# New Spear Phishing Campaign using Army Welfare Education Society’s Scholarship form **[seqrite.com/blog/new-spear-phishing-campaign-using-army-welfare-education-societys-scholarship-form/](https://www.seqrite.com/blog/new-spear-phishing-campaign-using-army-welfare-education-societys-scholarship-form/)** Chaitanya Haritash March 22, 2021 22 March 2021 Written by [Chaitanya Haritash](https://www.seqrite.com/blog/author/chaitanya/) [Cybersecurity](https://www.seqrite.com/blog/category/cybersecurity/) Estimated reading time: 5 minutes **Introduction:** Researchers at Quick Heal Security Labs have uncovered a potential Spear Phishing campaign targeted against Indian Army personnel. In this attack, the attackers are using “Army Welfare Education Society” Scholarship form as lure. **About AWES:** Army Welfare Education Society (AWES) manages and ensures proper education facilities to children of Indian Army personnel through Local Military Authorities. Established in 1983, the society has its office at Shankar Vihar, Delhi Cantonment and over the years has opened over 137 Army Public Schools and 249 Army Pre-Primary Schools across India. **Details about the recent attack:** **Document Analysis:** “ESSA-Scholarships.docx” ----- _Fig.1 Template_ _Fig.2 ESSA-Scholarships.docx_ [The “ESSA-Scholarships.docx” triggers CVE-2017-0199 vulnerability which later launches the stage of “.dotm” file](https://www.seqrite.com/blog/new-spear-phishing-campaign-using-army-welfare-education-societys-scholarship-form/text=Service%20Pack%202-,Vulnerability%20(CVE-2017-0199),and%20execute%20malware%20on%20it.) from landing page embedded inside “settings.xml.rels”. This technique is popularly known as “Template Injection” as well and is popular among threat actors since the detection is trivial. “essa.dotm” As soon as the user disables “Protected View”, the previous stage downloads and executes “essa.dotm” which further executes the macros. ----- _Fig.3 Extracting Data_ All the data of staged payloads are stored inside “UserForum.TextBox”. The macro has four text boxes as object, containing all the data to be dropped on disc as files and initiate further stages. _Fig.4 Routine for Saving all the files_ **Executable Payload Analysis:** “fixit.exe”: This tends to behave as loader unless command is not issued from command and control. The payload is completely new, written in .NET and does not perform too many actions. ----- _Fig.5 Information collection_ The payload comes with .scr extension and once executed, it collects the following information about infected host using WMI Queries: 1; Processer ID. 2; User Name. 3; General Details (Architecture, Caption, Version). 4; Check for Device Type (Laptop/Desktop). 5; Device Model. _Fig.6 Initial knock being sent to C2_ ----- Once information is collected about the host, the payload sends it to C&C and performs following actions according to command issued from C&C: 1; Get Process List. _Fig.7 Sending Running Process List_ If command “q7&F%2 ” is issued from C2, payload sends list of running processes by using “Process.GetProcesses()” and creates an array of list. 2; Write and Execute Files: ----- _Fig.8 Write and Execute Routine_ Once C2 responds back with command, the payload receives files and execute on current folder. **Persistence:** _Fig.9 Creating Persistence_ Payload gains persistence on infected host by writing LNK file to “Startup Folder”. It’s a well-known technique used by other threat actors. Payload loads an assembly which is publicly available called “IWshRuntimeLibrary.dll” and tries to create a LNK file in target folder giving reference to running payload’s working directory. ----- _Taken from – https://www.aitpune.com/Notices/Scholarship/ESSA-Circular.pdf_ Once whole chain executed successfully, the macro opens PDF file dropped in ProgramData directory, which is publicly available. **Conclusion:** If the attack is successful, attackers they may be able to exfiltrate sensitive data from the victim machine. Our further analysis and observation is still on to identify which group is behind this attack. Till then, we advise AWES to exercise caution and inform all their members about this attack. **MITRE ATT&CK TTPs:** Spear Phishing with Attachment T1566.001 Template Injection T1221 User Execution: Malicious .docx and xls T1204.002 Write Files to disc T1006 ----- Connects to Command And Control TA0011 Persistence: Write LNK file to Startup Folder T1547.001 **How Quick Heal protects its users:** We have the following detections for the malicious samples: VBA.Trojan.41523 O97M.Downloader.41522 Trojan.Perseus.S19235058 Trojan.Perseus.S19221636 Trojan.MSIL Also, the domains and IPs used are classified as malicious by Quick Heal URLCAT. **IOCs:** **Documents: CVE-2017-0199** 74e41223ec6359a9bd05bbce36b452fd046aaad64617f459ba262a5210925942 ESSA-Scholarships.docx d035e96f54abe59dcdbc2156e55cd0135ec420f8e97aca7f109ee8d062baa755 irlaforyou.docx d4b36731cb37ad05b0b9678b568c10a56f2e84967b393b626afb19d2df41c9b9 SARS_Eligible_Clubs___Resorts.xls **Templates :** fc3dd043b795a1cedb8b7e1e5471f15c0b5c17c237f634c60c4e0a92d980914b essa.dotm 108a5035ab40b13b489f8a1fb8fd8bdb5880368c9c18e1d244df23b8d5a26d67 temp.dotm 9fc84eadba969bd12cda144750cef361bcdff224026eb3921d8d46a5a424da5b temp.dotm **Executables:** d0a5ffa3b9c40eb1e4277e7c41a100b0836c9424b36fb9bbe281711c0b116883 fixit.exe 4c21c88399d95a3602aaacf85a83c8aaac5ae7b6bf192c4c25cef4f9224b6f7b pixelworks.exe 2491caddf4445d9297404493c7707b54591c989b94fd4634a7afdf54c0d22e9c sapesvx.exe 979f7952dd2225c149f1766b4bca020b680364a77ddb6006cfa462543e0a6440 winsuffix.exe c7dbca435039a6148dc25208f04b734465e8b7c92010ede1401d88f5f8003f2d foxpackage.exe 871cab3256acdbc3c27650adde878658568a85b87e85d3e3c137bdeb4592fb2c amdSfx.exe 1eb0d373cea19124687ed4bffb0da3f80f98a18b9e0bebd3c12443f0a3d81689 modempx.exe 814ed2b9ae0770d727a8cd83581b4865b2abe16f8190240c5c1e821e22a280ab foxpackage.exe dd47cf8ec70658af85e0cd23922462ac788305034fe78ed725bb90c1a3fa04cc scriptpbox.exe **Domains:** ----- templatesmanagersync.info 10feeds.com **Landing Pages:** hxxp://templatesmanagersync.info/essa.dotm hxxp://10feeds.com/temp.dotm **IP :** 173.249.14.104 **Subject matter Experts:** Chaitanya Haritash Shayak Tarafdar Chaitanya Haritash works as Security Researcher in Security Labs at QuickHeal. His main focus is on hunting unique threats and writing detection. Chaitanya is... [Articles by Chaitanya Haritash »](https://www.seqrite.com/blog/author/chaitanya/) ## No Comments Leave a Reply.Your email address will not be published. -----