{
	"id": "a9fde68e-7181-4ce2-a03b-1c71432d0dcf",
	"created_at": "2026-04-06T00:11:35.622648Z",
	"updated_at": "2026-04-10T03:21:31.327914Z",
	"deleted_at": null,
	"sha1_hash": "09b408a653c1f8e59ec13070aeeeb0b654663a01",
	"title": "Cyber Attack Impersonating Identity of Indian Think Tank to Target Central Bureau of Investigation (CBI) and Possibly Indian Army Officials",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 208695,
	"plain_text": "Cyber Attack Impersonating Identity of Indian Think Tank to Target Central Bureau of Investigation (CBI) and Possibly Indian Army Officials\r\nBy Monnappa K A\r\nPublished: 2017-05-11 · Archived: 2026-04-05 23:42:03 UTC\r\nIn my previous blog posts I posted details of cyber attacks targeting the Indian Ministry of External Affairs and the Indian Navy’s warship and submarine manufacturer. This blog post describes another attack campaign in which the attackers impersonated the identity of the Indian think tank IDSA (Institute for Defence Studies and Analyses) and sent spear-phishing emails to officials of the Central Bureau of Investigation (CBI) and possibly to officials of the Indian Army.\r\nIDSA (Institute for Defence Studies and Analyses) is an Indian think tank for advanced research in international relations, especially strategic and security issues. It also trains civilian and military officers of the Government of India and conducts objective research and policy work relating to all aspects of defence and national security.\r\nThe Central Bureau of Investigation (CBI) is the domestic intelligence and security service of India and serves as India’s premier investigative and Interpol agency, operating under the jurisdiction of the Government of India.\r\nTo infect the victims, the attackers distributed spear-phishing emails carrying a malicious Excel file which, when opened, dropped malware capable of downloading additional components and spying on the infected system.\r\nTo distribute the malicious Excel file, the attackers registered a domain impersonating the identity of IDSA (Institute for Defence Studies and Analyses), one of the most influential Indian think tanks, and used an email id on that impersonating domain to send the spear-phishing emails to the victims.\r\nOverview of the Malicious Emails\r\nIn the first wave of the attack, the attackers sent spear-phishing emails containing a malicious Excel file (Case Detail of Suspected abuser.xls) to a unit of the Central Bureau of Investigation (CBI) on February 21st, 2017. The email was sent from an email id associated with the impersonating domain idsadesk[.]in. To lure the victims into opening the malicious attachment, an email subject relevant to the victims was chosen, and to avoid suspicion the email was made to look as if it had been sent by a person associated with IDSA asking for action on a pending case, as shown in the screenshot below.\r\nhttps://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials/\r\nPage 1 of 35\n\nIn the second wave of the attack, a spear-phishing email containing a different malicious Excel file (Contact List of attendees.xls) was sent to an email id on the same day, February 21st, 2017. The email was made to look as if a person associated with IDSA was asking the recipient to confirm the phone number of an attendee in the attendee list. When the victim opens the attached Excel file it drops the malware and displays a decoy Excel sheet containing a list of names, which appear to be the names of senior army officers. The identity of the recipient could not be fully verified, as this email id is nowhere to be found on the internet, but based on the format of the recipient email id and the list of attendees displayed to the victim in the decoy Excel file, the recipient could be associated with either the Indian Army or a Government entity. This suggests that the attackers had prior knowledge of the recipient email id through other means.\r\nIn both cases, when the victim opens the attached malicious Excel file, the same malware sample is dropped and executed on the victim’s system. 
