- Cisco Talos recently discovered a threat actor using political and government-themed malicious domains to target entities in India and Afghanistan.
- These attacks use dcRAT and QuasarRAT for Windows delivered via malicious documents exploiting CVE-2017-11882 — a memory corruption vulnerability in Microsoft Office — and AndroidRAT to target mobile devices.
- The actor also uses a custom file enumerator and infector in their initial reconnaissance phase of the attack.
- The actor appears to be a lone wolf using a front company to run a crimeware campaign, possibly to establish initial footholds into high-value targets for future operations or monetary gain.
Cisco Talos has observed a new campaign targeting Afghanistan and India utilizing malicious RTF documents to deliver a variety of commodity malware to victims. The campaign consists of two phases: A reconnaissance phase that involves a custom file enumerator and infector to the victims and an attack phase that deploys a variety of commodity RATs, such as DcRAT and QuasarRAT.
How did it work?
The threat actor registered multiple domains with political and government themes. These domains hosted malware payloads that were distributed to their victims. Their malicious lures also contained themes related to Afghan entities, specifically diplomatic and humanitarian efforts. We assess with high confidence that the threat actor behind these attacks is an individual operating under the guise of a Pakistani IT firm called “Bunse Technologies.”
The infection chains consist of malicious RTF documents and PowerShell scripts that distribute malware to victims. We’ve also observed the usage of C#-based downloader binaries to deploy malware while displaying decoy images to victims to appear legitimate.
This campaign is a classic example of an individual threat actor employing political, humanitarian and diplomatic themes in a campaign to deliver commodity malware to victims. Commodity RAT families are increasingly being used by both crimeware and APT groups to infect their targets. These RATs are packed with multiple functionalities to achieve complete control over the victim’s endpoint - from preliminary reconnaissance capabilities to arbitrary command execution and data exfiltration. These families also act as excellent launch pads for deploying additional malware against their victims. Furthermore, these out-of-the-box features enable the attackers to make minimal configuration changes to the RATs taking away the need for a full-fledged development cycle of custom malware by an actor.
The use of a custom file enumerator and infector module by the attackers indicates their intent to proliferate by infecting benign, trusted documents to achieve an even greater degree of infection.
A typical infection would consist of a malicious document, such as an RTF file exploiting CVE-2017-11882, a stack overflow vulnerability that enables arbitrary code execution on a vulnerable version of Microsoft Office.
The recon phase deployed a custom file enumerator and infector module. This module aimed to discover all the different Office files on an infected endpoint. The infector module is meant to weaponize all .doc, .docx and .rtf files present in removable drives connected to the system to exploit CVE-2017-11882.
The attack phase consists of deploying RAT payloads, such as DcRAT and QuasarRAT, to the victim’s endpoint instead of the file recon and infector modules seen previously. All the malware observed in the attack phase of the campaign consisted of commodity RATs compiled and deployed with minimal changes.
In the beginning of 2021, the actor used a particularly interesting infection chain. The malicious RTF would exploit CVE-2012-11882 — a code execution vulnerability in Office — to execute a malicious PowerShell command (called Stage 1 here) to extract and execute the next stage PowerShell script (Stage 2).
Stage 1 base64 decodes the next-stage payload via certutil.exe, drops it to disk and executes it.
Stage 2 payload base64-encoded as a fake certificate in the maldoc.
Stage 2 is another PowerShell script that base64 decodes another payload (this time a loader executable) and activates it on the infected endpoint.
Stage 2 PowerShell script snippet.
Stage 3 — Loader
The loader executable begins by establishing persistence for itself via a shortcut in the current user’s Startup directory.
It then compiles hardcoded C# code into an executable assembly and invokes the entry point for the compiled malicious code. This malicious source code is a custom file enumerator and infector, which we’ll cover later.
Stage 4 — Final payload
The final payload is C# code compiled and invoked into the Stage 3 compiler process. This code consists of two key functionalities:
- File Enumerator: This component lists specific file types on the endpoint and sends the file paths to the C2.
- File Infector Modules: The infector modules here aren’t the popular executable infectors seen usually in the wild. These modules are used for infecting benign Office documents with malicious OLE objects to weaponize them to exploit CVE-2017-11882.
Subsequent infection chains used by the actor around July and August 2021 saw the introduction of infection chains with minor variations, now deploying RATs — including dcRAT — as the final payloads.
Again, these infection chains use malicious RTF documents exploiting CVE-2017-11882 to execute a Stage 2 PS1 script. The Stage 2 script would then create a BAT file on disk which would, in turn, execute another PowerShell command to download and activate the final payload on the infected endpoint.
The BAT file subsequently downloads the final payload from the remote location specified and executes it on the endpoint.
So far, we’ve observed the delivery of three types of payloads from the remote locations discovered in this phase of the campaign: DcRAT, QuasarRAT and a legitimate copy of the remote desktop client AnyDesk.
Final malicious payloads
These attacks deliver either of the three types of payloads to a target endpoint with the first being a legitimate copy of AnyDesk. This indicates a focus on manual operations where the actor would have logged into the infected devices to discern if the access was of any value.
