Targeted Attack on Government Agencies
The Trellix Email Security Research Team has discovered a malicious campaign targeting government agencies of Afghanistan, India, Italy, Poland, and the United States since 2021. The attack starts with a spear phishing email with a geo-political theme. The spear phishing emails were themed around India Afghanistan relationship. Attacker used politics as a lure to trick users into clicking on a malicious link. The email used for this phishing attack contains an attachment or a weaponized URL that delivers an Excel sheet. Upon opening the Excel sheet, Excel executes an embedded malicious macro which then decrypts and installs a Remote Access Trojan (AysncRAT & LimeRAT) and maintains persistence. Once the Remote Access Trojan is installed on the victim machine, it establishes communication with a Command-and-Control server used to exfiltrate victim data. The Remote Access Trojan is capable of taking screenshots, capturing keystrokes, recording credentials/confidential information, and adding infected systems to botnets. It can also perform network discovery and move laterally to other systems in the affected organization. The email used in this attack originated from the South Asia region which suggests the involvement of a South Asian threat actor. Trellix Email Security has detection coverage for this malicious campaign.
The Trellix Email Security product can follow the entire attack chain and analyze the final payload. In this scenario, it followed the chain: EMAIL -> URL -> ZIP -> XLS -> Macro. Finally, our threat database was able to detect the malicious macro performing decryption, creating an executable object, performing process injection, and utilizing other malicious techniques. Trellix Email Security has detection for the malicious Excel sheet with name - FE_APT_Dropper_Macro_DoubleHide_1.
As seen in Figure 2, the attack was active for over a year. The attacker sent emails for a short interval and then went back into hiding. This was followed by subsequent similar waves. The first wave of attack was noticed during March-April 2021, followed by another in July 2021, then again in December 2021, and most recently during end of March 2022.
The attackers used the free mail service Gmail to send the spear phishing emails. Based on email header analysis, it was evident that the emails originated from Google servers and were sent from the South Asia region. The time zone of the email sender (+0500 UTC) further suggests the involvement of South Asian threat actors.
The spear phishing email was themed around geopolitical news related to India like "Indian Nationals ( who were hidden in Kabul ) Killing in Kabul Tonight" and “Indian workers missing from the dam project.” More recently, the email used a COVID theme with the subject - "31 Covid Deaths In 24 Hours: Information campaign by NDTV". The email had a Google drive link serving a malicious ZIP file. In some cases, the malicious ZIP was sent as an email attachment. The ZIP contains an Office document which is used to drop a RAT (Remote Access Trojan).
The document file (DOC/XLS) acts as a dropper, which drops and executes a file named "msword.exe". The Excel sheet contains a VBA macro which is enabled when the document file is opened. The malicious executable code is stored in the document file itself (within a form text field) in the base64 encoded format. The VBA macro reads the base64 content, decodes it, and then decrypts the decoded content with a hardcoded XOR key. Multiple levels of base64 decoding and XOR decryption are used to obfuscate the malicious executable file.
XOR Key :
“msword.exe” is an SFX archive executable, which contains multiple malicious executable files as shown in Figure 10.
|File name||File info|
|3_5||LimeRAT [Runtime: .Net Framework 2.0]|
|4||AsyncRAT [Runtime: .Net Framework 4]|
|4_5||AsyncRAT [Runtime: .Net Framework 4.5]|
|4_5_1||AsyncRAT [Runtime: .Net Framework 4.5.1]|
|4_5_2||AsyncRAT [Runtime: .Net Framework 4.5.2]|
|4_6||AsyncRAT [Runtime: .Net Framework 4.6]|
|4_6_1||AsyncRAT [Runtime: .Net Framework 4.6.1]|
|4_7||AsyncRAT [Runtime: .Net Framework 4.7|
|4_7_2||AsyncRAT [Runtime: .Net Framework 4.7.2]|
|igfx.exe||Delphi compiled file installs RAT file according to available .Net version|
Upon execution, "msword.exe" drops the RAT files shown in the table above. These RAT executables are obfuscated using “Crypto Obfuscator For .Net”. “msword.exe” then starts the process “igfx.exe” which performs the following actions:
- Checks the .NET version in the registry; based on the installed version, renames the compatible RAT file to “excel.exe”
- Checks the registry keys to determine the .NET version in the order listed below. If found, a version of the runtime file (AsyncRAT) is picked corresponding to the .NET version. If none of the registry keys are found, the file “3_5” (LimeRAT) is used.
- HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4
- HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.5
- HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.5.1
- HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.5.2
- HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.6
- HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.6.1
- HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.7
- HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.7.2
- Sets the file attributes of “excel.exe” to hidden and read-only.
- Adds a “Run” registry entry for persistence.