From the emails (and the attachments) it looks like the goal of the attackers was to infect and take control of the systems and to spy on the victims.\r\nAnti-Analysis Techniques in the Malicious Excel File\r\nWhen the victim opens the attached Excel file it prompts the user to enable macro content, as shown in the screenshot below.\r\nTo prevent viewing of the macro code and to make manual analysis harder, the attackers password-protected the macro content, as shown below.\r\nEven though the macro is password protected, it is possible to extract the macro code using analysis tools such as oletools. In this case oletools was used to extract the macro content, but it turned out that oletools could extract only part of the macro: it failed to extract the malicious content stored inside a TextBox within the UserForm. The screenshot below shows the macro content extracted by oletools.\r\nThe extracted macro content was copied into a new Excel workbook and the environment was set up to debug the macro code. Debugging the macro failed because the code accesses the TextBox content within the UserForm (which oletools had failed to extract). Storing the malicious content inside a TextBox within the UserForm allowed the attackers to bypass analysis tools. The screenshot below shows the macro code accessing the content from the TextBox and the error triggered by the code because the TextBox content is absent.\r\nTo defeat this anti-analysis technique and extract the content stored in the TextBox within the UserForm, the password protection was bypassed, which made it possible to extract the content stored within the UserForm. 
The screenshot below shows the TextBox content stored within the UserForm.\r\nAt this point all the components required for analysis (the macro code and the UserForm content) had been extracted, and an environment similar to the original Excel file was created to debug the malicious macro. The screenshots below show the new Excel file containing the extracted macro code and the UserForm content.\r\nAnalysis of Malicious Excel File\r\nWhen the victim opens the Excel file and enables the macro content, the malicious macro code within the file is executed. The macro code first generates a random filename, as shown in the screenshot below.\r\nIt then reads the executable content stored in the TextBox within the UserForm and writes it to the randomly generated filename in the %AppData% directory. The executable is written in the .NET framework.\r\nThe content stored in the TextBox within the UserForm is executable content in decimal format. The screenshot below shows the data converted from decimal to text. In this case the attackers used the TextBox within the UserForm to store the malicious executable content.\r\nThe dropped file in the %AppData% directory is then executed, as shown in the screenshot below.\r\nOnce the dropped file is executed it copies itself into the %AppData%\\SQLite directory as SQLite.exe and executes that copy, as shown below.\r\nAs a result of executing SQLite.exe, the malware makes an HTTP connection to the C2 server (qhavcloud[.]com). 
The C2 communication shown below contains a hard-coded user-agent and a double slash (//) in the GET request; both can be used to create network-based signatures.\r\nReverse Engineering the Dropped File (SQLite.exe)\r\nThe dynamic/sandbox analysis did not reveal much about the functionality of the malware, so in order to understand its capabilities the sample had to be reverse engineered. The malware sample was reverse engineered in an isolated environment (without actually allowing it to connect to the C2 server). This section contains the reverse engineering details of this malware and its various features.\r\na) Malware Validates C2 Connection\r\nThe malware checks whether the executable is running as SQLite.exe from the %AppData%\\SQLite directory; if not, it copies itself as SQLite.exe to the %AppData%\\SQLite directory, as shown below.\r\nIt then launches the executable (SQLite.exe) with the command line arguments shown in the screenshots below.\r\nThe malware performs multiple checks to make sure that it is connecting to the correct C2 server before doing anything malicious. First it pings the C2 domain qhavcloud[.]com. The screenshots below show the ping to the C2 server.\r\nIf the ping succeeds, it determines whether the C2 server is alive by sending an HTTP request; it then reads the content returned by the C2 server and looks for the specific string “Connection!”. If it does not find the string “Connection!” it assumes that the C2 is not alive or that it is connecting to the wrong C2 server. This technique lets the attackers validate that the malware is connecting to the correct C2 server, and it also means the malware reveals no malicious behavior in dynamic/sandbox analysis until the correct response is given to it. 
