In November last year, McAfee Labs researchers reported on Operation Mangal, an ongoing targeted attack campaign against several Indian domestic and overseas organizations. We have actively tracked the campaign since last year. In our previous analysis of this attack, we uncovered several exploits that were closely connected to India’s developmental agenda. These exploits lure victims into opening malicious documents that compromise their machines and steal confidential data. We found that this targeted campaign has been going on since 2010 with periodic variations in the malware families.
The recently appointed government and heightened activity on the domestic front have led to considerable interest from organizations and consumers. Since January this year, we have seen a steady flow of similar exploits as part of this campaign. These exploits continue to closely follow national events.
Following are some recent exploit filenames or themes:
- Indian Diplomacy At Work–UNSC Reforms.doc (MD5: faa97d7c792e3d8e7fffa9ea755c8efb; first seen: Oct 31, 2014).
- Vibrant Gujarat Summit 2015.doc (MD5: b44a0ebddabee48c1d18f1e24780084b; first seen: Jan 6).
- U.S.,_India_to_formulate_smart_city_action_plans_in_three_months.doc (MD5: b0ae36bcf725d53ed73126ed56e55951; first seen: Jan 28).
During late 2014 and early 2015, the attackers modified the shellcode and the dropped malware family, continuously changing their tools and techniques. Some of the recent exploits involved in this campaign drop PlugX malware. The following images show how the shellcode has been modified between exploits observed on January 6 (at left) and January 28 (at right).
While researching this campaign, we gained access to one interim control server, which appears to be the short-term registration server that the compromised host communicates with after decoding the first-stage URL. The directory structure of the control server is:
Filename: h_HOST-NAME_TIMEVAR_t. All the machine information (IP, MAC, OS type, hostname, OS version, infection time stamp, etc.) was recorded on the remote server with this filename.
Next we see how the machine information looks on the control server, highlighting the infection time stamp from late last year:
Filename: r_off_PCNAME_TIME_TIME_t. This holds base-64-encoded data for command-line outputs that ran on the compromised host.
Decoding this data reveals the command executed on the compromised host and also exposes the list of documents and files on the machine that could have been stolen.
Filename: c_HOSTNAME_TIME_t. This file holds an encoded WMI script or script variables in the following form:
which turns out to be a readable WMI script when decoded:
Filename: d_rdown_HOSTNAME_TIME_t. This file is uploaded from the compromised host to the control server.
Filename: rdown_HOSTNAME_TIME_t. This file is downloaded from the control server to the compromised machine. It could contain post-exploitation tools to run on the host.
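The five filename forms above give an incident responder enough structure to turn a seized or mirrored control-server directory into a per-host timeline. The following script is an added illustration, not McAfee's tooling or anything recovered from the campaign's servers. It assumes, since the post does not say, that the TIME fields are Unix epoch seconds, that hostnames contain no underscores, and that the r_off_ and c_ files hold bare base64 text; the directory listing and contents it runs on are constructed sample data, not real artifacts.

```python
"""Triage helper for the control-server file layout described in the post.

Added illustration only. Assumptions not stated in the post: TIME fields are Unix
epoch seconds, hostnames contain no underscores, and r_off_/c_ files hold bare
base64 text with no surrounding framing.
"""
import base64
import binascii
import re
from datetime import datetime, timezone

# One regex per filename form from the post, mapped to an artifact kind.
_FILE_FORMS = [
    ("host_info",  re.compile(r"^h_(?P<host>[^_]+)_(?P<time>\d+)_t$")),
    ("cmd_output", re.compile(r"^r_off_(?P<host>[^_]+)_(?P<time>\d+)_(?P<time2>\d+)_t$")),
    ("wmi_script", re.compile(r"^c_(?P<host>[^_]+)_(?P<time>\d+)_t$")),
    ("upload",     re.compile(r"^d_rdown_(?P<host>[^_]+)_(?P<time>\d+)_t$")),
    ("download",   re.compile(r"^rdown_(?P<host>[^_]+)_(?P<time>\d+)_t$")),
]
# Kinds whose contents the post describes as base64-encoded.
_B64_KINDS = {"cmd_output", "wmi_script"}


def classify(filename):
    """Return (kind, host, time) for a filename matching one of the forms, else None."""
    for kind, rx in _FILE_FORMS:
        m = rx.match(filename)
        if m:
            return kind, m.group("host"), int(m.group("time"))
    return None


def decode_b64(data):
    """Decode base64 bytes, tolerating stripped padding; None if not valid base64."""
    stripped = data.strip()
    padded = stripped + b"=" * (-len(stripped) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def triage(listing):
    """Build a timeline from {filename: content_bytes}.

    Returns (records sorted by the timestamp embedded in the filename, list of
    filenames that match none of the five forms). Base64 payloads of cmd_output
    and wmi_script files are decoded so an analyst can see what ran on the host.
    """
    records, unknown = [], []
    for name, content in listing.items():
        parsed = classify(name)
        if parsed is None:
            unknown.append(name)
            continue
        kind, host, ts = parsed
        rec = {
            "file": name,
            "kind": kind,
            "host": host,
            "time": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
            "size": len(content),
        }
        if kind in _B64_KINDS:
            rec["decoded"] = decode_b64(content)
        records.append((ts, rec))
    records.sort(key=lambda t: t[0])
    return [r for _, r in records], unknown


def summarize(records):
    """Per-host counts of each artifact kind, e.g. {'WS-01': {'host_info': 1, ...}}."""
    out = {}
    for r in records:
        per_host = out.setdefault(r["host"], {})
        per_host[r["kind"]] = per_host.get(r["kind"], 0) + 1
    return out


# Constructed sample listing (not real data): two hosts, timestamps in late 2014.
_CMD_OUT = (b"C:\\>dir C:\\Users\\user\\Documents\r\n"
            b" Directory of C:\\Users\\user\\Documents\r\n budget_2015.xlsx\r\n")
_WMI = b"Set objWMI = GetObject(\"winmgmts:\\\\.\\root\\cimv2\")\r\n"
SAMPLE_LISTING = {
    "h_WS-01_1415000000_t": b"ip=10.0.0.5;os=Windows 7",
    "r_off_WS-01_1415000100_1415000101_t": base64.b64encode(_CMD_OUT),
    "c_WS-01_1415000200_t": base64.b64encode(_WMI),
    "rdown_WS-01_1415000250_t": b"(tool bytes, constructed)",
    "d_rdown_WS-01_1415000300_t": b"\x00\x01(uploaded bytes, constructed)",
    "h_WS-02_1416000000_t": b"ip=10.0.0.9;os=Windows XP",
    "index.php": b"<?php ?>",  # unrelated file, should be reported as unknown
}

if __name__ == "__main__":
    recs, unk = triage(SAMPLE_LISTING)
    for r in recs:
        print(r["time"], r["host"], r["kind"], r.get("decoded", "")[:40].strip())
    print("unmatched:", unk)
    print(summarize(recs))
```

Running it on a real directory means replacing SAMPLE_LISTING with a mapping built from the files on disk; the unmatched list is worth reviewing by hand, since any name outside the five forms may be a server-side script rather than a per-host artifact.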
We have tracked down the location of many of this campaign’s control servers, primarily in the United States and China. More than 60% of the servers were hosted in the United States and more than 20% were hosted in China.
McAfee Advanced Threat Defense
McAfee Advanced Threat Defense provides coverage for all of these exploits as well as for the dropped files involved in this attack.
Attackers are continuously on the lookout for social engineering opportunities. Influencing targeted users to open malicious documents following national events is one of the most effective and effortless ways of performing these attacks. Users need to exercise extreme caution when opening documents from unknown sources, and use patched software.
I would like to thank my fellow researcher Brad Arndt for assistance in researching and tracking this campaign.