Attacks On Indian Organizations Continue – More Exploits Focused On Events

By Chintan Shah on Mar 11, 2015

In November last year, McAfee Labs researchers reported on Operation Mangal, an ongoing targeted attack campaign against several Indian domestic and overseas organizations. We have actively tracked the campaign since last year. In our previous analysis of this attack, we uncovered several exploits that were closely tied to India’s developmental agenda. These exploits lure victims into opening malicious documents that compromise their machines and steal confidential data. We found that this targeted campaign has been running since 2010, with periodic variations in the malware families.

The recently appointed government and heightened activity on the domestic front have led to considerable interest from organizations and consumers. Since January this year, we have seen a steady flow of similar exploits as part of this campaign. These exploits continue to closely follow national events.

Following are some recent exploit filenames or themes:

  • Indian Diplomacy At Work–UNSC Reforms.doc (MD5: faa97d7c792e3d8e7fffa9ea755c8efb; first seen: Oct 31, 2014).
  • Vibrant Gujarat Summit 2015.doc (MD5: b44a0ebddabee48c1d18f1e24780084b; first seen: Jan 6).
  • U.S.,_India_to_formulate_smart_city_action_plans_in_three_months.doc (MD5: b0ae36bcf725d53ed73126ed56e55951; first seen: Jan 28).

image_11

During late 2014 and early 2015, the attackers modified the shellcode and the dropped malware family, continuously changing their tools and techniques. Some of the recent exploits involved in this campaign drop PlugX malware. The following images show how the shellcode has been modified between exploits observed on January 6 (at left) and January 28 (at right).

image_12

While researching this campaign, we gained access to one interim control server, which appears to be the short-term registration server that the compromised host communicates with after decoding the first-stage URL. The directory structure of the control server is:

/cms: 

This directory holds all the client data, in JavaScript Object Notation (JSON), from compromised machines connected to this server. The following image shows the directory structure and the information stored in the file:

Filename: h_HOST-NAME_TIMEVAR_t. All the machine information (IP, MAC, OS type, hostname, OS version, infection time stamp, etc.) was recorded on the remote server with this filename.

image_13

Next we see how the machine information looks on the control server, highlighting the infection time stamp from late last year:

image1

image2

Filename: r_off_PCNAME_TIME_TIME_t. This holds Base64-encoded data for command-line outputs that ran on the compromised host.

image_14

Decoding this data reveals the command executed on the compromised host and also exposes the list of documents and files on the machine that could have been stolen.

image3

image4

Filename: c_HOSTNAME_TIME_t. This file holds an encoded WMI script or script variables in the following form:

image_15

which turns out to be a readable WMI script when decoded:

image16

Filename: d_rdown_HOSTNAME_TIME_t. This file is uploaded from the compromised host to the control server.

Filename: rdown_HOSTNAME_TIME_t. This file is downloaded from the control server to the compromised machine. It could contain post-exploitation tools to run on the host.
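The file-naming scheme above is what an incident responder works from when a mirror of such a /cms directory becomes available: the prefixes identify which hosts checked in, which ones had commands run on them, and which had files pulled or pushed. The following Python script is an added example, not code from the post or from McAfee. It classifies a directory listing by the h_, r_off_, c_, d_rdown_ and rdown_ prefixes, parses the JSON host records, decodes the Base64 command outputs, and pulls file names out of any Windows dir listing found in them to build a per-host victim inventory. The TIME fields are assumed to be digit strings, the JSON field names are assumed (the post does not show them), and the sample listing is constructed.

```python
"""Inventory a mirrored /cms directory by the filename scheme described above.

Added example, not code from the post. Assumed, not stated in the post:
TIME fields are digit strings, the JSON field names used in SAMPLE_LISTING,
and r_off_* payloads are plain Base64 without line wrapping.
"""
import base64
import json
import re
from dataclasses import dataclass, field

# Prefixes from the post. Patterns are anchored, so "d_rdown_" is never
# mistaken for "rdown_".
PATTERNS = {
    "host_info":  re.compile(r"^h_(?P<host>.+?)_(?P<time>\d+)_t$"),
    "cmd_output": re.compile(r"^r_off_(?P<host>.+?)_(?P<time>\d+)_(?P<end>\d+)_t$"),
    "wmi_script": re.compile(r"^c_(?P<host>.+?)_(?P<time>\d+)_t$"),
    "upload":     re.compile(r"^d_rdown_(?P<host>.+?)_(?P<time>\d+)_t$"),
    "download":   re.compile(r"^rdown_(?P<host>.+?)_(?P<time>\d+)_t$"),
}

# One line of Windows "dir" output: date, time, size or <DIR>, then the name.
DIR_LINE = re.compile(
    r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2} [AP]M\s+(?:[\d,]+|<DIR>)\s+(.+?)\r?$", re.M
)


@dataclass
class HostRecord:
    hostname: str
    info: dict = field(default_factory=dict)           # parsed h_* JSON
    commands: list = field(default_factory=list)       # decoded r_off_* outputs
    exposed_files: list = field(default_factory=list)  # names seen in dir listings
    wmi_scripts: int = 0
    uploads: int = 0       # d_rdown_*: files taken from the host
    downloads: int = 0     # rdown_*: tools staged for the host
    errors: list = field(default_factory=list)


def classify(filename):
    """Return (kind, hostname, time) for a /cms filename, or ('unknown', None, None)."""
    for kind, pattern in PATTERNS.items():
        m = pattern.match(filename)
        if m:
            return kind, m.group("host"), m.group("time")
    return "unknown", None, None


def triage(listing):
    """listing: {filename: bytes}. Returns ({hostname: HostRecord}, [unclassified])."""
    hosts, unclassified = {}, []
    for name, data in listing.items():
        kind, host, _ = classify(name)
        if kind == "unknown":
            unclassified.append(name)
            continue
        rec = hosts.setdefault(host, HostRecord(hostname=host))
        if kind == "host_info":
            try:
                rec.info = json.loads(data)
            except ValueError:
                rec.errors.append(f"{name}: not valid JSON")
        elif kind == "cmd_output":
            try:  # binascii.Error is a ValueError subclass
                text = base64.b64decode(data, validate=True).decode("utf-8", "replace")
            except ValueError:
                rec.errors.append(f"{name}: not valid Base64")
                continue
            rec.commands.append(text)
            rec.exposed_files.extend(DIR_LINE.findall(text))
        elif kind == "wmi_script":
            rec.wmi_scripts += 1
        elif kind == "upload":
            rec.uploads += 1
        elif kind == "download":
            rec.downloads += 1
    return hosts, unclassified


def report(listing):
    """Per-host rows suitable for a victim-notification list."""
    hosts, unclassified = triage(listing)
    rows = [{
        "hostname": r.hostname, "ip": r.info.get("ip"),
        "infected": r.info.get("infected"), "commands_run": len(r.commands),
        "files_exposed": len(r.exposed_files), "tools_downloaded": r.downloads,
        "files_exfiltrated": r.uploads, "wmi_scripts": r.wmi_scripts,
    } for r in sorted(hosts.values(), key=lambda r: r.hostname)]
    return rows, unclassified


# Constructed sample listing (not real server data); JSON keys are assumed.
SAMPLE_LISTING = {
    "h_WKSTN-07_1416902400_t": json.dumps({
        "ip": "10.20.30.40", "mac": "00-11-22-33-44-55", "os": "Windows 7",
        "hostname": "WKSTN-07", "version": "6.1.7601", "infected": "2014-11-25 09:00:00",
    }).encode(),
    "r_off_WKSTN-07_1416902400_1416906000_t": base64.b64encode(
        b"dir C:\\Users\\analyst\\Documents\r\n"
        b" Volume in drive C has no label.\r\n"
        b"11/20/2014  10:12 AM            48,128 budget_2015.xlsx\r\n"
        b"11/21/2014  02:33 PM           221,184 tender_draft.docx\r\n"
    ),
    "c_WKSTN-07_1416909600_t": b"<encoded WMI script placeholder>",
    "rdown_WKSTN-07_1416913200_t": b"<staged tool placeholder>",
    "d_rdown_WKSTN-07_1416916800_t": b"<uploaded file placeholder>",
    "README.txt": b"not part of the scheme",
}

if __name__ == "__main__":
    for row in report(SAMPLE_LISTING)[0]:
        print(row)
```

Unclassified names are returned rather than dropped, because anything outside the scheme on a server like this (a stray tool, an operator's note) is often the most useful lead; the errors list serves the same purpose for records that do not decode.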

/tools:

image_17


The tools directory hosts several post-exploitation tools and malware to be downloaded from the control server and run on compromised machines. We found malicious DLLs, rootkits, encoded JavaScript malware, and CAB files. One of the WMI scripts is an installer for other malware:

image_18

We have tracked down the location of many of this campaign’s control servers, primarily in the United States and China. More than 60% of the servers were hosted in the United States and more than 20% were hosted in China.

image_19


McAfee Advanced Threat Defense

McAfee Advanced Threat Defense provides coverage for all of these exploits as well as for the dropped files involved in this attack.

image_21


Attackers are continuously on the lookout for social engineering opportunities. Enticing targeted users to open malicious documents that follow national events is one of the most effective and effortless ways of performing these attacks. Users need to exercise extreme caution when opening documents from unknown sources, and should keep their software patched.

I would like to thank my fellow researcher Brad Arndt for assistance in researching and tracking this campaign.

About the Author

Chintan Shah

Chintan Shah is currently working as a Security Researcher with the McAfee Intrusion Prevention System team and holds broad experience in the network security industry. He primarily focuses on exploit and vulnerability research, building threat intelligence frameworks, reverse engineering techniques, and malware analysis. Chintan has researched and uncovered multiple targeted and espionage attacks in the past ...
