In my previous blog posts I described attack campaigns targeting Indian government organizations, and Indian Embassies and Ministry of External affairs. In this blog post I describe a new attack campaign where cyber espionage group targeted the users of Mazagon Dock Shipbuilders Limited (also called as ship builder to the nation). Mazagon Dock Shipbuilders Limited (MDL) is a Public Sector Undertaking of Government of India (Ministry of Defence) and it specializes in manufacturing warships and submarines for the Indian Navy.
In order to infect the users associated with Mazagon Dock Shipbuilders Limited (MDL), the attackers distributed spear-phishing emails containing malicious excel file which when opened drops a malware capable of spying on infected systems. The email purported to have been sent from legitimate email ids. The attackers spoofed the email id associated with a Spain based equipment manufacturing company Hidrofersa which specializes in designing, manufacturing naval, industrial and mining machinery.
Overview of the Malicious Emails
On 26th January, 2017 Indian Navy displayed its state-of-the-art stealth guided missile destroyer INS Chennai and the indigenously-made Kalvari class Scorpene submarines at the Republic Day parade showcasing India’s military strength and achievements. INS Chennai and Kalvari class submarines were manufactured by Mazagon Dock Shipbuilders Limited (MDL).
On 25th January (day before the Republic day) attackers spoofed an email id associated with Hidrofersa a Spain based company which specializes in designing, manufacturing naval, industrial and mining machinery and the email was sent to the users of Mazagon Dock Shipbuilders Limited (MDL). The email attachment contained two malicious excel files (both excel files turned out to be same but used different names). The email was made to look like it was sent by a General service manager of Hidrofersa enquiring about the product delivery schedule.
Below screen shot shows the recipients associated with Mazagon Dock Shipbuilders Limited (MDL), this information was determined from the Email header.
Mazagon Dock Shipbuilders Limited (MDL) is listed as one of clients of Hidrofersa (mentioned in Hidrofersa website) and as per their website Hidrofersa has shipped equipments to Mazagon Dock Shipbuilders Limited (MDL) in the past as shown in the below screen shots. This is probably the reason attackers spoofed the email id of Hidrofersa as it is less likely to trigger any suspicion and there is high chance of recipients opening the attachment as it is coming from a trusted equipment manufacturer (Hidrofersa) . It looks like attackers carefully researched (or they already knew about) the trust relationship between these two companies.
From the email it looks like the goal of the attackers was to infect, take control of the systems of users associated with Mazagon Dock Shipbuilders Limited (MDL) and to steal sensitive information (like Product design documents, blueprints, manufacturing processes etc) related to warships and submarines.
Analysis of Malicious Excel File
When the recipient of the email opens the attached excel file it prompts the user to enable macro content and the excel also contains instruction on how to enable the macros.
Once the the macro content is enabled, it calls an auto execute function Workbook_Open() which in turn downloads the malware sample and executes on the system. The malicious macro code was reverse engineered to understand its capabilities. The macro code was heavily obfuscated (used obscure variable/function names to make analysis harder) as shown below.
The macro also contained lot of junk code, unnecessary comments and variable assignments as shown below. The attackers used this technique to delay, divert and confuse the manual analysis.
The macro then decodes a string which runs PowerShell script to download malware from a popular university site located in Indonesia as shown below. The attackers probably compromised the university website to host the malware. The technique of hosting malicious code in a university site (legitimate site) has advantages and it is unlikely to trigger any suspicion in security monitoring and also can bypass reputation based devices.
The PowerShell script (shown below) drops the downloaded executable in the %TEMP% directory as “doc6.exe“. It then adds a registry entry for the dropped executable and invokes eventvwr.exe, this is an interesting registry hijack technique which allows the doc6.exe to be executed by eventvwr.exe with high integrity level and also this technique silently bypasses the UAC (user account control). This technique of UAC bypass is mentioned in the blog “Fileless” UAC Bypass Using eventvwr.exe and Registry Hijacking
Normally when eventvwr.exe process (which is running as high integrity process) is invoked, it starts mmc.exe which opens eventvwr.msc causing the Event Viewer to be displayed. To start mmc.exe, eventvwr.exe searches this registry key “HKCU\Software\Classes\mscfile\shell\open\command” looking for mmc.exe before looking at HKCR\mscfile\shell\open\command.
In this case since this registry “HKCU\Software\Classes\mscfile\shell\open\command” was hijacked to contain the entry for “doc6.exe” , this will cause the eventvwr.exe process to invoke doc6.exe with high integrity level.
Below screen shot shows doc6.exe running from the %TEMP% directory
The dropped file (doc6.exe) was determined as KeyBase malware. This malware can steal and send sensitive information to the attackers like keystrokes, opened applications, web browsing history, usernames/passwords, upload Desktop screen shots etc. The feature of uploading the Desktop screen shot is notable because if the infected user opens a design or design document related to submarines or warships the screen shot of that can be sent to the attacker.
