Indian Government SSO Platform “Parichay” used as Lure to target Govt Agencies

Volon Threat Research has identified a recent threat campaign targeting employees of Indian government agencies that uses Parichay [parichay.nic.in], the official Single Sign-On (SSO) platform of the Government of India, as a lure. SSO is a session and user authentication service that lets a user access multiple applications with one set of login credentials. The activity is a concern for Indian government entities and for the organisations linked to them.

Based on the analysis, the attribution remains unclear: the payload and the publicly referenced sample signature point this campaign to two distinct threat groups, the North Korea-nexus “DarkHotel” APT and the “Donot Team” (APT-C-35), which is suspected of having a government background in a South Asian country.

Technical Analysis:

The TTP identified in this campaign is as follows: the adversary emails the victim a Word document titled ‘Verification Form for PARICHAY Account.docx’, which looks realistic enough to lure the victim into opening it.

Malicious Word document titled ‘Verification Form for PARICHAY Account’

This Word document is embedded with a link to a remotely hosted template file, which is a malicious RTF file aimed at exploiting the Microsoft Equation Editor remote code execution vulnerability. When the victim opens the Word document, the remotely hosted template is loaded, triggering the exploit, which in turn executes the malicious binary embedded in the RTF file. This binary is the final payload; it establishes a connection to the adversary’s Command & Control (C2) server and awaits further commands.

We extracted a sample of this malicious Word document from a public malware database, where it was uploaded on July 31, 2020, and performed the detailed analysis discussed below. According to our analysis, the loader’s compilation timestamp is close to the time it was uploaded to the public malware database.

Dropper Document Analysis:

URL scraped using script urlfrommaldoc

This analysis was carried out using a script called ‘urlfrommaldoc’, developed by our researcher, which extracts URLs from Microsoft Office documents. As seen in the image above, the MS Word document is embedded with a link to an RTF file called ‘rt.rtf’, hosted on a compromised web server belonging to Sardar Patel Academy & Research Centre [sparc(.)org(.)in]. As a result, whenever MS Word loads the document ‘Verification Form for PARICHAY Account’ that the victim first received, it also downloads the remote RTF file from that page and interprets it.

This is a common vector, “Document Template Injection”, used by attackers to evade detection and to avoid exposing the whole attack chain in the initial document.
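The relationship that carries such a remote template link can be checked offline. The following is an added example, not the report’s ‘urlfrommaldoc’ script: it walks the relationship parts of a .docx package and reports only attachedTemplate relationships with an HTTP(S) target, distinguishing them from ordinary external hyperlinks; the sample document and its URL are constructed here.

```python
"""Flag remote-template links (Template Injection, T1221) in a .docx file.

Added example, not the 'urlfrommaldoc' script mentioned in the report. A .docx is a
ZIP of XML parts; Word records a remotely attached template as a Relationship of type
.../attachedTemplate with TargetMode="External" in word/_rels/settings.xml.rels.
Ordinary hyperlinks are External relationships too, so the check keys on the type.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

def find_external_relationships(docx_bytes: bytes) -> list[dict]:
    """Every TargetMode="External" relationship in the package, with its source part."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    hits.append({"part": name,
                                 "type": rel.get("Type", "").rsplit("/", 1)[-1],
                                 "target": rel.get("Target", "")})
    return hits

def remote_template_urls(docx_bytes: bytes) -> list[str]:
    """HTTP(S) targets of attachedTemplate relationships; the lure's link to rt.rtf would appear here."""
    return [h["target"] for h in find_external_relationships(docx_bytes)
            if h["type"] == "attachedTemplate" and re.match(r"https?://", h["target"], re.I)]

def build_sample_docx(template_url: str) -> bytes:
    """Constructed minimal .docx: one remote template plus one benign hyperlink (test input only)."""
    def rels(rid: str, rtype: str, target: str) -> str:
        return (f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{RELS_NS}">'
                f'<Relationship Id="{rid}" Type="{OFFICE_REL}{rtype}" Target="{target}" '
                f'TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/_rels/settings.xml.rels", rels("rId1", "attachedTemplate", template_url))
        zf.writestr("word/_rels/document.xml.rels", rels("rId2", "hyperlink", "https://parichay.nic.in/"))
    return buf.getvalue()

if __name__ == "__main__":
    # Placeholder URL; the real lure pointed at rt.rtf on a compromised site.
    sample = build_sample_docx("https://compromised-site.example/wp-content/uploads/now/rt.rtf")
    for url in remote_template_urls(sample):
        print("remote template:", url)  # only the attachedTemplate target is reported, not the hyperlink
```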

RTF File Analysis:

Generally, an RTF exploit uses OLE (Object Linking & Embedding) to enclose payloads within the document itself. The following analysis displays the extraction of the embedded RTF objects.

Embedded RTF Objects

File contents displaying call to equation.3 class

As can be seen from the images above, which show the embedded RTF objects and the analysis of the file contents, the call to the class “2333tion.3” (which is matched to the class “Equation.3” during RTF parsing) is a strong indication that this RTF file exploits CVE-2017-11882 in Microsoft Equation Editor.

Equation Editor (EQNEDT32.exe), a now-deprecated component of MS Office, was found vulnerable to a stack-based buffer overflow in 2017. It can lead to RCE via a specially crafted RTF file embedded with objects that invoke Equation Editor with malicious content. The exploit is popular among threat actors for gaining a foothold inside infrastructures because RTF files can easily bypass antivirus using common obfuscation techniques.

The vulnerability CVE-2017-11882 occurs when EQNEDT32.EXE copies the font name into a locally created buffer. The buffer is only 40 (0x28) bytes; if the font name is longer than 40 bytes (in this case 48 bytes), the buffer overflows and EBP, as well as the return address, is overwritten. Since the buffer allows only 40 bytes to be written, this vector is well suited to being chained with a separate payload-delivery technique.

The final payload is embedded using the “Package ActiveX Control” technique, another popular way to embed executables inside RTF files so that no further exploit chaining is required.

Embedded executable using package

Once the exploit has run, the embedded executable “WORDICON.exe” is extracted to a predefined directory and executed.

Next, we performed an analysis of this packed payload.

Packed Payload analysis:

A. Information Gathering

 

Routine to enumerate installed Antivirus

Enumeration of Installed Antivirus and other required things in Debugger

The function runs through a while loop with a repeated sequence of nested conditional statements that check the attributes of static antivirus installation paths using “GetFileAttributes”. The routine checks for antivirus installed on the host and records the result in “InfoLog.txt”; if no AV is installed, it simply stores “NON” in the text file. Besides this, the loader collects information about installed hotfixes, the Windows version and the username by querying registry keys. Since it was executed in our environment, which had never been updated after installation, the loader saved “NON” for the hotfixes as well.

B. Unpacking and Saving Files

We first tried HollowsHunter, since we did not know which packer was in use, but the payload evaded it, so we switched to a manual approach to learn more about the techniques it uses. We set breakpoints on “CreateFileW” and “WriteFile”, since we had noticed it dropping files to disk, and then retrieved the attributes of the files being written. As seen in the image below, the payload creates and writes the “credwiz.exe” file; it similarly writes out EntryFile.bat and DUser.dll, as shown further below.

CredWiz.exe Unpack

Attackers use numerous defense evasion techniques to avoid detection, many of which are publicly documented. credwiz.exe is a legitimate Microsoft application for credential backup, present from Windows 7 to current versions, so reusing its name helps the payload masquerade as a trusted binary.

C. Gaining Persistence

The loader attains persistence via the well-known “Registry Modification” method. Threat actors commonly use this technique because it is easy to implement: any application that needs to run right after Windows boots has its path stored in a special registry key. Some legitimate applications use this mechanism too; malware mimics it to look legitimate while maintaining a foothold on the machine.

Checking access to registry keys

Writing one-liner to EntryFile.bat

Because of UAC and the registry restrictions introduced with the Windows 7 x64 release, certain registry modifications are difficult to perform directly through the Win32 API provided by Microsoft. Attackers therefore tend to write batch files or execute one-liners for such jobs, which makes the operation simpler and more likely to succeed.

D. Data Exfiltration

Data exfiltration is the primary job of almost all backdoors, and attackers use a variety of techniques to move data out of victim machines.

The final payload, DUser.dll, is responsible for establishing C2 communication and is loaded by credwiz.exe. An older variant of DUser.dll that we had tracked previously was written in .NET; this one is written in C++ and communicates with the C2 to upload files. Interestingly, we observed image files being sent to the C2 over a TCP socket.

PE information

Routine Initializing IP and port

Routine Initiating clean-up jobs

Network Streams in Wireshark showing exfiltration of image files

DUser.dll is under active development; we have come across variants with different capabilities.

In this chain, DUser.dll is responsible for stealing files of interest and uploading them to the adversary’s C2 server, connecting over an arbitrary port using the standard Windows “winsock” library. Because it is loaded by “credwiz.exe”, a Microsoft-signed binary, the payload runs under a legitimate application, which makes it quite difficult to detect.

Execution Chain:

MITRE ATT&CK Mapping of the TTPs used for the campaign:

Initial Access:

Phishing: Spear-phishing Attachment – T1566.001

Execution:

User Execution: Malicious File – T1204.002

Exploitation for Client Execution – T1203

Command and Scripting Interpreter: Windows Command Shell – T1059.003

Persistence:

Boot or Logon Auto-start Execution: Registry Run Keys/Start-up Folder – T1547.001

Create or Modify System Process: Windows Service – T1543.003

Defense Evasion:

Masquerading: Match Legitimate Name or Location – T1036.005

Modify Registry – T1112

Template Injection – T1221

Indicator Removal on Host: File Deletion – T1070.004

Discovery:

Query Registry – T1012

Software Discovery: Security Software Discovery – T1518.001

System Information Discovery – T1082

Exfiltration:

Exfiltration over C2 Channel – T1041

More details on the procedures and mitigation methods can be viewed by clicking on the ATT&CK IDs mentioned above.

About CVE-2017-11882:

Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka “Microsoft Office Memory Corruption Vulnerability”.

A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office or Microsoft WordPad software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.

(Vendor Fix): https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882

About DarkHotel:

AKA: APT-C-06 (Qihoo 360), SIG25 (NSA), Dubnium (Microsoft), Fallout Team (FireEye), Shadow Crane (CrowdStrike), ATK 52 (Thales), Higaisa (Tencent), T-APT-02 (Tencent), Luder

Motivation: Information theft and espionage

The activities of the DarkHotel advanced persistent threat (APT) actor came to light in November 2014, when Kaspersky published a report detailing a sophisticated cyberespionage campaign targeting business travelers in the Asia-Pacific region. The group has been around for more than a decade and some researchers believe its members are Korean speakers. The attackers targeted their victims using several methods, including through their hotel’s Wi-Fi, zero-day exploits, and peer-to-peer (P2P) file-sharing websites. Nearly one year later, the threat group was observed using new attack techniques and an exploit leaked from Italian spyware maker Hacking Team. DarkHotel victims have been spotted in several countries, including North Korea, Russia, South Korea, Japan, Bangladesh, Thailand, Taiwan, China, the United States, India, Mozambique, Indonesia, and Germany. Up until recently, the attacks appeared to focus on company executives, researchers, and development personnel from sectors such as defense industrial base, military, energy, government, NGOs, electronics manufacturing, pharmaceutical, and medical. In more recent DarkHotel attacks it has dubbed “Inexsmar,” security firm Bitdefender said the hackers targeted political figures, and they appeared to be using some new methods.

About Donot Team:

AKA: APT-C-35 (Qihoo 360), SectorE02 (ThreatRecon)

Motivation: Information theft and espionage

In late January 2018, ASERT discovered a new modular malware framework that it calls “yty”. The framework bears a striking resemblance to the EHDevel framework. Researchers believe with medium confidence that a team known as “Donot Team” is responsible for this malware and will resume targeting South Asia. In a likely effort to disguise the malware and its operations, the authors coded several football references into the malware; it is unclear whether they mean American football or soccer. The theme may allow the network traffic to fly under the radar. The actors use false personas to register their domains instead of opting for privacy protection services; depending on the registrar chosen, this could be another cost-control measure. The actors often used typo-squatting to slightly alter a legitimate domain name, whereas the registration information used accurate spelling, possibly indicating that the domain naming was intentional, typos included. Each unique registrant usually registered only a few domains, but mistakenly reused phone numbers, or the registration data followed a similar pattern across domains.

The report contains IoCs and MITRE ATT&CK-mapped techniques relating to the campaign; we recommend that organisations block the IoCs or create correlation rules in their SIEM to detect future attacks. We also suggest hunting across the infrastructure for existing signs of compromise and mapping the defensive and mitigation measures that can be implemented based on the ATT&CK techniques identified.
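As an added example of the correlation rules recommended above (not part of the Volon report), the following encodes the execution chain described in the Packed Payload analysis as behavioural checks over process telemetry: a child process of Equation Editor, an executable running from C:\Windows\Tasks, credwiz.exe running outside System32, DUser.dll loaded from a non-system path, and a Run key pointing into ProgramData. The log lines are constructed in a simplified key="value" form; the dropped-file paths are those listed in the report, while the batch file’s directory and the Run key value name are assumptions.

```python
"""Correlation rules for the execution chain of the Parichay lure (added example).

Not part of the Volon report. Log lines are constructed in a simplified key="value"
form resembling Sysmon process-create, image-load and registry events. Dropped-file
paths come from the report; the .bat directory and Run value name are placeholders.
"""
import re
from typing import Iterator

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
SYSTEM32 = "c:\\windows\\system32\\"

SAMPLE_LOG = """\
event="ProcessCreate" image="C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE" parent="C:\\Windows\\explorer.exe"
event="ProcessCreate" image="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" parent="C:\\Windows\\System32\\svchost.exe"
event="ProcessCreate" image="C:\\Windows\\Tasks\\WORDICON.exe" parent="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE"
event="ProcessCreate" image="C:\\Windows\\System32\\cmd.exe" parent="C:\\Windows\\Tasks\\WORDICON.exe" cmdline="cmd.exe /c C:\\ProgramData\\MicrosoftSDK\\EntryFile.bat"
event="RegistrySetValue" image="C:\\Windows\\System32\\reg.exe" key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MicrosoftSDK" value="C:\\ProgramData\\MicrosoftSDK\\credwiz.exe"
event="ProcessCreate" image="C:\\ProgramData\\MicrosoftSDK\\credwiz.exe" parent="C:\\Windows\\Tasks\\WORDICON.exe"
event="ImageLoad" image="C:\\ProgramData\\MicrosoftSDK\\credwiz.exe" module="C:\\ProgramData\\MicrosoftSDK\\DUser.dll"
event="ProcessCreate" image="C:\\Windows\\System32\\credwiz.exe" parent="C:\\Windows\\explorer.exe"
event="ImageLoad" image="C:\\Windows\\System32\\credwiz.exe" module="C:\\Windows\\System32\\duser.dll"
"""

def parse(line: str) -> dict:
    return dict(FIELD_RE.findall(line))

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(ev: dict) -> Iterator[str]:
    """Yield one finding per rule the event matches."""
    kind, image, parent = ev.get("event"), ev.get("image", ""), ev.get("parent", "")
    if kind == "ProcessCreate":
        # Equation Editor is deprecated and should never spawn anything (T1203).
        if basename(parent) == "eqnedt32.exe":
            yield f"EQNEDT32 child process: {image}"
        # WORDICON.exe was dropped to the Tasks folder, an unusual place to run code from.
        if image.lower().startswith("c:\\windows\\tasks\\"):
            yield f"Execution from C:\\Windows\\Tasks: {image}"
        # Genuine credwiz.exe lives in System32; any other copy is masquerading (T1036.005).
        if basename(image) == "credwiz.exe" and not image.lower().startswith(SYSTEM32):
            yield f"credwiz.exe outside System32: {image}"
    elif kind == "ImageLoad":
        # The final payload DUser.dll is loaded by credwiz.exe from the drop directory.
        module = ev.get("module", "")
        if basename(module) == "duser.dll" and not module.lower().startswith(SYSTEM32):
            yield f"DUser.dll loaded from non-system path by {image}: {module}"
    elif kind == "RegistrySetValue":
        # Run-key persistence (T1547.001) pointing at a binary under ProgramData.
        if "\\currentversion\\run\\" in ev.get("key", "").lower() and \
           ev.get("value", "").lower().startswith("c:\\programdata\\"):
            yield f"Run key points into ProgramData: {ev['value']}"

def scan(log_text: str) -> list[str]:
    """Apply every rule to every non-empty line; benign System32 activity yields nothing."""
    return [f for line in log_text.splitlines() if line.strip() for f in evaluate(parse(line))]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```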

Volon’s Assessment

Based on the execution chain and the functionality of the malware dropped, Volon Threat Research assesses that the attacker’s interest lies in stealing government-related confidential information. The use of Parichay as a lure also indicates that the campaign is designed to target Indian Government employees, as the Parichay SSO platform is used by various Government agencies of India.

Additionally, the attribution remains unclear, as in the past we have observed various nation-state threat groups adopt techniques commonly used by other groups in order to misdirect attribution of a targeted attack. In this particular campaign, the use of credwiz.exe could be attributed to APT DarkHotel, which does target India in sectors such as defense and military. A similar attack chain has also been carried out by the DarkHotel group, loading the malicious DUser.dll through a legitimate Windows 7 executable, rekeywiz.exe, as shown in a report by the security provider “Positive Technologies”. However, searching the hash of the loader “WORDICON.exe” on the public internet, the community response and matching signatures point to “Donot Team”.

Also, the vulnerability CVE-2017-11882 exploited in this campaign is very commonly used as an attack vector by various nation-state and cyber-crime threat actors. Volon Threat Research has published several reports on the exploitation of this vulnerability, which Volon customers can access on Intelligear – Threat Intelligence Portal. We recommend that organisations prioritize patching CVE-2017-11882 if they have not already done so and, in general, regularly apply the patches Microsoft provides for Windows systems and servers.

Indicators of Compromise


Report Credits: Chaitanya Haritash / Aditi Tanna
