On May 18, 2016, FireEye Labs observed a suspected Pakistan-based APT group sending spear phishing emails to Indian government officials. This threat actor has been active for several years and conducting suspected intelligence collection operations against South Asian political and military targets.
This group frequently uses a toolset that consists of a downloader and modular framework that uses plugins to enhance functionality, ranging from keystroke logging to targeting USB devices. We initially reported on this threat group and their UPDATESEE malware in our FireEye Intelligence Center in February 2016. Proofpoint also discussed the threat actors, whom they call Transparent Tribe, in a March blog post.
In this latest incident, the group registered a fake news domain, timesofindiaa[.]in, on May 18, 2016, and then used it to send spear phishing emails to Indian government officials on the same day. The emails referenced the Indian Government’s 7th Central Pay Commission (CPC). These Commissions periodically review the pay structure for Indian government and military personnel, a topic that would be of interest to government employees.
Malware Delivery Method
In all emails sent to these government officials, the actor used the same attachment: a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload.
In previous incidents involving this threat actor, we observed them using malicious documents hosted on websites about the Indian Army, instead of sending these documents directly as an email attachment.
The email (Figure 1) pretends to be from an employee working at Times of India (TOI) and requests the recipient to open the attachment associated with the 7th Pay Commission. Only one of the recipient email addresses was publicly listed on a website, suggesting that the actor harvested the other non-public addressees through other means.
Figure 1: Contents of the Email
A review of the email header data from the spear phishing messages showed that the threat actors sent the emails using the same infrastructure they have used in the past.
Despite being an older vulnerability, many threat actors continue to leverage CVE-2012-0158 to exploit Microsoft Word. This exploit file made use of the same shellcode that we have observed this actor use across a number of spear phishing incidents.
Figure 2: Exploit Shellcode used to Locate and Decode Payload
The shellcode (Figure 2) searches for and decodes the executable payload contained in memory between the beginning and ending file markers 0xBABABABA and 0xBBBBBBBB, respectively. After decoding is complete, the shellcode proceeds to save the executable payload into %temp%\svchost.exe and calls WinExec to execute the payload. After the payload is launched, the shellcode runs the following commands to prevent Microsoft Word from showing a recovery dialog:
Lastly, the shellcode overwrites the malicious file with a decoy document related to the Indian defense forces’ pay scale / matrix (Figure 3), displays it to the user and terminates the exploited instance of Microsoft Word.
Figure 3: Decoy Document related to 7th Pay Commission
The decoy document's metadata (Figure 4) suggests that it was created fairly recently by the user “Bhopal”.
Figure 4: Metadata of the Document
The payload is a backdoor that we call the Breach Remote Administration Tool (BreachRAT) written in C++. We had not previously observed this payload used by these threat actors. The malware name is derived from the hardcoded PDB path found in the RAT: C:\Work\Breach Remote Administration Tool\Release\Client.pdb. This RAT communicates with 126.96.36.199, a command and control (C2) IP address that this group has used previously with other malware, including DarkComet and NJRAT.
The following is a brief summary of the activities performed by the dropped payload:
1. Decrypts resource 1337 using a hard-coded 14-byte key "MjEh92jHaZZOl3". The encryption/decryption routine (refer to Figure 5) can be summarized as follows:
Figure 5: Encryption/ Decryption Function
- Generate an array of integers from 0x00 to 0xff
- Scrambles the state of the table using the given key
- Encrypts or decrypts a string using the scrambled table from (b).
- A python script, which can be used for decrypting this resource, is provided in the appendix below.
2. The decrypted resource contains the C2 server’s IP address as well as the mutex name.
3. If the mutex does not exist and a Windows Startup Registry key with name “System Update” does not exist, the malware performs its initialization routine by:
- Copying itself to the path %PROGRAMDATA%\svchost.exe
- Sets the Windows Startup Registry key with the name “System Update” which points to the above dropped payload.
4. The malware proceeds to connect to the C2 server at 188.8.131.52 at regular intervals through the use of TCP over port 10500. Once a successful connection is made, the malware tries to fetch a response from the server through its custom protocol.
5. Once data is received, the malware skips over the received bytes until the start byte 0x99 is found in the server response. The start byte is followed by a DWORD representing the size of the following data string.
6. The data string is encrypted with the above-mentioned encryption scheme with the hard-coded key “AjN28AcMaNX”.
7. The data string can contain various commands sent by the C2 server. These commands and their string arguments are expected to be in Unicode. The following commands are accepted by the malware:
As with previous spear-phishing attacks seen conducted by this group, topics related to Indian Government and Military Affairs are still being used as the lure theme in these attacks and we observed that this group is still actively expanding their toolkit. It comes as no surprise that cyber attacks against the Indian government continue, given the historically tense relations in the region.
Encryption / Decryption algorithm translated into Python