microsoft Equation Editor.
Equation Editor (EQNEDT32.exe), a now-deprecated component of MS Office, was found vulnerable to a stack-based buffer overflow in 2017. It can lead to RCE via a specially crafted RTF file whose embedded objects invoke Equation Editor on malicious content. The exploit is popular among threat actors for gaining initial access because RTF files can easily be made to bypass antivirus using common obfuscation techniques.
CVE-2017-11882 occurs when EQNEDT32.EXE copies the font name into a locally created buffer. The buffer is only 40 (0x28) bytes; if the font name is longer than 40 bytes (in this case, 48 bytes), the buffer overflows and EBP, as well as the return address, is overwritten. Since only 40 bytes can be placed in this buffer, the exploit is well suited to being chained with a separately embedded payload.
The final payload is embedded using the "Package ActiveX Control" technique. This is another popular way of embedding a payload inside an RTF file, and it avoids the need for any further exploit stage to deliver it.
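As an added example (not from the original report or from Equation Editor), the Python check below walks an extracted "Equation Native" stream and flags FONT records whose name exceeds the 40-byte buffer described above. It assumes the stream has already been pulled out of the RTF's OLE object (for instance with rtfobj/olefile), follows the EQNOLEFILEHDR plus MTEF v3 header layout, and only steps over the record types needed to reach the first FONT record; the sample streams are constructed.

```python
import struct

MTEF_HEADER_LEN = 5      # version, platform, product, version, subversion
FONT_NAME_BUFFER = 40    # size (0x28) of the stack buffer the bug overflows

# MTEF v3: record type is the low nibble of the tag byte; the high nibble holds
# attribute flags that can append data to LINE/CHAR records.
REC_END, REC_LINE, REC_FONT = 0x00, 0x01, 0x08
DATALESS = {0x0A, 0x0B, 0x0C, 0x0D, 0x0E}   # FULL, SUB, SUB2, SYM, SUBSYM

def font_records(stream: bytes):
    """Yield (offset, name) for each FONT record reached. Records that carry
    variable-length data end the walk rather than being guessed at."""
    cb_hdr = struct.unpack_from("<H", stream, 0)[0]   # EQNOLEFILEHDR.cbHdr, 28
    pos = cb_hdr + MTEF_HEADER_LEN
    while pos < len(stream):
        tag = stream[pos]
        kind = tag & 0x0F
        if kind == REC_FONT:
            # layout: tag, typeface number, style, null-terminated name
            end = stream.find(b"\x00", pos + 3)
            end = len(stream) if end < 0 else end
            yield pos, stream[pos + 3:end]
            pos = end + 1
        elif kind in DATALESS or (kind == REC_LINE and tag & 0xF0 == 0):
            pos += 1
        else:
            return   # END record or a record type this walker does not handle

def oversized_font_names(stream: bytes):
    """[(offset, name length)] for FONT names that would not fit the 40-byte
    buffer, i.e. the CVE-2017-11882 trigger condition."""
    return [(off, len(name)) for off, name in font_records(stream)
            if len(name) > FONT_NAME_BUFFER]

def build_sample_stream(font_name: bytes) -> bytes:
    """Constructed stream: 28-byte EQNOLEFILEHDR, MTEF v3 header, FULL size,
    LINE, a FONT record carrying font_name, then END."""
    body = (b"\x03\x01\x01\x03\x0a" + b"\x0a" + b"\x01"
            + b"\x08\x01\x01" + font_name + b"\x00" + b"\x00")
    hdr = struct.pack("<HIHI16s", 28, 0x00020000, 0, len(body), b"\x00" * 16)
    return hdr + body

if __name__ == "__main__":
    print("benign :", oversized_font_names(build_sample_stream(b"Times New Roman")))
    print("suspect:", oversized_font_names(build_sample_stream(b"A" * 48)))  # 48-byte name
```

A stream that is flagged deserves a closer look in a sandbox, and the same walker can be extended with the remaining MTEF record types if full coverage is needed.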
Embedded executable using package
Once the exploit has done its job, the embedded executable "WORDICON.exe" is extracted to a predefined directory and executed.
Next, we analyzed this packed payload.
Packed Payload analysis:
A. Information Gathering
Routine to enumerate installed Antivirus
Enumeration of Installed Antivirus and other required things in Debugger
The function runs through a while loop containing a repeated sequence of nested conditional statements that check the attributes of static antivirus installation paths using "GetFileAttributes". The routine checks which antivirus is installed on the host and records the result in "InfoLog.txt"; if no AV is installed, it simply stores "NON" in the text file. Besides this, the loader collects information about installed hot patches, the Windows version, and the username by querying registry keys. Since it was executed in our environment, which had never been updated after installation, the loader saved "NON" for the hot patches.
B. Unpacking and Saving Files
We used HollowHunter since we had no idea what packer it was using, but it turned out that the payload was able to bypass it, so we switched to a manual approach to learn more about the techniques it follows. We simply put breakpoints on "CreateFileW" and "WriteFile", since we had noticed it was dropping files to disk, and then retrieved the attributes of the files being written. As the image below shows, the payload attempts to create and write the "credwiz.exe" file. Similarly, it writes out EntryFile.bat and DUser.dll, as we will see below.
Attackers use numerous defense evasion techniques to avoid detection, many of which are available in the public domain. credwiz.exe is a legitimate Microsoft application for credential backup, present from Windows 7 through current versions, so it helps with masquerading.
C. Gaining Persistence
The loader gains persistence via the commonly known "Registry Modification" method. Threat actors normally use this technique because it is easy to implement: any application that must run right after Windows boots has its path stored in a special registry key. Some legitimate applications use this mechanism too, and malware simply mimics it to look legitimate while maintaining a foothold on the machine.
Checking access to registry keys
Writing one-liner to EntryFile.bat
Because of UAC and the registry restrictions in place, it is difficult to perform certain registry modifications directly through the Win32 API provided by Microsoft; these restrictions have existed since the Windows 7 x64 release. So attackers tend to write batch files or execute one-liners for such jobs, which makes the operation simpler and more likely to succeed.
D. Data Exfiltration
Data exfiltration is the most important job of almost all backdoors, and attackers use various techniques to get data out of victim machines.
The final payload, DUser.dll, is responsible for establishing C2 communication and is loaded by credwiz.exe. The older variant of DUser.dll that we tracked previously was written in .NET, but this one is written in C++ and communicates with the C2 to upload files. The interesting part in this case is that we observed image files being sent to the C2 over a TCP socket.
Routine Initializing IP and port
Routine Initiating clean-up jobs
Network Streams in Wireshark showing exfiltration of image files
DUser.dll is in active development; we have come across variants with different capabilities.
In this chain, DUser.dll steals files of interest and uploads them to the adversary's C2 server by connecting over an arbitrary port using the standard Windows "winsock" library. Because it is loaded into credwiz.exe, a Microsoft-signed binary, the payload runs under a legitimate application and is quite difficult to detect.
MITRE ATT&CK Mapping of the TTPs used for the campaign:
Phishing: Spear-phishing Attachment – T1566.001
User Execution: Malicious File – T1204.002
Exploitation for Client Execution – T1203
Command and Scripting Interpreter: Windows Command Shell – T1059.003
Boot or Logon Auto-start Execution: Registry Run Keys/Start-up Folder – T1547.001
Create or Modify System Process: Windows Service – T1543.003
Masquerading: Match Legitimate Name or Location – T1036.005
Modify Registry – T1112
Template Injection – T1221
Indicator Removal on Host: File Deletion – T1070.004
Query Registry – T1012
Software Discovery: Security Software Discovery – T1518.001
System Information Discovery – T1082
Exfiltration over C2 Channel – T1041
More details on the procedures and mitigation methods can be found under the ATT&CK IDs listed above.
About CVE-2017-11882:
Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability".
A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
The exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office or Microsoft WordPad software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.
About DarkHotel:
AKA: APT-C-06 (Qihoo 360), SIG25 (NSA), Dubnium (Microsoft), Fallout Team (FireEye), Shadow Crane (CrowdStrike), ATK 52 (Thales), Higaisa (Tencent), T-APT-02 (Tencent), Luder
Motivation: Information theft and espionage
The activities of the DarkHotel advanced persistent threat (APT) actor came to light in November 2014, when Kaspersky published a report detailing a sophisticated cyberespionage campaign targeting business travelers in the Asia-Pacific region. The group has been around for more than a decade, and some researchers believe its members are Korean speakers. The attackers targeted their victims through several methods, including hotel Wi-Fi, zero-day exploits, and peer-to-peer (P2P) file-sharing websites. Nearly one year later, the group was observed using new attack techniques and an exploit leaked from Italian spyware maker Hacking Team. DarkHotel victims have been spotted in several countries, including North Korea, Russia, South Korea, Japan, Bangladesh, Thailand, Taiwan, China, the United States, India, Mozambique, Indonesia, and Germany. Until recently, the attacks appeared to focus on company executives, researchers, and development personnel from sectors such as the defense industrial base, military, energy, government, NGOs, electronics manufacturing, pharmaceuticals, and medicine. In more recent DarkHotel attacks, which security firm Bitdefender dubbed "Inexsmar," the hackers targeted political figures and appeared to be using some new methods.
About Donot Team:
AKA: APT-C-35 (Qihoo 360), SectorE02 (ThreatRecon)
Motivation: Information theft and espionage
In late January 2018, ASERT discovered a new modular malware framework they call "yty". The framework bears a striking resemblance to the EHDevel framework. Researchers believe with medium confidence that a team known as "Donot Team" is responsible for this malware and will resume targeting South Asia. In a likely effort to disguise the malware and its operations, the authors coded several references to football into the malware; it is unclear whether they mean American football or soccer. The theme may allow the network traffic to fly under the radar. The actors use false personas to register their domains instead of opting for privacy protection services; depending on the registrar chosen, this could be seen as another cost-control measure. The actors often used typo-squatting to slightly alter a legitimate domain name, while the registration information used accurate spelling, possibly indicating that the domain naming was intentional, typos included. Each unique registrant usually registered only a few domains, but mistakenly reused phone numbers, or the registration data showed a similar pattern across domains.
This report contains IoCs and MITRE ATT&CK-mapped techniques relating to the campaign; we recommend that organizations block the IoCs or create correlation rules in their SIEM to detect future attacks. We also suggest hunting across the network for existing signs of compromise, and mapping the defensive and mitigation measures that can be implemented based on the ATT&CK techniques identified.
Based on the execution chain and the functionality of the malware dropped, Volon Threat Research assesses that the attacker's interest lies in stealing government-related confidential information. The use of Parichay as a lure also suggests the campaign is designed to target Indian government employees, as the Parichay SSO platform is used by various Government of India agencies.
Attribution remains unclear, as in the past we have observed nation-state threat groups reuse techniques commonly associated with other groups in order to misattribute a targeted attack. In this particular campaign, the use of credwiz.exe could point to the DarkHotel APT, which does target India in sectors such as defense and military. A similar attack chain, in which the malicious DUser.dll is loaded through the legitimate Windows 7 executable rekeywiz.exe, has also been attributed to DarkHotel in a report by the security provider "Positive Technologies". However, searching the hash of the loader "WORDICON.exe" on the public internet, the community response and matching signature point to "Donot Team".
Also, CVE-2017-11882, the vulnerability exploited in this campaign, is very commonly used as an attack vector by nation-state and cybercrime threat actors alike. Volon Threat Research has published several reports on the exploitation of this vulnerability, which Volon customers can access on Intelligear, our Threat Intelligence Portal. We recommend that organizations prioritize patching CVE-2017-11882 if they have not already, and in general that they regularly apply the patches Microsoft provides for Windows systems and servers.
Indicators of Compromise
“Verification Form for PARICHAY Account.docx”
sha256 C:\Windows\Tasks\WORDICON.exe 70e2236e467d2b453e6c412d32d0bd0ab256603e50339b644d064de18dbcb539
sha256 C:\ProgramData\MicrosoftSDK\credwiz.exe 17eabfb88a164aa95731f198bd69a7285cc7f64acd7c289062cd3979a4a2f5bf
sha256 C:\ProgramData\MicrosoftSDK\DUser.dll 1d09e91d72c86216f559760da0f07acdc0cff8c0649c6e1782db1f20dcc7e48f
sha256 rt.rtf 6c0bd378ecd60d87f2b5b731723fa656dd7a08c039d9e0a7383b8aa9c2f3c5ba
Domains and URLs:
Report Credits : Chaitanya Haritash / Aditi Tanna