# APT Group Targets Indian Defense Officials Through

 Enhanced TTPs

[During our routine threat hunting exercise, Cyble Research Labs came across a malware sample posted on Twitter by a](https://twitter.com/s1ckb017/status/1435888576710029315)

researcher who believes that the malware belongs to Transparent Tribe, an Advanced Persistent Threat (APT) Group.

Given the nature of the victim and the way they are targeted, we can draw some similarities to the Side Copy APT group.

Both APT groups are known to have mainly targeted India’s Defense and Government sectors in the past. Additionally, both

groups have used various other RAT and malware to launch campaigns via multiple modes such as phishing, delivering

payload via mail, etc. The malware posted by the researcher on Twitter has used a technique to hide the actual malware in

[the .vhdx file to avoid any antivirus detection. As per Wikipedia, .vhdx is the successor of VHD (Virtual Hard Disk).](https://en.wikipedia.org/wiki/VHD_%28file_format%29)

The figure below shows the high-level execution flow of the malware. Upon execution, the malware checks for the current

time zone. If it is able to verify that the victim system’s time zone is in IST, it connects to the attacker’s URL for downloading

the second stager. Once downloaded, it executes the second stager payload and deletes itself.

The second stager payload checks that only one instance of the malware is running, and then it connects with the attacker’s

Command and Control (C&C) server to start receiving the commands from Threat Actor (TA).

Figure 1 High-Level Execution Flow of Malware

## Technical Analysis

Cyble Research started analysis with the malware file name AFD CSD APP.vhdx; the sample had an extension. vhdx. After

double-clicking on the AFD CSD APP.vhdx we observed it creating a mount in the Operating System (OS) with the name

“CSD App“. After opening the mounted drive, we got the malicious malware file which is CSD_AppLaunch.exe.

Figure 2 Actual Malware present in CSD APP Mount

While performing a static analysis of the CSD_AppLaunch.exe malicious file, we determined that that the file is an x86


-----

Figure 3 Static Details of First Stager

The icon of the malicious app had the logo of the Canteen Store Department (CSD) of the Indian Armed Forces, as shown

in the figure below.

Figure 4 Application Logo Used for First Stager

### Code Analysis (CSD_AppLaunch.exe)

As per the below code, once the malware has been executed, it checks whether the current OS time Zone is India Standard

Time (IST); if the OS time is not in IST, the malware exits. This tells us that the malware has been created with the explicit

purpose of targeting the Indian Defense establishment and service members.

Fi 5 M l Ch k f Ti Z


-----

and load the Form1_Load module to execute the malicious malware code.

Figure 6 Malware Loading Indian CSD Website in Custom Browser and Execute Form1_Load

Once the Form1_Load method is called, the code shown in Figure 7 creates a directory in C:\\ProgramData as “Intel Wifi*”.*

If this directory is not present, it will be created, Once the directory is present, the malware proceeds to download the next

stager payload from URL https[:]//secure256[.]net/ver4.mp3. Then, the malware decrypts the ver4.mp3 content to create

IntelWifi.exe malicious binary in C:\\ProgramData\\Intel Wifi as shown in the code below.

Figure 7 Create Folder in ProgramData and Download Second Stager

The code below contains the decryption logic used by the malware to decrypt the content of ver4.mp3 file.


-----

Figure 8 Decrypt Second Stager

Finally, the first stager malware calls the Final method to create a new file name music.mp3 which contains the decrypted

data of ver4.mp3 in the C:\\ProgramData directory.

After this step, it sleeps for 6 seconds and then uses the Move function to rename the music.mp3 file to IntelWifi.exe. It then

sleeps for five more seconds and then executes IntelWifi.exe binary and delete CSD_AppLaunch.exe (first stager) binary as

shown in the figure below.

