In November last year, I blogged about Operation Mangal, an ongoing targeted attack campaign against several Indian domestic and overseas organizations, which I have been actively tracking since last year. In my previous analysis of this attack I uncovered several exploits that were politically themed and closely tied to India’s developmental agenda. The exploits lured victims into opening malicious documents that compromised their machines and stole confidential data. We found that this campaign has been running since 2010, with periodic variations in the malware families used.
Since January this year, we have seen a steady flow of similar exploits as part of this campaign. These exploits continue to be politically themed and closely follow national events. The following are some recent exploit filenames or themes:
- Indian Diplomacy At Work — UNSC Reforms.doc (MD5: faa97d7c792e3d8e7fffa9ea755c8efb; first seen: Oct 31, 2014).
- Vibrant Gujarat Summit 2015.doc (MD5: b44a0ebddabee48c1d18f1e24780084b; first seen: Jan 6).
- U.S.,_India_to_formulate_smart_city_action_plans_in_three_months.doc (MD5: b0ae36bcf725d53ed73126ed56e55951; first seen: Jan 28).
During late 2014 and early 2015, the attackers modified both the shellcode and the dropped malware family, continuously changing their tools and techniques. Some of the recent exploits in this campaign have been found to drop PlugX malware. The following images show how the shellcode was modified between the exploits observed on January 6 (at left) and January 28 (at right).
While researching this campaign, I was able to gain access to one interim control server, which appears to be the short-term registration server that a compromised host communicates with after decoding the first-stage URL. The directory structure of the control server is:
/cms:
This directory holds all the client data, stored as JSON (JavaScript Object Notation), from compromised machines connected to this server. The following image shows the directory structure and the information stored in each file:
Filename: h_HOST-NAME_TIMEVAR_t. All the machine information (IP, MAC, OS type, hostname, OS version, infection time stamp, etc.) was recorded on the remote server with this filename.
Next we see how the machine information looks on the control server, highlighting the infection time stamp from late last year:
Filename: r_off_PCNAME_TIME_TIME_t. This holds base64-encoded output of commands that were run on the compromised host.
Decoding this data reveals the command that was executed on the compromised host and also exposes the list of documents and files on the machine that could have been stolen.
Filename: c_HOSTNAME_TIME_t. This file holds an encoded WMI script or script variables in the following form:
which turns out to be a readable WMI script when decoded:
Filename: d_rdown_HOSTNAME_TIME_t. This file is uploaded from the compromised host to the control server.
Filename: rdown_HOSTNAME_TIME_t. This file is downloaded from the control server to the compromised machine. It could contain post-exploitation tools to run on the host.
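The naming scheme above makes a captured copy of the /cms directory easy to triage mechanically. The following script is an added example written for this post, not the attackers' or the author's own tooling: it classifies files by the five prefixes described above, parses the JSON host record, base64-decodes the command output, and pulls out document names that could have been exfiltrated. The filename prefixes follow the page; the JSON field names, the assumption that TIME segments are digit runs, the assumption that the c_ WMI script is base64-encoded, and the sample file contents are constructed for illustration.

```python
"""Triage a captured copy of the control server's /cms directory.

Added example (not from the original post). Filename prefixes follow the
page; field names, time format and sample contents are assumptions.
"""
import base64
import binascii
import json
import re

# Filename conventions described on the page, keyed by artifact type.
# TIME segments are assumed to be digit runs (e.g. a Unix timestamp).
PATTERNS = {
    "host_info":  re.compile(r"^h_(?P<host>.+)_(?P<time>\d+)_t$"),
    "cmd_output": re.compile(r"^r_off_(?P<host>.+)_(?P<time>\d+)_(?P<time2>\d+)_t$"),
    "wmi_script": re.compile(r"^c_(?P<host>.+)_(?P<time>\d+)_t$"),
    "upload":     re.compile(r"^d_rdown_(?P<host>.+)_(?P<time>\d+)_t$"),
    "download":   re.compile(r"^rdown_(?P<host>.+)_(?P<time>\d+)_t$"),
}

# Document types an analyst would want to list as possible exfil targets.
DOC_EXT = re.compile(r"\S+\.(?:docx?|xlsx?|pptx?|pdf)$", re.IGNORECASE)


def classify(name):
    """Return (kind, host, time) for a /cms filename, or None if it does
    not follow the naming scheme (flag those for manual review)."""
    for kind, pattern in PATTERNS.items():
        m = pattern.match(name)
        if m:
            return kind, m.group("host"), m.group("time")
    return None


def decode_base64(blob):
    """Strictly decode base64; return None rather than raising on junk,
    since a server copy may contain truncated or corrupted records."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def exfil_candidates(decoded):
    """Pick document names out of decoded command output (e.g. a 'dir')."""
    hits = []
    for line in decoded.splitlines():
        m = DOC_EXT.search(line.strip())
        if m:
            hits.append(m.group(0))
    return hits


def triage(files):
    """files: mapping of filename -> bytes. Returns one record per
    recognised artifact with its decoded or parsed payload."""
    records = []
    for name, data in sorted(files.items()):
        hit = classify(name)
        if hit is None:
            continue
        kind, host, time = hit
        rec = {"file": name, "kind": kind, "host": host, "time": time}
        if kind == "host_info":
            rec["info"] = json.loads(data.decode("utf-8"))
        elif kind in ("cmd_output", "wmi_script"):
            rec["decoded"] = decode_base64(data)
        else:
            # Binary payloads: record the magic bytes for a quick file-type hint.
            rec["magic"] = data[:2]
        records.append(rec)
    return records


# Constructed sample directory contents (hostnames, IPs and documents are
# fictitious); the keys in the JSON record are assumptions, not the server's.
SAMPLE_FILES = {
    "h_WORKSTATION-01_1415102400_t": json.dumps({
        "hostname": "WORKSTATION-01", "ip": "192.0.2.15",
        "mac": "00-1A-2B-3C-4D-5E", "os": "Windows 7", "infected": 1415102400,
    }).encode("utf-8"),
    "r_off_WORKSTATION-01_1415102460_1415102465_t": base64.b64encode(
        b"dir C:\\Users\\user\\Documents\r\n budget2015.xlsx\r\n tender.docx\r\n"),
    "c_WORKSTATION-01_1415102500_t": base64.b64encode(
        b'Set objWMI = GetObject("winmgmts:")'),
    "rdown_WORKSTATION-01_1415102600_t": b"MZ\x90\x00",
    "d_rdown_WORKSTATION-01_1415102700_t": b"PK\x03\x04",
    "README.txt": b"unrelated file, not part of the scheme",
}

if __name__ == "__main__":
    for rec in triage(SAMPLE_FILES):
        print(rec["kind"], rec["host"], rec["time"])
        if rec["kind"] == "cmd_output" and rec["decoded"]:
            print("  possible exfil:", exfil_candidates(rec["decoded"]))
```

Strict base64 decoding (validate=True) is deliberate: a partially written record should surface as None in the triage output rather than silently decode to garbage, and anything that does not match the five patterns is left for manual review instead of being guessed at.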
/tools:
The tools directory hosts several post-exploitation tools and malware samples to be downloaded from the control server and run on compromised machines. We found malicious DLLs, rootkits, encoded JavaScript malware, and cab files. One of the WMI scripts is an installer for other malware:
I have been able to track down the location of many of this campaign’s control servers, primarily in the United States and China. More than 60% of the servers were hosted in the United States and more than 20% were hosted in China.
Attackers are continuously on the lookout for social engineering opportunities. Luring targeted users into opening malicious documents that follow national events is one of the most effective and effortless ways of carrying out these espionage attacks. Users need to exercise extreme caution when opening documents from unknown sources and keep their software patched.
I would like to thank my fellow researcher Brad Arndt for assistance in researching and tracking this campaign.