The screenshots below show the code that performs the C2 connection and the validation.\r\nIf the ping does not succeed, or if the C2 response does not contain the string “Connection!”, the malware obtains the list of backup C2 servers to connect to by downloading a text file from a Google Drive link. Storing a text file containing the list of backup C2 servers on a legitimate site has advantages: it is highly unlikely to trigger any suspicion in security monitoring and it can also bypass reputation-based devices. The screenshots below show the code that downloads the text file and the text file (info.txt) saved on disk.\r\nAt the time of analysis, the text file downloaded from the Google Drive link was populated with two private IP addresses. It looks like the attackers deliberately populated the file with two private IP addresses to prevent researchers from determining the actual IP addresses/domain names of the backup C2 servers. The screenshot below shows the IP addresses in the text file.\r\nOnce the text file is downloaded, the malware reads each IP address from the text file and performs the same C2 validation check (ping, then check for the string “Connection!” in the C2 response). The screenshot below shows the HTTP connection made to those IP addresses.\r\nb) Malware Sends System Information\r\nBased on the analysis it was determined that the malware looks for the string “Connection!” in the C2 response, so the analysis environment was configured to respond with the string “Connection!” whenever the malware made a C2 connection. 
The screenshot below shows the C2 communication made by the malware and the expected response.\r\nOnce the malware has validated the C2 connection, it creates an XML file (SQLite.xml) in which it stores the user name and the password used to communicate with the C2 server.\r\nThe malware generates the user name for C2 communication by concatenating a) the machine name, b) a random number between 1000 and 9999 and c) the product version of the file. The screenshot below shows the code that generates the user name.\r\nThe malware generates the password for C2 communication by building an array of 16 random bytes; these random bytes are then base64 encoded, and the malware replaces the characters “+” and “/” in the encoded data with “-” and “_” respectively. Replacing the standard characters with custom characters makes it harder to decode the string using the standard base64 algorithm. The screenshot below shows the code that generates the password.\r\nOnce the user name and password are generated, the malware creates an XML file (SQLITE.xml) and populates it with the generated user name and password. The screenshot below shows the code that creates the XML file.\r\nThe screenshot below shows the XML file populated with the user name and the password used by the malware to communicate with the C2 server.\r\nThe malware then collects system information such as the computer name, operating system caption, IP address of the infected system and product version of the executable file, and sends it to the C2 server along with the generated user name and password using a POST request to postdata.php. 
The screenshots below show the code that collects the system information and the data that is sent to the attacker.\r\nc) Malware Sends Process Information\r\nThe malware then enumerates the list of all processes running on the system and sends it to the C2 server, along with the user name and password, using a POST request to JobProcesses.php, as shown in the screenshots below. This allows the attackers to know which programs are running on the system and whether any analysis tools are being used to inspect the malware.\r\nMalware Functionalities\r\nApart from sending system information and process information to the C2 server, the malware can also perform various other tasks on command from the C2. This section covers the different functionalities of the malware.\r\na) Download \u0026 Execute Functionality 1\r\nThe malware triggers the download functionality by connecting to the C2 server and making a request to either Jobwork1.php or Jobwork2.php; if the C2 response satisfies the condition, it downloads and executes the file. After understanding the logic (described below), the environment was configured to return a response satisfying the condition whenever the malware made a request to Jobwork1.php or Jobwork2.php. The screenshot below shows the response given to the malware.\r\nThe malware then reads the response successfully, as shown in the screenshot below.\r\nFrom the C2 response it extracts two things: a) the URL from which to download an executable file and b) the command string that will trigger the download functionality.\r\nThe URL is extracted from the C2 response starting at offset 14 (i.e. the 15th character); the length of the string (URL) to extract is determined by finding the start offset of the string “clientpermission” and subtracting 17 from that offset.