Figure 9 Create Second Stager Binary IntelWifi.exe

### Technical Analysis for IntelWifi.exe (Second Stager)

Static analysis of IntelWifi.exe tells that the binary is an x86 architecture Windows-based Graphical User Interface (GUI)

application written in .NET language as shown in the figure below.


-----

Figure 10 Static Details of IntelWifi (Second Stager)

As per the below code, initially, the malware checks that only a single instance of a malware process is running. Then, it

checks whether the current time zone is India Standard Time. Further, it calls CheckDirectory() method to create \\Intel Wifi

directory and vmnx.dll file. Finally, it calls the Form1 module to execute the malicious codes.

Figure 11 Second Stager Malware Performing Various Checks

Form1() module calls IntializeComponent method, which in turn loads the Form1_Load method. The Form1_Load then calls

Run() method to start the malware activity as shown in the figure below.


-----

Figure 12 Execution Flow to Initiate the Malicious Activity

The Run code is shown in Figure 13. Once executed, it connects to the attacker’s C&C on address

45[.]147[.]228[.]195[:]5434. After establishing contact with the C&C server, it calls the Run method from the Grabber class to

execute a series of methods to get the victim’s environment details, e.g., OS, current username, etc. Once the victim’s

environment details are extracted, the malware sends the details to the attacker’s C&C with key “x999” and then waits for

commands to be received from the attacker.

Figure 13 Malware Communicating to Attacker’s C&C and Waiting to receive the Command

Below we have listed a series of methods executed by the Run() method present in the Grabber class.


-----

|Col1|Col2|
|---|---|
|Methods|Description|
|CreateID()|Create vmvcx.dll file and Generate Victim ID based on processor detail and P-Followed by random number and write the ID is vmvcx.dll file. E.g., PXXX-XXXXXXXXXXXX|
|Name()|Get the Computer Name and Current Username|
|PubIp()|Get the Victim’s public IP using http://icanhazip[.]com|
|LocIp()|Get the Victim’s Local IP|
|OSType()|Get the Victim’s Operating System (OS) details|
|Av()|Get the AV’s List present in Victim’s Machine|
|MacType()|Check whether Victim’s is using desktop or Laptop|
|CreateNonStop()|Add persistence in Startup Folder|


Table 1 Methods Description Which Malware invokes

The below figure shows that the cynetcloud shortcut file is created in the startup folder using CreateNonStop() method. The

value file:///C:\ProgramData\Intel Wifi\IntelWifi.exe executes whenever the Windows machine starts. This is done for the

purpose of creating and maintaining persistence on the victim machine.

Figure 15 Malware Created Persistent in Start-Up Folder

Once all the methods are executed, as shown in Table 1, the malware sends the user data to Attacker’s C&C. In the figure

below, the malware has connected to our fake emulated C&C.

Figure 16 Malware Connected to Fake C&C

Once connected, the malware sends the victim’s environment details. The malware goes into a dormant stage to get the

next command from the attacker’s C&C.

For example in the below figure we have sent “prc1” to the malware to get the process details of the victim


-----

Figure 17 Output Received from malware

Below is the code used by the malware to handle the commands received from C&C.

Figure 18 Various Functionalities which Malware Support basis on the Command Received from C&C

## Conclusion

The APT groups are evolving their tools and techniques to stay ahead of various security solutions like AV & EDR. Based

on the fact that this malware has multiple artifacts such as the logo, the URL used in the initial code, we can conclude that

the malware has been created specifically to target Indian Defense or Government officials.

Cyble Research Labs will continuously monitor security threats, whether they are ongoing or emerging. We will continue to

update our readers with our latest findings.


-----

recommend that our readers follow the suggestions given below:

Use a reputed anti-virus and internet security software package on your connected devices.

Use the shared IOCs to monitor and block the malware infection.

Conduct regular backup practices and keep those backups offline or in a separate network.

Refrain from opening untrusted links and email attachments without verifying their authenticity.

Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever

possible and pragmatic.

