Monday, December 1, 2014

Operation Mangal - Win32 / Syndicasec Used In Targeted Attacks Against Indian Government Organizations - Part-1 : Exploits, Attack Timeline And Targets


Over the last couple of months, we've observed several RTF exploits floating around in the wild, targeting multiple Indian government organizations. The first of this series of RTF exploits was found to be around on 21st August 2014; subsequently, multiple variants of the same exploit were seen until the end of September and through October. The contents of the documents are politically themed, targeting multiple local and overseas Indian government establishments.

Recent political reforms undertaken by the new Indian government, the Prime Minister's visits to Japan and the United States as well as his meeting with the Chinese president, recent UNSC reforms and a series of other similar political events have generated quite a movement among APT actors. I believe this could be part of a possible campaign, involving a group of APT actors, targeting positive political movements and disrupting the intent of developing and strengthening bilateral ties with the neighbouring countries and the United States.

I've decided to dub this wave of attacks "Operation Mangal", based on the original name of the APT and on the recent success of ISRO's MangalYaan, which has distinguished India as a whole from the rest of the world.

Vulnerability :

All the RTF exploits have been found to exploit the old and long-patched vulnerability CVE-2012-0158 in the MSCOMCTL.OCX (Windows Common Controls) ActiveX control, fixed by Microsoft in MS12-027 in April 2012 and triggered through an ActiveX control embedded in the document. It has already been used in several targeted campaigns in the past and continues to be popular in ongoing targeted attack campaigns; a system with the MS12-027 update applied is not affected. Exploit-laden document files have been found in the wild with the following filenames:

Modi’s foreign policy agenda.rtf
ASEAN-India Agreemnet On Investment.doc
Planning Commission Reform Note FINAL.doc
High Speed Railways.doc
ASEAN-India Comprehensive Brief 2014.doc
Bilateral.doc

Attack vector :

The attack is believed to be carried out via the RTF exploit (CVE-2012-0158) delivered as an attachment to spear-phishing emails targeting Indian organizations. On launching the exploit, it drops an executable named dw20.exe in the %temp% directory; dw20.exe in turn drops gupdate.exe at the same location, and gupdate.exe connects to multiple C&C servers in a staged fashion. Note that dw20.exe is also the name of the legitimate Microsoft Office error-reporting tool (DW20.EXE), so the location (%temp% rather than the Office installation directory) is the indicator, not the filename. Following is a high-level picture of how the attack works:

Overall working of the attack

Below is a visualization of the timeline of this attack over the period of the last 3 months:

Exploit Analysis :

All the RTF exploits used in this campaign use staged shellcode. Spotting the shellcode in the exploit is fairly straightforward, and it uses the well-known technique of resolving API names from their hashes rather than embedding the names as strings.

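The hash-to-name matching that the shellcode performs, as an added example written for this post (it is not the shellcode's own code and does not come from the original page): a ROR13 hash routine of the kind used by many Win32 shellcodes, a constructed stand-in for a module's export name table, and a resolver that turns the hash immediates pulled out of a blob back into API names. The export list and the sample hash values are constructed for the example; the two known constants (0xEC0E4E8E for LoadLibraryA, 0x7C0DFCAA for GetProcAddress) are the ROR13 hashes of those names. Whether this campaign's shellcode uses ROR13 specifically is not stated on the page and is an assumption here; the matching logic is the same for other rotate-and-add variants once the rotation count is read off the disassembly.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ROR13 hash as used by many Win32 shellcodes: for each byte of the name,
 * rotate the running value right by 13 bits and add the byte. */
static uint32_t ror13_hash(const char *name)
{
    uint32_t h = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        h = (h >> 13) | (h << 19);
        h += *p;
    }
    return h;
}

/* Constructed stand-in for a module's export name table (assumption: a real
 * resolver walks PEB -> Ldr -> module list -> export directory to get this
 * list; only the name-matching step is modelled here). */
static const char *const kernel32_exports[] = {
    "CloseHandle", "CreateFileA", "ExitProcess", "GetFileSize",
    "GetProcAddress", "LoadLibraryA", "ReadFile", "VirtualAlloc",
    "WriteFile",
};
#define N_EXPORTS (sizeof kernel32_exports / sizeof kernel32_exports[0])

/* Resolve one hash to an export name, exactly as the shellcode does at run
 * time and as an analyst does when annotating it. NULL if nothing matches. */
static const char *resolve_hash(uint32_t want)
{
    for (size_t i = 0; i < N_EXPORTS; i++)
        if (ror13_hash(kernel32_exports[i]) == want)
            return kernel32_exports[i];
    return NULL;
}

/* Annotate a list of hashes carved out of a shellcode blob. Writes the
 * resolved names into out[] (NULL for unknown) and returns the hit count. */
static size_t annotate_hashes(const uint32_t *hashes, size_t n, const char **out)
{
    size_t resolved = 0;
    for (size_t i = 0; i < n; i++) {
        out[i] = resolve_hash(hashes[i]);
        if (out[i])
            resolved++;
    }
    return resolved;
}

int main(void)
{
    /* Constructed sample: immediates of the kind found next to the resolver
     * call. 0xDEADBEEF stands in for a hash no export in our table matches. */
    const uint32_t sample[] = { 0xEC0E4E8E, 0x7C0DFCAA, 0xDEADBEEF };
    const char *names[3];
    size_t hits = annotate_hashes(sample, 3, names);
    for (size_t i = 0; i < 3; i++)
        printf("%08X -> %s\n", (unsigned)sample[i],
               names[i] ? names[i] : "(unresolved)");
    printf("%zu of 3 resolved\n", hits);
    return 0;
}
```

To annotate a real sample, dump the 32-bit immediates pushed before each call into the resolver stub and feed them to annotate_hashes with the export lists of the modules the shellcode walks (kernel32 first, since LoadLibraryA and GetProcAddress bootstrap everything else). An unresolved hash usually means a different module or a different rotation count, not a collision.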
Once the APIs are resolved, it tries to locate itself in memory by enumerating file handles (a common way for document-borne shellcode to find the open exploit file), then reads the 1st stage shellcode into allocated virtual memory, from where it is used to decrypt the 2nd stage shellcode.

Below is the routine from the 1st stage shellcode that decrypts the 2nd stage and then jumps to it.

The "datastore" of the RTF exploit contains the embedded XORed executable, which is accessed by the 2nd stage shellcode.

The 2nd stage shellcode then decrypts the embedded binary and the embedded decoy document using the same decryption algorithm, eventually dropping them in the %Temp% directory (the binary under the name dw20.exe) and executing the binary.

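Recovering the embedded executable from the datastore without running the shellcode, as an added example for the two paragraphs above (this is not the author's tooling and not code from the page): the scan assumes a single-byte XOR key, since the page gives neither the key nor its length, and works on the raw bytes of the datastore after the RTF hex encoding has been undone (that step is not shown). Rather than guessing the key, it derives it at every offset from the expected 'M' of the MZ signature and confirms the guess against structure the key cannot fake: the 'Z', a sane e_lfanew at DOS-header offset 0x3C, and the "PE\0\0" signature it points to. The sample blob is constructed inline for the example and is not data from the campaign.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Single-byte XOR is its own inverse, so one routine encodes and decodes. */
static void xor_bytes(const uint8_t *src, uint8_t *dst, size_t n, uint8_t key)
{
    for (size_t i = 0; i < n; i++)
        dst[i] = src[i] ^ key;
}

/* Scan blob for a PE image XORed with a single-byte key (assumption: the
 * page does not state the key length). At each offset, take the key that
 * would turn the first byte into 'M', check the 'Z', decode e_lfanew from
 * DOS-header offset 0x3C and require "PE\0\0" there. Returns 1 and fills
 * *off/*key on success, 0 if no candidate passes all checks. */
static int find_xor_pe(const uint8_t *blob, size_t len, size_t *off, uint8_t *key)
{
    for (size_t i = 0; i + 0x40 <= len; i++) {
        uint8_t k = blob[i] ^ 'M';
        if ((blob[i + 1] ^ k) != 'Z')
            continue;
        uint32_t e_lfanew = (uint32_t)(blob[i + 0x3C] ^ k)
                          | (uint32_t)(blob[i + 0x3D] ^ k) << 8
                          | (uint32_t)(blob[i + 0x3E] ^ k) << 16
                          | (uint32_t)(blob[i + 0x3F] ^ k) << 24;
        /* The NT header must lie past the DOS header and inside the blob. */
        if (e_lfanew < 0x40 || e_lfanew > len - i - 4)
            continue;
        const uint8_t *pe = blob + i + e_lfanew;
        if ((pe[0] ^ k) == 'P' && (pe[1] ^ k) == 'E' &&
            (pe[2] ^ k) == 0 && (pe[3] ^ k) == 0) {
            *off = i;
            *key = k;
            return 1;
        }
    }
    return 0;
}

#define SAMPLE_KEY    0x5C
#define SAMPLE_PREFIX 37
#define SAMPLE_IMAGE  0x44

/* Constructed sample (not data from the campaign): 37 bytes of printable
 * filler standing in for surrounding datastore content, followed by a
 * minimal DOS header whose e_lfanew points at a "PE\0\0" signature, the
 * image XORed with SAMPLE_KEY. Returns the total length written to out. */
static size_t build_sample(uint8_t *out)
{
    uint8_t image[SAMPLE_IMAGE];
    memset(image, 0, sizeof image);
    image[0] = 'M';
    image[1] = 'Z';
    image[0x3C] = 0x40;                 /* e_lfanew = 0x40 */
    image[0x40] = 'P';
    image[0x41] = 'E';                  /* bytes 0x42, 0x43 stay zero */
    for (size_t i = 0; i < SAMPLE_PREFIX; i++)
        out[i] = (uint8_t)(0x20 + (i * 7) % 60);
    xor_bytes(image, out + SAMPLE_PREFIX, sizeof image, SAMPLE_KEY);
    return SAMPLE_PREFIX + sizeof image;
}

/* Scan the first `limit` bytes of the sample (0 = all of it). Packs the
 * result as offset * 256 + key so one call yields both; -1 on a miss. */
static long scan_sample(size_t limit)
{
    uint8_t buf[SAMPLE_PREFIX + SAMPLE_IMAGE];
    size_t len = build_sample(buf);
    size_t off = 0;
    uint8_t key = 0;
    if (limit && limit < len)
        len = limit;
    if (!find_xor_pe(buf, len, &off, &key))
        return -1;
    return (long)off * 256 + key;
}

int main(void)
{
    long r = scan_sample(0);
    if (r < 0) {
        puts("no XORed PE found");
        return 1;
    }
    printf("XORed PE at offset %ld, key 0x%02lX\n", r / 256, (unsigned long)(r % 256));
    return 0;
}
```

Once the offset and key are known, xor_bytes over the rest of the datastore yields the dropped dw20.exe for static analysis. The decoy document can be recovered the same way by swapping the header check for its own fixed signature (for example the RTF "{\rtf" prefix or the OLE compound-file magic), which matters when the key differs between the two payloads.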
Here is how the complete shellcode looks:

Some of the other decoy documents that have been found in the ongoing campaign:

Based on further research into the origin of these targeted attacks against India, I believe this campaign has been going on since 2010, during which time this threat was active in a limited geographical area in Nepal and China. Subsequently, during this span of 4 years, several different families of malware could have been used to exfiltrate information from multiple compromised machines within the targeted Indian organizations.

Based on the nature and theme of the exploits used in the attack, I am led to believe that this could be a continued attempt at cyber espionage against India, with the intent to steal confidential data and documents that could be of national interest.

In this wave, I believe the following organizations were targeted using multiple variants of RTF exploits taking advantage of the same vulnerability.

  • Indian embassies in United States and China
  • Military / Defence educational institutions in India
  • Institute of Defence Analysis and Studies, India
  • Defence Intelligence Agency under Ministry of Defence in India
A while back, when taking a closer look at this attack, I came across a very interesting paper published way back in 2010, elucidating a similar espionage attempt against India and relating very closely to this ongoing attack, with similar targets. It perhaps clears the way to perceive that this is a closely knit group of APT authors focusing on this locality.


In the next part, I will take a deep dive into the family of malware dropped by these exploits and its network communications, to get a better visualization of the techniques used and how this threat works as a whole.