\r\nThe command string that triggers the download functionality is extracted from the C2 response using the logic shown below. The screenshot below shows the logic used to extract the URL and the command string; in the screenshot the extracted command string is stored in the variable ServerTask1Permission.\r\nOnce the URL and command string are extracted, the malware compares the command string with the string “Pending”; the download functionality is triggered only if the command string matches “Pending”.\r\nWhen all the above conditions are satisfied, the malware downloads the executable from the URL extracted from the C2 response. The screenshot below shows the URL extracted from the C2 response.\r\nNote: In the screenshot below the URL (hxxp://c2xy.com/a.exe) is not the actual URL used by the malware for downloading the file; it is a test URL used to determine the functionality, so this URL should not be used as an indicator.\r\nThe screenshot below shows the network traffic of the malware trying to download the executable file from the extracted URL.\r\nThe downloaded executable is saved in the %AppData%\\SQLite directory, as shown in the screenshot below.\r\nThe downloaded file is then executed by the malware, as shown in the screenshot below.\r\nOnce the downloaded file has been executed, the malware reports that the download and execute was successful by making a POST request to JobDone.php, as shown in the screenshots below.\r\nThis functionality allows the attackers to change their hosting site (from where the malware will be downloaded) simply by changing the C2 response to contain a different URL.\r\nb) Download \u0026 Execute Functionality 2\r\nThe malware also supports a second type of download functionality: instead of extracting a URL from the C2 response and downloading the executable, it reads the executable content from a network stream from a hard-coded IP address, writes it to disk and executes it.\r\nThis functionality is triggered by making a request to either JobTcp1.php or JobTcp2.php; if the C2 response satisfies the condition, the malware obtains the executable content from the hard-coded IP address. After understanding the logic, the environment was configured to return a response satisfying the condition when the malware made a request to JobTcp1.php or JobTcp2.php. The screenshot below shows the response given to the malware.\r\nThe malware then reads the C2 response and extracts two things from it: a) the filename and b) the command string that will trigger the download functionality.\r\nThe filename is extracted from the C2 response starting at offset 14 (i.e. the 15th character); the length of the string to extract is determined by finding the start offset of the string “clientpermission” and subtracting 17 from that offset. The command string that triggers the download functionality is extracted from the C2 response using the logic shown below. 
The screenshot below shows the logic used to extract the filename and the command string; in the screenshot the extracted command string is stored in the variable ServerTask1Permission.\r\nOnce the filename and command string are extracted, the malware compares the command string with the string “Pending”; if it matches, the filename extracted from the C2 response (in this case “testfile”) is concatenated with “.exe”, as shown below.\r\nIt then connects to the hard-coded IP 91[.]205[.]173[.]3 on port 6134 and sends the concatenated filename (testfile.exe), as shown below.\r\nAfter verifying the filename, the server at that IP address returns the executable content, which the malware reads directly from the network stream and writes to disk in the %Appdata%\\SQLite directory, as shown below.\r\nThe dropped file is then executed, as shown in the screenshot below.\r\nc) Update Functionality\r\nThe malware has the capability to update itself. This is done by making a request to updateproductdownload.php; if the C2 response satisfies the condition, it downloads the updated executable from a URL. After understanding the logic, the environment was configured to return a response satisfying the condition. 
The screenshot below shows the response given to the malware when it makes a request to updateproductdownload.php.\r\nThe malware then reads the C2 response and extracts two things from it: a) the URL from which to download the updated executable and b) the command string that will trigger the update functionality.\r\nThe URL is extracted from the C2 response by finding the start offset of the string “updatetpermission” and subtracting 17 from that offset, which gives the URL from which the updated executable will be downloaded. To get the command string, the malware extracts a 7-character string starting at the offset of the string “updatetpermission” + 19 and uses it as the command string. The screenshot below shows the logic used to extract the URL and the command string; in the screenshot the extracted command string is stored in the variable ServerUpdatePermissionInstruction.\r\nOnce the URL and command string are extracted, the malware compares the command string with the string “Pending”; only if the command string matches “Pending” does the malware download the updated executable from the extracted URL. 