The attackers also hosted multiple samples of KeyBase malware in the compromised university website. Below screen shot shows hashes of 25 samples hosted on the university site.
Analysis of the Dropped Executable (doc6.exe)
The dropped file was analyzed in an isolated environment (without actually allowing it to connect to the c2 server). This section contains the behavioral analysis of the dropped executable
Once the dropped file (doc6.exe) is executed the malware copies itself into %AllUsersProfile% directory as “Important.exe”, In addition to that it also drops two files “Mails.txt” and “Browsers.txt” into the same directory as shown below.
The malware then creates a registry value for the the dropped file (Important.exe), this ensures that malware is executed every time the system restarts.
The malware after execution keeps track of the user activity (like applications opened, files opened etc) but does not immediately generate any network traffic, this is to make sure that no network activity is generated during automated/sandbox analysis. After sleeping for a long time malware makes an http connection to the C2 server (command & control server) and sends the tracked user activity to the attacker. The below screen shot shows the communication to the C2 server on port 80.
C2 Communication Pattern
Once malware makes an http connection after sleeping for a long time, it sends the system information and the tracked activity to the C2 server as http parameters. Below screen shot shows the network communication pattern where the hostname and the machine time is sent to C2 server.
Below screen shot shows a network communication pattern where the opened window title was sent to the C2 server, this pattern below indicates that “test.txt” file was opened with notepad on the infected system.
Below screen shot shows a network communication pattern indicating a document named “secret.docx” was opened with Microsoft Word.
Below screen shot shows a network communication pattern indicating Internet Explorer was launched on the infected system.
Every activity on the infected system is sent to the attacker, this allows the attacker to take further action and also since the open window title is sent to attacker, this lets the attacker know about the documents opened and the tools running on the system or if any analysis tools are used to inspect the malware.
C2 Domain Information
This section contains the details of the C2 domain (tripleshop[.]id). All the 25 samples hosted on compromised university site was analyzed and it was determined that all these samples also communicated to the C2 domain tripleshop[.]id
The C2 domain was associated with only one IP address . This IP address is associated with hosting provider in Indonesia as shown in the screen shots below
Below screen shot shows the timeline when the IP address was active. The IP was first seen to be active on 18th Jan, 2017 (one week before the spear-phishing mail was sent to the victims).
Even though attackers tried to make it look like the spear phishing email was sent by an email id associated with Hidrofersa but inspecting the email headers revealed some interesting information.
The X-AuthUser in the header below revealed the identity of the sender. The sender is associated with a company named “Combined Freight (PVT) Limited” (combinedfreight[.]com)
Combined Freight (PVT) Limited is freight forwarding company which is into ocean & air freight business headquartered in Karachi, Pakistan (as per their website). This company has 4 other offices in Pakistan (Lahore, Islamabad, Sialkot, Faisalabad). Below is the screen shot taken from their website.
Based on the information mentioned above, It looks like the spoofed email was sent by a user associated with a Pakistan based company Combined Freight (PVT) Limited.
Indicators Of Compromise
In this case the cyber espionage group targeted Mazagon Dock Shipbuilders Limited (MDL) but it is possible that other defense equipment manufacturers could also be targeted as part of this attack campaign. The indicators associated with this attack are provided so that the organizations (Government, Public, Private organizations, Defense and Defense equipment manufacturers) can use these indicators to detect, remediate and investigate this attack campaign. Below are the indicators
Dropped Malware Sample:
Samples hosted on the compromised University site:
Network Indicators Associated with C2:
C2 Communication Patterns:
Attackers in this case made every attempt to launch a clever attack campaign by spoofing legitimate email ids and using an email theme relevant to the targets. The following factors in this cyber attack suggests the possible involvement of Pakistan state sponsored cyber espionage group to steal the intellectual property such as design/blueprints and manufacturing data related to submarines and warships.
- Victims/targets chosen (Submarine & Warship manufacturer for Indian Navy)
- Use of Email theme related to the targets
- Timing of the spear phishing emails sent to the victims (The day before the Republic Day)
- Email header information indicating the possible Pakistan connection
- Use of malware that is capable of spying and uploading screen shots
- Use of TTP’s (tactics, techniques & procedures) similar to the previous campaign
The following factors reveal the attackers intention to remain stealthy and the attempt to evade sandbox analysis, manual analysis and security monitoring at both the desktop and network levels.
- Use of obfuscated malicious macro code
- Use of junk code (to divert the manual analysis)
- Use of compromised university site to host malicious code (to bypass security monitoring)
- Use of Silent UAC (user account control) bypass technique
- Use of Malware that sleeps for long time without generating any network activity (to evade sandbox analysis)
- Use of hosting provider to host C2 infrastructure
Cyber espionage groups will continue targeting defense sectors and defense equipment manufacturers for the following reasons:
- To steal defense related information and proprietary product information that can provide their sponsoring governments with military and economic advantages.
- To identify vulnerabilities in the defense technologies to gain advantage over adversary’s military capabilities
- To reduce their research and development costs and produce and sell similar products at lower prices