Targeted Attack on Government Agencies
The Trellix Email Security Research Team has discovered a malicious campaign targeting government agencies of Afghanistan, India, Italy, Poland, and the United States since 2021. The attack starts with a spear phishing email with a geo-political theme. The spear phishing emails were themed around India Afghanistan relationship. Attacker used politics as a lure to trick users into clicking on a malicious link. The email used for this phishing attack contains an attachment or a weaponized URL that delivers an Excel sheet. Upon opening the Excel sheet, Excel executes an embedded malicious macro which then decrypts and installs a Remote Access Trojan (AysncRAT & LimeRAT) and maintains persistence. Once the Remote Access Trojan is installed on the victim machine, it establishes communication with a Command-and-Control server used to exfiltrate victim data. The Remote Access Trojan is capable of taking screenshots, capturing keystrokes, recording credentials/confidential information, and adding infected systems to botnets. It can also perform network discovery and move laterally to other systems in the affected organization. The email used in this attack originated from the South Asia region which suggests the involvement of a South Asian threat actor. Trellix Email Security has detection coverage for this malicious campaign.
The Trellix Email Security product can follow the entire attack chain and analyze the final payload. In this scenario, it followed the chain: EMAIL -> URL -> ZIP -> XLS -> Macro. Finally, our threat database was able to detect the malicious macro performing decryption, creating an executable object, performing process injection, and utilizing other malicious techniques. Trellix Email Security has detection for the malicious Excel sheet with name - FE_APT_Dropper_Macro_DoubleHide_1.
As seen in Figure 2, the attack was active for over a year. The attacker sent emails for a short interval and then went back into hiding. This was followed by subsequent similar waves. The first wave of attack was noticed during March-April 2021, followed by another in July 2021, then again in December 2021, and most recently during end of March 2022.
The attackers used the free mail service Gmail to send the spear phishing emails. Based on email header analysis, it was evident that the emails originated from Google servers and were sent from the South Asia region. The time zone of the email sender (+0500 UTC) further suggests the involvement of South Asian threat actors.
The spear phishing email was themed around geopolitical news related to India like "Indian Nationals ( who were hidden in Kabul ) Killing in Kabul Tonight" and “Indian workers missing from the dam project.” More recently, the email used a COVID theme with the subject - "31 Covid Deaths In 24 Hours: Information campaign by NDTV". The email had a Google drive link serving a malicious ZIP file. In some cases, the malicious ZIP was sent as an email attachment. The ZIP contains an Office document which is used to drop a RAT (Remote Access Trojan).
The document file (DOC/XLS) acts as a dropper, which drops and executes a file named "msword.exe". The Excel sheet contains a VBA macro which is enabled when the document file is opened. The malicious executable code is stored in the document file itself (within a form text field) in the base64 encoded format. The VBA macro reads the base64 content, decodes it, and then decrypts the decoded content with a hardcoded XOR key. Multiple levels of base64 decoding and XOR decryption are used to obfuscate the malicious executable file.
XOR Key :
“msword.exe” is an SFX archive executable, which contains multiple malicious executable files as shown in Figure 10.
|File name||File info|
|3_5||LimeRAT [Runtime: .Net Framework 2.0]|
|4||AsyncRAT [Runtime: .Net Framework 4]|
|4_5||AsyncRAT [Runtime: .Net Framework 4.5]|
|4_5_1||AsyncRAT [Runtime: .Net Framework 4.5.1]|
|4_5_2||AsyncRAT [Runtime: .Net Framework 4.5.2]|
|4_6||AsyncRAT [Runtime: .Net Framework 4.6]|
|4_6_1||AsyncRAT [Runtime: .Net Framework 4.6.1]|
|4_7||AsyncRAT [Runtime: .Net Framework 4.7|
|4_7_2||AsyncRAT [Runtime: .Net Framework 4.7.2]|
|igfx.exe||Delphi compiled file installs RAT file according to available .Net version|
Upon execution, "msword.exe" drops the RAT files shown in the table above. These RAT executables are obfuscated using “Crypto Obfuscator For .Net”. “msword.exe” then starts the process “igfx.exe” which performs the following actions:
- Checks the .NET version in the registry; based on the installed version, renames the compatible RAT file to “excel.exe”
- Checks the registry keys to determine the .NET version in the order listed below. If found, a version of the runtime file (AsyncRAT) is picked corresponding to the .NET version. If none of the registry keys are found, the file “3_5” (LimeRAT) is used.
- HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4
- HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.5
- HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.5.1
- HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.5.2
- HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.6
- HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.6.1
- HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.7
- HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.7.2
- Sets the file attributes of “excel.exe” to hidden and read-only.
