Off-the-shelf RATs Targeting Pakistan

August 1, 2018 | Jose Manuel Martin

Introduction

We’ve identified a number of spear phishing campaigns with Pakistani themed documents, likely targeting the region. These spear phishing emails use a mix of different openly available malware and document exploits for delivery. These are served from the compromised domains www.serrurier-secours[.]be and careers.fwo.com[.]pk (a part of the Pakistani army). There are some clear trends in the themes of the decoy documents the attackers chose to include with file names such as:

[Figure: "pakistan as a phishing target", listing the decoy document file names]

Summary

The first document we (and others) analysed contains a list with names of officers who are being promoted in the Pakistan Atomic Energy Commission:

This is probably a targeted attack, with a very small number of spam emails delivered to a select group of people. Although the document is dated December 2017, we’ve seen related malware dating back to June 2017. A number of these documents have been previously identified by users on Twitter.

We were surprised to find these documents drop a mix of low-quality RATs such as Pony and Netwire, which are normally associated with amateur attacks against banking credentials rather than something more targeted. As we’ve seen previously, the use of openly available malware makes attribution difficult.

Analysis

When opened, the document drops several files. Among them, an encapsulated PostScript, identified by 6f3beaca4f864a15ac5eb70391a5e9e3. The corrupted EPS tries to exploit CVE-2015-2545, which allows an attacker to execute arbitrary code allocated inside an EPS header.

In this case, the code they are trying to execute is the payload identified as c97a22cbc20c1f2237e649abee8c92fb. This is a DLL file containing a malicious remote access tool. Its capabilities include sandbox evasion, local privilege escalation and remote code execution in the infected machine.

The package also imports multiple system functions commonly found in Windows malware families, allowing:

  • Process and file creation/destruction.

  • System information extraction.

  • System snapshots.

  • Networking.

  • Privilege escalation.

The payload checks the system version to find out whether it is vulnerable to either remote code execution or local privilege escalation. The process flow we observed appears to exploit CVE-2016-7255. This exploit, which allows privilege escalation on a Windows machine, is triggered through a win32k.sys call to NtSetWindowLongPtr with the GWLP_ID index on a window handle whose GWL_STYLE attribute includes WS_CHILD. This vulnerability became very popular in November 2016, after the hacker group APT28 used it to perform targeted attacks. The flow of the main privilege escalation thread is described in the picture.

The program uses a call to cmd.exe /k whoami, to verify whether the RCE has worked. The final payload dropped is a sample containing the infamous Netwire RAT. We found similar purpose packages dropped by some of the other documents mentioned. The attack pattern and some other indicators, like domain names, look similar to the Revenge RAT campaign analyzed by RSA Link security researchers.

Detection

We detect the malware used in these attacks in a number of ways across the host and the network.

Agent Detections

The AlienVault Agent is a lightweight, adaptable endpoint agent based on osquery and maintained by AlienVault. In USM Anywhere, the AlienVault Agent enables continuous endpoint monitoring, using the built-in AlienVault threat intelligence to automate endpoint queries and threat detection alongside your other network and cloud security events. This allows USM Anywhere to deliver endpoint detection and response (EDR), file integrity monitoring (FIM), and rich endpoint telemetry capabilities that are essential for complete and effective threat detection, response, and compliance.

The AlienVault Agent detects the following malicious activity during the attacks:

  • Suspicious Process Created by Microsoft Office Application

  • Core Windows Executable launched from Wrong Path
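The two Agent detections above, together with the cmd.exe /k whoami check the payload runs after escalation, can be expressed as simple rules over process-creation telemetry. The script below is an added example written for this post, not the AlienVault Agent's own logic; the event records and the rule names other than the two listed above are constructed for illustration.

```python
from collections import namedtuple

# Constructed process-creation events, in the shape an endpoint agent might report.
# These are sample values for the example, not telemetry from the analysed campaign.
Event = namedtuple("Event", "parent image cmdline")

SAMPLE_EVENTS = [
    # Word spawning a shell that runs whoami, as the dropped payload does
    Event(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          r"C:\Windows\System32\cmd.exe", "cmd.exe /k whoami"),
    # a binary named like a core Windows executable running from a user profile
    Event(r"C:\Windows\explorer.exe",
          r"C:\Users\victim\AppData\Roaming\svchost.exe", "svchost.exe"),
    # benign: a user opening a document
    Event(r"C:\Windows\explorer.exe",
          r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE report.docx"),
    # benign: the real svchost.exe started by the service control manager
    Event(r"C:\Windows\System32\services.exe",
          r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters and shells an Office application has little legitimate reason to spawn
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Core Windows executables and the directories they are expected to run from
CORE_EXECUTABLES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                    "services.exe", "winlogon.exe", "explorer.exe"}
EXPECTED_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def classify(event):
    """Return the list of detection names that fire for one process-creation event."""
    alerts = []
    if basename(event.parent) in OFFICE_APPS and basename(event.image) in SUSPICIOUS_CHILDREN:
        alerts.append("Suspicious Process Created by Microsoft Office Application")
        if "whoami" in event.cmdline.lower():  # the post-exploitation check the payload makes
            alerts.append("Recon command (whoami) spawned by Office document")  # assumed rule name
    if basename(event.image) in CORE_EXECUTABLES and dirname(event.image) not in EXPECTED_DIRS:
        alerts.append("Core Windows Executable launched from Wrong Path")
    return alerts


def scan(events):
    """Map the index of every event that raised at least one alert to its alerts."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}
```

Parent/child image paths are matched case-insensitively on the basename and directory, so a lookalike svchost.exe in a user profile is flagged while the real one under System32 is not.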

Network Detection Rules

ETPRO TROJAN NetWireRAT Keep-Alive

ETPRO TROJAN NetWire Variant

ETPRO TROJAN Netwire RAT Check-in

ETPRO TROJAN Fareit/Pony Downloader CnC response

ETPRO TROJAN Fareit/Pony Variant CnC Beacon

ETPRO TROJAN MSIL/Revenge-RAT CnC Checkin

ET POLICY PE EXE or DLL Windows file download HTTP

ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)

USM Anywhere Correlation Rules

Detect this malware activity with the following correlation rules:

System Compromise - Malware Infection - Remote Access Trojan

System Compromise - Malware Infection - Downloader

System Compromise - Malware Infection - Dropper

System Compromise - Malware Infection - Trojan

Thanks to Chris Doman and Javvad Malik for collaboration.

Appendix

Related analysis by users on Twitter

https://twitter.com/securitydoggo/status/926144466674647041

https://twitter.com/avman1995/status/905694140788219904

https://twitter.com/ImPureMotion/status/906216798986670080

File-Hashes


URLs

http://careers.fwo.com[.]pk/css/microsoftdm.exe

http://careers.fwo.com[.]pk/css/printer.exe

http://sandipuniversity.edu[.]in/list/87_Copy.docx

http://www.serrurier-secours[.]be/.../China-Pakistan-Internet-Security-LAW_2017.doc

http://www.serrurier-secours[.]be/.../PAF%e2%80%99s%20first%20multinational%20air%20exercise%20ACES%20Meet%202017%20concludes%20in%20Pakistan.doc

https://www.serrurier-secours[.]be/.../Fazaia_Housing_Scheme_Notice_Inviting_Tenders.doc

https://www.serrurier-secours[.]be/.../Hajj%20Policy%20and%20Plan%202017.doc

https://www.serrurier-secours[.]be/.../Pakistan%20Air%20Force%20Jet%20Crashes%20During%20Routine%20Operation.doc

https://www.serrurier-secours[.]be/.../Sales%20-%20Tax%20&amp

Domains

0x0.ignorelist[.]com

Yara Rule

rule Pakistan_atomic_comission_dropped_dll
{
    meta:
        description = "Pakistani Atomic Energy Commission Spearphishing dropped DLL"
        author = "Jose M Martin"
        date = "2018/07/10"
        hash = "027e4c6c51e315f0e49f3644af08479303a747ed55ecba5aa0ae75c27cd6efeb"

    strings:
        $s1 = "ExploitTagMenuState start" fullword ascii
        $s2 = "ExploitTagMenuState end" fullword ascii
        $s3 = "DonorThread start" fullword ascii
        $s4 = "EscalateThread start" fullword ascii
        $s5 = "EscalatePrivilegesOld start" fullword ascii
        $s6 = "EscalatePrivilegesWow" fullword ascii

    condition:
        uint16(0) == 0x5A4D and filesize < 30KB and (any of them)
}


About the Author: Jose Manuel Martin
Jose is a Security Researcher and a part of the AlienVault Labs team. His interest in development led Jose to work as an Application Security Engineer and Scrum Master in the past. Nowadays he enjoys watching old-fashioned movies, researching threat models, and finding new mechanisms to detect malware. Also, he is an enthusiast of information theory and physics.