On May 18, 2016, FireEye Labs observed a suspected
Pakistan-based APT group sending spear phishing emails to Indian
government officials. This threat actor has been active for several
years and conducting suspected intelligence collection operations
against South Asian political and military targets.
This group frequently uses a toolset that consists of a downloader
and modular framework that uses plugins to enhance functionality,
ranging from keystroke logging to targeting USB devices. We initially
reported on this threat group and their UPDATESEE malware in our
FireEye Intelligence Center in February 2016. Proofpoint also
discussed the threat actors, whom they call Transparent
Tribe, in a March blog post.
In this latest incident, the group registered a fake news domain,
timesofindiaa[.]in, on May 18, 2016, and then used it to send spear
phishing emails to Indian government officials on the same day. The
emails referenced the Indian Government’s 7th
Central Pay Commission (CPC). These Commissions periodically
review the pay structure for Indian government and military personnel,
a topic that would be of interest to government employees.
Malware Delivery Method
In all emails sent to these government officials, the actor
used the same attachment: a malicious Microsoft Word document that
exploited the CVE-2012-0158
vulnerability to drop a malicious payload.
In previous incidents involving this threat actor, we observed them
using malicious documents hosted on websites about the Indian Army,
instead of sending these documents directly as an email attachment.
The email (Figure 1) pretends to be from an employee working at
Times of India (TOI) and requests the recipient to open the attachment
associated with the 7th Pay Commission. Only one of the recipient
email addresses was publicly listed on a website, suggesting that the
actor harvested the other non-public addressees through other means.
Figure 1: Contents of the Email
A review of the email header data from the spear phishing messages
showed that the threat actors sent the emails using the same
infrastructure they have used in the past.
Despite being an older vulnerability, many threat actors
continue to leverage CVE-2012-0158
to exploit Microsoft Word. This exploit file made use of the same
shellcode that we have observed this actor use across a number of
spear phishing incidents.
Figure 2: Exploit Shellcode used to Locate and Decode Payload
The shellcode (Figure 2) searches for and decodes the executable
payload contained in memory between the beginning and ending file
markers 0xBABABABA and 0xBBBBBBBB, respectively. After decoding is
complete, the shellcode proceeds to save the executable payload into
%temp%\svchost.exe and calls WinExec to execute the payload. After the
payload is launched, the shellcode runs the following commands to
prevent Microsoft Word from showing a recovery dialog:
Lastly, the shellcode overwrites the malicious file with a decoy
document related to the Indian defense forces’ pay scale / matrix
(Figure 3), displays it to the user and terminates the exploited
instance of Microsoft Word.
Figure 3: Decoy Document related to 7th Pay Commission
The decoy document’s metadata (Figure 4) suggests that it was
created fairly recently by the user “Bhopal”.
Figure 4: Metadata of the Document
The payload is a backdoor that we call the Breach Remote
Administration Tool (BreachRAT) written in C++. We had not previously
observed this payload used by these threat actors. The malware name is
derived from the hardcoded PDB path found in the RAT: C:\Work\Breach
Remote Administration Tool\Release\Client.pdb. This RAT communicates
with 188.8.131.52, a command and control (C2) IP address that this
group has used previously with other malware, including DarkComet and NJRAT.
The following is a brief summary of the activities performed by the
1. Decrypts resource 1337 using a hard-coded 14-byte key
"MjEh92jHaZZOl3". The encryption/decryption routine (refer
to Figure 5) can be summarized as follows:
Figure 5: Encryption/ Decryption Function
- Generate an array of integers from 0x00 to 0xff
- Scrambles the state of the table using the given key
- Encrypts or decrypts a string using the scrambled table from
- A python script, which can be used for decrypting this
resource, is provided in the appendix below.
2. The decrypted resource contains the C2 server’s IP address as
well as the mutex name.
3. If the mutex does not exist and a Windows Startup Registry key
with name “System Update” does not exist, the malware performs its
initialization routine by:
- Copying itself to the path %PROGRAMDATA%\svchost.exe
- Sets the Windows Startup Registry key with the name “System
Update” which points to the above dropped payload.
4. The malware proceeds to connect to the C2 server at 184.108.40.206
at regular intervals through the use of TCP over port 10500. Once a
successful connection is made, the malware tries to fetch a response
from the server through its custom protocol.
5. Once data is received, the malware skips over the received bytes
until the start byte 0x99 is found in the server response. The start
byte is followed by a DWORD representing the size of the following
6. The data string is encrypted with the above-mentioned encryption
scheme with the hard-coded key “AjN28AcMaNX”.
7. The data string can contain various commands sent by the C2
server. These commands and their string arguments are expected to be
in Unicode. The following commands are accepted by the malware:
As with previous spear-phishing attacks seen conducted by this
group, topics related to Indian Government and Military Affairs are
still being used as the lure theme in these attacks and we observed
that this group is still actively expanding their toolkit. It comes as
no surprise that cyber attacks against the Indian government continue,
given the historically tense relations in the region.
Encryption / Decryption algorithm translated into Python
This is a Security Bloggers Network syndicated blog post authored by Nick Harbour. Read the original post at: Threat Research Blog