- Adds a “Run” registry entry for persistence.
- Deletes the unused RAT executable files.
- Starts the “excel.exe” process.
Async rat settings configuration
- Ports = "6606”
- Hosts = "22.214.171.124"
- Version = "2.5.7b"
- Install = "false"
- InstallFolder = "AppData"
- InstallFile = "msexcl.exe"
- Key = "MZ-RX
- MTX = "%MTX%";
- Certificate = "%Certificate%"
- Serversignature = "%Serversignature%"
- X509Certificate2 ServerCertificate;
- Anti = "false";
- Aes256 aes256 = new Aes256(Key);
- Pastebin = "null";
- BDOS = "false";
- Delay = "24";
- Group = "Debug";
Async rat commands
- Server Commands
|pong||Get interval from client|
|plugin||Run/Load plugin file|
|saveplugin||Save and Run plugin file|
- Client Commands:
|clientinfo||Send system info to server|
|sendplugin||Get plugin from server|
Lime rat settings configuration
- Pastebin = "https://pastebin.com/raw/DDTVwwbu"
- HOST = "126.96.36.199"
- PORT = "8989"
- EncryptionKey = "MZRX"
- ENDOF = "|'N'|"
- SPL = "|'L'|"
- EXE = "CLIENT.exe"
- USB = "false"
- PIN = "false"
- ANTI = "false"
- DROP = "false"
- PATH1 = "Temp"
- PATH2 = "\Lime\"
- fullpath = Environ(PATH1) & PATH2 & EXE
- BTC_ADDR = "THIS IS YOUR BTC 1234567890" 'Bitcoin address
- DWN_CHK = "true"
- DWN_LINK = ""
- Delay = "3"
Lime rat commands
- Server Commands
|ICAP||Capture screen Thumbnail|
|CPL||Check if plugin is installed|
|IPL||Save plugin and then load it (server send plugin)|
|IPLM||Load plugin without saving it (server send plugin)|
- Client Commands
|INFO||Sends system info|
|IP||Ping to server|
|GPL||Get plugin from server|
These RATs can extend their capabilities using existing or user-defined plugins. At the time of analysis both AsyncRAT and LimeRAT were not getting responses from the C2 server “188.8.131.52”
Detections and Indicators
MITRE ATT&CK Techniques
|T1071||Application Layer Protocol||HTTP/DNS requests are used in the C&C traffic|
|T1036||Masquerading||The registered task/service pretends to be benign by name|
|T1056||Input Capture||Keylogging capabilities|
|T1113||Screen Capture||Can capture the screen of the victim|
|T1115||Clipboard Data||Collect data stored in the clipboard from users copying information within or between applications.|
|T1049||System Network Connections Discovery||Performs network discover for lateral movement into network|
|T1547||Boot or Logon Autostart Execution||Run entry is made when persisting via the registry|
|T1204||User Execution||Opening malicious xls to execute macro|
|T1041||Exfiltration Over C2 Channel||Send stolen data using CNC channel|
|T1137||Office Template Macros||Execute malicious code upon macro execution|
|9th Herat Security Dialogue (HSD- IX) & Chabahar port Update|
|Information & Guidance|
|Fwd: Combined MoFA Recruitment Approval|
|Guests List - Media Release (Personal & Confidential)|
|Indian workers missing from the dam project|
|Indian Nationals ( who were hidden in Kabul ) Killing in Kabul Tonight|
|11 Indian Nationals found dead in Kabul|
|Indian Nationals Killing in Kabul|
|31 Covid Deaths In 24 Hours: Information campaign by NDTV|
Dec 4, 2023
Trellix Extends Virtual Intrusion Prevention System with AWS Gateway Load Balancer
Nov 28, 2023
Board Support Remains Critical as Majority of CISOs Experience Repeat Cyber Attacks
Nov 27, 2023
Trellix Announces Cybersecurity Generative AI Innovations Powered by Amazon Bedrock
Nov 22, 2023
Trellix Hosts Zero Trust Strategy Virtual Forum
Nov 16, 2023
Trellix Detects Collaboration by Cybercriminals and Nation-States
The latest from our newsroom
By Brian B. Brown · October 16, 2023
Get a recap of key learnings from the Ransomware Detection and Response Virtual Summit and learn to protect your organization against ransomware attacks.
By Nico Devoti · October 9, 2023
Trellix SIA Business Development lead explains the evolution of Trellix Security Innovation Alliance (SIA) partner program, its unique benefits, and why this should be top of mind for customers.
Get the latest
We’re no strangers to cybersecurity. But we are a new company.
Stay up to date as we evolve.
Zero spam. Unsubscribe at any time.