- Deletes the unused RAT executable files.
- Starts the “excel.exe” process.
Async rat settings configuration
- Ports = "6606”
- Hosts = "188.8.131.52"
- Version = "2.5.7b"
- Install = "false"
- InstallFolder = "AppData"
- InstallFile = "msexcl.exe"
- Key = "MZ-RX
- MTX = "%MTX%";
- Certificate = "%Certificate%"
- Serversignature = "%Serversignature%"
- X509Certificate2 ServerCertificate;
- Anti = "false";
- Aes256 aes256 = new Aes256(Key);
- Pastebin = "null";
- BDOS = "false";
- Delay = "24";
- Group = "Debug";
Async rat commands
- Server Commands
|pong||Get interval from client|
|plugin||Run/Load plugin file|
|saveplugin||Save and Run plugin file|
- Client Commands:
|clientinfo||Send system info to server|
|sendplugin||Get plugin from server|
Lime rat settings configuration
- Pastebin = "https://pastebin.com/raw/DDTVwwbu"
- HOST = "184.108.40.206"
- PORT = "8989"
- EncryptionKey = "MZRX"
- ENDOF = "|'N'|"
- SPL = "|'L'|"
- EXE = "CLIENT.exe"
- USB = "false"
- PIN = "false"
- ANTI = "false"
- DROP = "false"
- PATH1 = "Temp"
- PATH2 = "\Lime\"
- fullpath = Environ(PATH1) & PATH2 & EXE
- BTC_ADDR = "THIS IS YOUR BTC 1234567890" 'Bitcoin address
- DWN_CHK = "true"
- DWN_LINK = ""
- Delay = "3"
Lime rat commands
- Server Commands
|ICAP||Capture screen Thumbnail|
|CPL||Check if plugin is installed|
|IPL||Save plugin and then load it (server send plugin)|
|IPLM||Load plugin without saving it (server send plugin)|
- Client Commands
|INFO||Sends system info|
|IP||Ping to server|
|GPL||Get plugin from server|
These RATs can extend their capabilities using existing or user-defined plugins. At the time of analysis both AsyncRAT and LimeRAT were not getting responses from the C2 server “220.127.116.11”
Detections and Indicators
MITRE ATT&CK Techniques
|T1071||Application Layer Protocol||HTTP/DNS requests are used in the C&C traffic|
|T1036||Masquerading||The registered task/service pretends to be benign by name|
|T1056||Input Capture||Keylogging capabilities|
|T1113||Screen Capture||Can capture the screen of the victim|
|T1115||Clipboard Data||Collect data stored in the clipboard from users copying information within or between applications.|
|T1049||System Network Connections Discovery||Performs network discover for lateral movement into network|
|T1547||Boot or Logon Autostart Execution||Run entry is made when persisting via the registry|
|T1204||User Execution||Opening malicious xls to execute macro|
|T1041||Exfiltration Over C2 Channel||Send stolen data using CNC channel|
|T1137||Office Template Macros||Execute malicious code upon macro execution|
|9th Herat Security Dialogue (HSD- IX) & Chabahar port Update|
|Information & Guidance|
|Fwd: Combined MoFA Recruitment Approval|
|Guests List - Media Release (Personal & Confidential)|
|Indian workers missing from the dam project|
|Indian Nationals ( who were hidden in Kabul ) Killing in Kabul Tonight|
|11 Indian Nationals found dead in Kabul|
|Indian Nationals Killing in Kabul|
|31 Covid Deaths In 24 Hours: Information campaign by NDTV|
Sep 28, 2022
Trellix Empowers Next Generation of Cybersecurity Talent at Xpand Live
Sep 28, 2022
Trellix Accelerates Channel Success Through Unified Partner Program and Expanded Security Innovation Alliance
Sep 28, 2022
Trellix Expands XDR Platform to Transform Security Operations
Sep 26, 2022
60% of Cybersecurity Professionals Feel They Are Losing Ground Against Cybercriminals
Sep 21, 2022
Trellix Launches Advanced Research Center, Finds Estimated 350K Open-Source Projects at Risk to Supply Chain Vulnerability
By Britt Norwood · August 30, 2022
Our team understands the critical role organizations like AWS play in efforts to drive premium threat detection no matter a customer’s security architecture. We continuously look for partners with a similar desire to grow and innovate to relieve pain points for SecOps teams.
This blog is the third and final of a multi-part series focused on vulnerability discovery in a widely used access control system and describes our research journey from target acquisition all the way through exploitation, beginning with the vendor and product selection and a deep dive into the hardware hacking techniques.
Get the latest
We’re no strangers to cybersecurity. But we are a new company.
Stay up to date as we evolve.