The screenshot below shows the code that performs the check and the extracted URL.\r\nNote: In the screenshot below the URL (hxxp://c2xyup.com/update.exe) is not the actual URL used by the malware for updating; it is a test URL used to determine the functionality, so this URL should not be used as an indicator.\r\nThe malware then downloads the updated executable and drops it in the %Appdata%\\SQLite directory, as shown in the screenshots below.\r\nOnce it has downloaded the updated executable, the malware creates a value in the Run registry key for persistence; before doing so it deletes the old entry and then adds the new one, so that the next time the system starts the updated executable will run. The screenshots below show the registry entry added by the malware.\r\nThis functionality allows the attackers to update their malware components.\r\nd) Delete/Uninstall Functionality\r\nThe malware also has the capability to delete itself. This is done by making a request to Uninstaller.php. The screenshot below shows the code that makes this request.\r\nThe environment was configured to return a response that triggers the uninstall/delete functionality. The screenshot below shows the network traffic making the POST request to Uninstaller.php and the returned response.\r\nThe malware then checks whether the C2 response contains the string “delete”. 
The screenshots below show the code that reads the C2 response and the code that performs the check.\r\nIf the C2 response contains the string “delete”, the malware first deletes the entry from the Run registry key that it uses for persistence, as shown below.\r\nAfter deleting the registry entry, the malware deletes all the files from the %Appdata%\\SQLite directory by creating a batch script. The batch script pings the hard-coded IP address 180[.]92[.]154[.]176 10 times (a technique used to sleep for 10 seconds) before deleting all the files.\r\nOnce all the files are deleted, the malware kills its own process, as shown in the screenshot below.\r\nThis functionality allows the attackers to remove their footprints from the system.\r\nC2 Information\r\nThis section contains the details of the C2 domain qhavcloud[.]com. This C2 domain was associated with two IP addresses, both of which belong to a hosting provider in Germany, as shown in the screenshots below.\r\nThe IP address 91[.]205[.]173[.]3 hard-coded in the binary, from which the malware downloads additional components, is also associated with the same hosting provider in Germany, as shown below.\r\nThe C2 domain qhavcloud[.]com was also found to be associated with multiple malware samples in the past. The screenshot below shows the md5 hashes of the samples associated with the C2 domain.\r\nThe C2 domain qhavcloud[.]com and the hard-coded IP address 91[.]205[.]173[.]3 were also found to be associated with another attack campaign which targeted senior army officers. 
This suggests that the same espionage group involved in this attack also targeted senior army officers using a different email theme.\r\nThreat Intelligence\r\nInvestigating the domain idsadesk[.]in (which was used to send the email impersonating the identity of IDSA) shows that it was created on 20th Feb 2017, the day before the spear-phishing email was sent to the victims. Most of the registrant information appears to be fake, and another notable detail is that the registrant country and the country code (+92) of the registrant phone number are associated with Pakistan.\r\nFurther investigation shows that the same registrant email id was also used to register another similar domain (idsagroup[.]in), which also impersonates the identity of IDSA. This impersonating domain was registered on the same day, 20th February 2017, and could also be used by the attackers to send spear-phishing emails to different targets.\r\nWhile investigating the malware’s uninstall/delete functionality it was determined that the malware creates a batch script to delete all its files, but before deleting the files it pings the hard-coded IP address 180[.]92[.]154[.]176 10 times, as shown below.\r\nInvestigating this hard-coded IP address shows that it is located in Pakistan. The Pakistan connection in the whois information and in the hard-coded IP address is interesting because the previous two attacks against the Indian Ministry of External Affairs and the Indian Navy’s submarine manufacturer also had a Pakistan connection. 