Use strong passwords and enforce multi-factor authentication wherever possible.

## MITRE ATT&CK® Techniques

**Tactic** **Technique ID** **Technique Name**

**Execution  ** [T1204](https://attack.mitre.org/techniques/T1204/) User Execution

**Persistence** [T1547](https://attack.mitre.org/techniques/T1547/) Boot or Logon Autostart Execution

[T1057](https://attack.mitre.org/techniques/T1057/) Process Discovery

[T1124](https://attack.mitre.org/techniques/T1124/) System Time Discovery

**Discovery**

[T1033](https://attack.mitre.org/techniques/T1033/) System Owner/User Discovery

[T1082](https://attack.mitre.org/techniques/T1082/) System Information Discovery

[T1095](https://attack.mitre.org/techniques/T1095/) Non-Application Layer Protocol
**Command and Control**

[T1571](https://attack.mitre.org/techniques/T1571/) Non-Standard Port

## Indicators of Compromise (IoCs):

**Indicator**
**Indicators** **Description**
**type**

**124023c0cf0524a73dabd6e5bb3f7d61d42dfd3867d699c59770846aae1231ce** SHA-256 IntelWifi.exe

**84841490ea2b637494257e9fe23922e5f827190ae3e4c32134cadb81319ebc34** SHA-256 CSD_AppLaunch.exe

**5e645eb1a828cef61f70ecbd651dba5433e250b4724e1408702ac13d2b6ab836** SHA-256 AFD CSD APP.vhdx

**http://secure256[.]net/** URL Second Stager URL

**45.147.228.195:5434** IP:Port Attacker’s C&C

## Generic signatures and Rules:

 Yara Rules:

|Col1|Col2|Col3|
|---|---|---|
|Tactic|Technique ID|Technique Name|
|**Execution **|T1204|User Execution|
|Persistence|T1547|Boot or Logon Autostart Execution|
|Discovery|T1057 T1124 T1033 T1082|Process Discovery System Time Disco very System Owner/User Dis covery System Information Discovery|
|Command and Control|T1095 T1571|Non-Application Layer Protocol Non-Standard Port|

|Indicators of Compromise (IoCs):|Col2|Col3|
|---|---|---|
||||
|Indicators|Indicator type|Description|
|124023c0cf0524a73dabd6e5bb3f7d61d42dfd3867d699c59770846aae1231ce|SHA-256|IntelWifi.exe|
|84841490ea2b637494257e9fe23922e5f827190ae3e4c32134cadb81319ebc34|SHA-256|CSD_AppLaunch.exe|
|5e645eb1a828cef61f70ecbd651dba5433e250b4724e1408702ac13d2b6ab836|SHA-256|AFD CSD APP.vhdx|
|http://secure256[.]net/|URL|Second Stager URL|
|45.147.228.195:5434|IP:Port|Attacker’s C&C|

```
rule win32_csdmalware

{ 
meta: 
  author= "Cyble Research"
  date= "2021-09-14"
  description= "Coverage for CSD_Application.exe & IntelWifi.exe"

```
```
  csd_application_hash= "84841490ea2b637494257e9fe23922e5f827190ae3e4c32134cadb81319ebc34

```
```
"
  intelwifi_hash= "124023c0cf0524a73dabd6e5bb3f7d61d42dfd3867d699c59770846aae1231ce"
strings: 
  $header= "MZ"

```

-----

```
  $sig3 = "MacType" wide ascii
  $sig4 = "45.147.228.195" wide ascii
  $sig5 = "qmquqsqiqcq.qmqpq3q" wide ascii
  $sig6 = "secure256.net" wide ascii
  $sig7 = "ver4.mp3" wide ascii
  $sig8 = "x33117" wide ascii
condition: 

  $header at 0 and (3 of ($sig*)) 
}

```

## **About Us **

[Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure](https://cyble.com/)

in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y

Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best

Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore,

and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.


-----