Custom file enumerator and infector
We’ve also observed the use of a custom stealer and infector component delivered in early infection phases of the campaign as either:
- Hardcoded source code, compiled on the fly and invoked into the loader.
- Compiled binaries embedded in malicious RTFs.
It consists of four key functionalities:
Get the version number from the C2 server and download a newer version if needed.
The file enumerator lists files with specific file extensions via cmd.exe for every Fixed drive on the system. This information is recorded into a file on disk and subsequently exfiltrated to the C2. The files extensions of interest are: .docx, .xlsx, .xls, .doc, .ppt, .pptx, .pdf, .xlt, .xla, .xll, .pps, .pot and .inp.
File enumeration via cmd.exe.
Traditional file infectors usually target executables such as EXEs to infect targets with malicious code. Other script-based worms, such as Jenxcus, would replace the target-benign documents on a removable drive with malicious shortcuts to ensure the execution of their malicious hidden scripts.
This particular infector seen in these attacks, however, goes after Office documents, specifically .doc, .docx and .rtf files. The infector checks for the presence of removable, CD-ROM or Network drives attached to the endpoint to find either of the file extensions. Any files found are weaponized using an embedded RTF file to exploit CVE-2017-11882. The documents are basically reconstructed as a malicious RTF to consist of:
- A weaponized RTF exploiting CVE-2017-11882 to execute the Stage 1 PowerShell script.
- The benign copy of the target document (converted to RTF format).
- The malicious PS1 script (Stage 1) embedded in the final RTF’s overlay after a specified marker.
DOCX infector code.
This is an interesting method of proliferation to ensure the spread of the infection within restricted networks. Infecting benign documents in an enterprise carries two advantages:
- Infecting existing files, especially documents, takes away the need to social engineer more victims into executing external infection vectors such as suspicious attachments or clicking on untrusted links to infect themselves.
- Infected files also carry with them the inherent trust of the original authors of the benign content, thus increasing the likelihood of victims infecting themselves.
Browser credential stealer
The stealer tried to gather the login data for the following browsers:
Brave, Google Chrome, Opera, Opera GX, Microsoft Edge, YandexBrowser and Mozilla Firefox.
DcRAT is a relatively new commodity RAT family observed in the wild in 2019. In the current campaigns, we’ve discovered multiple DcRAT payloads hosted on attacker-controlled websites. These payloads were then delivered to their victims during the infection phase of the campaign.
The DcRAT payloads have minimal changes to their configuration, with only the C2 server configuration modified.
DcRAT contains a variety of functionalities including remote shells, process management, file management and keylogging.
DcRAT features are listed by the malware author.
Another highly prolific RAT family used by the threat actor is QuasarRAT. Quasar provides a plethora of functionalities, including the standard features such as remote shell, file management, arbitrary command execution and credential stealing.
We’ve also discovered versions of AndroRAT, another commodity Android RAT utilized by the attackers sharing the same C2 servers.
The author’s AndroSpy description.
Observations and analysis
Domains and themes
The domains registered by the actor include several different themes. One of the domains called jayshreeram[.]cf was a reference to a religious Hindu slogan. This domain was then used to host DdcRAT.
In other instances, the attackers registered and employed domains posing as those of Afghan entities such as af-gov[.]ml and afghancdn[.]world.
Some of the decoy images downloaded and displayed also use Afghan themes, such as one posing as the White House’s official press release on the June 2021 visit from Afghanistan’s vice president and the chairman of the HCNR, the Afghan council established to negotiate with the Taliban.
A decoy image bearing an Afghan theme.
The attacker also used an image hosted on a Pakistani news channel — samaa[.]tv — as a decoy depicting. The decoy image depicted the Wesh-Chaman border crossing between Pakistan and Afghanistan.
Interestingly, this news channel’s website has previously been reported to have been breached and defaced twice in 2014 by allegedly Pakistani hackers.
The picture above is also used as an icon for multiple RAT downloaders contacting jayshreeram[.]cf to download malicious payloads.
In early 2021, this actor used a list of Afghan refugee high schools in Quetta, Pakistan to serve the malicious file enumerator and infector implant to targets.
One of the lures used in the campaign contains a list of high schools in a Pakistani town.
We assess with moderate confidence that an actor operating under the moniker “A.R. Bunse” facilitated or actively carried out this malicious campaign. The actor appears to be masquerading as the owner of a fake Pakistan-based IT firm, Bunse Technologies, a company the adversary uses to issue SSL certificates to their his malicious websites.
A Bunse Technologies-issued SSL certificate for one of the actor-controlled domains, afghancdn[.]world.
What is Bunse Technologies?
Bunse Technologies (BunseTech) is a software development and marketing agency based out of Lahore, Pakistan. Their domain bunsetechnologies[.]com was first registered in April 2020.
This organization has a social media presence on Facebook and Twitter.
Bunse Technologies on Twitter.
BunseTech on Facebook.
This company appears to be a spurious entity set up to facilitate the actor’s malicious activities. Its website, bunsetechnologies[.]com, does not resolve currently. It has a small social media presence, with only one follower on Twitter and less than 60 followers on Facebook.