Based on just the whois information (which can be faked) and the location of the IP address it is hard to say whether the Pakistan espionage group is involved in this attack, but based on the email theme, the tactics used to impersonate the Indian think tank (IDSA) and the targets chosen, that possibility is highly likely. The screenshot below shows the location of the hard-coded IP address.\r\nIndicators Of Compromise (IOC)\r\nIn this campaign the cyber espionage group targeted the Central Bureau of Investigation (CBI), but it is possible that other government entities were also targeted as part of this attack campaign. The indicators associated with this attack are provided so that organizations (Government, public and private organizations and the Defense sector) can use them to detect, remediate and investigate this attack campaign. The indicators are below.\r\nDropped Malware Sample:\r\nf8daa49c489f606c87d39a88ab76a1ba\r\nRelated Malware Samples:\r\nNetwork Indicators Associated with C2:\r\nqhavcloud[.]com\r\n173[.]212[.]194[.]214\r\n173[.]212[.]193[.]53\r\n91[.]205[.]173[.]3\r\n180[.]92[.]154[.]176\r\nDomains Impersonating the Identity of Indian Think Tank (IDSA):\r\nidsadesk[.]in\r\nidsagroup[.]in\r\nEmail Indicator:\r\niasia69@z7az14m[.]com\r\nC2 Communication Patterns:\r\nhxxp://qhavcloud[.]com//northernlights//PingPong.php\r\nhxxp://qhavcloud[.]com//northernlights//postdata.php\r\nhxxp://qhavcloud[.]com//northernlights//JobProcesses.php\r\nhxxp://qhavcloud[.]com//northernlights//JobWork1.php\r\nhxxp://qhavcloud[.]com//northernlights//JobWork2.php\r\nhxxp://qhavcloud[.]com//northernlights//JobTCP1.php\r\nhxxp://qhavcloud[.]com//northernlights//JobTCP2.php\r\nhxxp://qhavcloud[.]com//northernlights//updateproductdownload.php\r\nhxxp://qhavcloud[.]com//northernlights//Uninstaller.php\r\nConclusion\r\nThe attackers in this case made every attempt to launch a clever attack campaign, impersonating the identity of a highly influential Indian think tank to target an Indian investigative agency and officials of the Indian Army, using an email theme relevant to the targets. The following factors in this cyber attack suggest the possible involvement of a Pakistan state-sponsored cyber espionage group seeking to spy on or take control of the systems of officials of the Central Bureau of Investigation (CBI) and officials of the Indian Army:\r\nUse of a domain impersonating the identity of a highly influential Indian think tank\r\nVictims/targets chosen (CBI and Army officials)\r\nUse of an email theme that is of interest to the targets\r\nLocation of one of the hard-coded IP addresses in the binary\r\nUse of TTPs (tactics, techniques \u0026 procedures) similar to the previous campaigns targeting the Indian Ministry of External Affairs and the Indian Navy’s warship manufacturer\r\nUse of the same C2 infrastructure that was used to target senior army officers\r\nThe attackers in this case used multiple techniques to avoid detection and to frustrate analysts. 
The following factors reveal the attackers’ intention to remain stealthy and to gain long-term access by evading analysis and security monitoring at both the desktop and network levels:\r\nUse of a password-protected macro to prevent viewing of the code and to make manual analysis harder\r\nUse of a TextBox within the UserForm to store malicious content and bypass analysis tools\r\nUse of a legitimate service like Google Drive to store the list of backup C2 servers and bypass security monitoring and reputation-based devices\r\nUse of malware that performs various checks before performing any malicious activity\r\nUse of backup C2 servers and hosting sites to keep the operation up and running\r\nUse of a hosting provider to host the C2 infrastructure\r\nSource: https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials/"
	],
	"report_names": [
		"cyber-attack-targeting-cbi-and-possibly-indian-army-officials"
	],
	"threat_actors": [],
	"ts_created_at": 1775434295,
	"ts_updated_at": 1775791291,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/09b408a653c1f8e59ec13070aeeeb0b654663a01.pdf",
		"text": "https://archive.orkl.eu/09b408a653c1f8e59ec13070aeeeb0b654663a01.txt",
		"img": "https://archive.orkl.eu/09b408a653c1f8e59ec13070aeeeb0b654663a01.jpg"
	}
}