The owner and operator
The Facebook page for BunseTech claims the CEO of the company is an individual named “A.R. Bunse,” an experienced cybersecurity analyst and project manager. We shall refer to this individual as “A.R.”
A.R. also has a presence on social media, specifically Twitter, where they post pro-Pakistani content. This content dates back to 2016 with nationalist themes throughout the actor’s timeline, from pro-Taliban content to anti-Indian sentiments.
A.R. on Twitter.
A.R. is active with other projects, as well. Starting in August 2021, they offered training classes online for individuals interested in different topics that consisted of (among others): marketing, social media, web and video game development, along with malware development and hacktivist courses.
The GitHub Repositories
We discovered a GitHub account hosting a couple of suspicious repositories. This account was again owned and maintained by the individual “A.R.”
Github account of the campaign author A.R.
What’s interesting here is that the individual maintained two specific repositories of interest:
- DcRat: A repo containing the source code of the leaked commodity RAT.
- drive-cdn: Drive-cdn is a repo that contains a single malicious ZIP file called “File.zip.”
GitHub repo containing the malicious archive.
This ZIP file contains an obfuscated copy of DcRAT connecting to afghancdn[.]world to download and display an Afghanistan-related decoy image to the infected victim.
RAT embedded (on June 26, 20212021-06-26) in the ZIP archive hosted on A.R.’s GitHub.
Based on these findings, we believe with moderate confidence that the A.R. actor helped facilitate or actively spread the maldocscarried out the maldoc campaigns.
- The decoy image is a press release dated June, 20 2021, the same date as the White House’s official statement.
- The press release is a statement on the Afghan dignitaries' visit to the White Hhouse on June 25, 2021.
- The GitHub repo “drive-cdn” and the DcRAT sample(s) were built on June 26, 2021, one day after the diplomatic meetings were held.
- The malicious domain afghancdn[.]world was registered on June 15, 2021, likely in preparation for this particular attack on Afghan entities.
These findings indicate that this is an actor operating malware campaigns under the guise of a software development firm. These attacks aim to deploy a variety of commodity RATs against their victims. Based on the lures and decoys, these victims are almost certainly Indian and Afghan government and diplomatic entities.
Downloaders and loaders
Talos has also discovered the use of multiple C#-based downloaders to proliferate the RAT families. The typical execution chain involved downloading and displaying a decoy image while activating the malicious RAT on the victim’s system.
There were four major types of downloaders observed in this campaign, which we’ll outline below.
Downloaders using PowerShell
These downloaders are C#-based and usually obfuscated. They consist of an encrypted PowerShell command executed to download the next-stage payload executable.
Downloader containing the encrypted PowerShell command.
The decrypted PowerShell command performs some rudimentary anti-virtual machine checks, downloads and opens a decoy image and the actual payload to the endpoint:
Malicious PowerShell command executed by the downloader.
Simple C#-based downloaders
These downloaders are straightforward in their implementation (C#-based) where, again, they download and open a decoy image and the actual malware payload. The difference here, however, is that the malware payload downloaded is double base64-encoded.
We’ve observed these downloaders deploying obfuscated copies of QuasarRAT to endpoints.
C#-based downloader downloading a double base64-encoded malware payload.
The source code compilers
During the reconnaissance phase, the attackers used loaders consisting of hardcoded source code that was compiled on the fly and invoked by the loader process. The hardcoded source code was that of the custom file enumerator and infectors.
The attackers utilized similar downloaders during their attack phase. These downloaders would, however, download the malicious source code from a remote location, compile it and execute in the downloader process’ memory.
Source code downloaded and compiled on the fly.
The malicious source code is meant to base64 decode an embedded executable, drop it to disk, establish persistence for it and, finally, run it on the infected endpoint.
The binaries seen embedded in the source code were obfuscated copies of QuasarRAT.
Malicious source code downloaded from a remote location.
In some cases, we also observed the use of obfuscated loaders containing embedded RAT executables such as DcRAT. The loader would simply perform anti-analysis checks and drop the RAT to disk, set up persistence and execute it.
In other cases, the actors used C-based loaders to load and invoke the compiled C# file enumerator module in memory.
File enumerator and infector strings in loader process’ memory.
This threat actor, A.R., uses a front company to procure infrastructure for operationalizing their crimeware campaign. This campaign uses a variety of political and government-related themes in their icons and decoys. The infection chains utilized by the actor are simple and consist of delivering commodity RATs such as dcRAT, Quasar and AndroRAT to their victims. Their use of custom downloaders for delivery, file enumerators for reconnaissance, and infectors to weaponize benign documents indicates attempts at aggressive proliferation. These tools also indicate that the threat actor is actively pursuing creating bespoke tools to shift away from commodity malware.
Commodity malware is extremely popular with malware operators these days. It allows the attackers to focus on operational aspects of their campaigns without having to put in effort into development of novel malware families. Coupled with small customized file infectors, generating straightforward infection chains enables an attacker to automate their proliferation efforts. Organizations should remain vigilant against such threats that are highly motivated to proliferate using automated mechanisms.
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Snort SIDs detecting this threat are: 58356-58361.
Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click below:
The hash list is available here.
The network IOCs list is available here.