# Manufacturer

**cysinfo.com/cyber-attack-targeting-indian-navys-submarine-warship-manufacturer/**

2/10/2017

[In my previous blog posts I described attack campaigns targeting Indian government organizations, and Indian](https://cysinfo.com/malware-actors-using-nic-cyber-security-themed-spear-phishing-target-indian-government-organizations/)
Embassies and Ministry of External affairs. In this blog post I describe a new attack campaign where cyber
espionage group targeted the users of Mazagon Dock Shipbuilders Limited (also called as ship builder to the
**_[nation). Mazagon Dock Shipbuilders Limited (MDL) is a Public Sector Undertaking of Government of India (Ministry](https://en.wikipedia.org/wiki/Mazagon_Dock_Limited)_**
of Defence) and it specializes in manufacturing warships and submarines for the Indian Navy.

In order to infect the users associated with Mazagon Dock Shipbuilders Limited (MDL), the attackers distributed
spear-phishing emails containing malicious excel file which when opened drops a malware capable of spying on
infected systems. The email purported to have been sent from legitimate email ids. The attackers spoofed the email
[id associated with a Spain based equipment manufacturing company Hidrofersa which specializes in designing,](http://hidrofersa.com/?lang=en)
manufacturing naval, industrial and mining machinery.

**Overview of the Malicious Emails**

[On 26th January, 2017 Indian Navy displayed its state-of-the-art stealth guided missile destroyer INS Chennai and](https://en.wikipedia.org/wiki/INS_Chennai_(D65))
[the indigenously-made Kalvari class Scorpene submarines at the Republic Day parade showcasing India’s military](https://en.wikipedia.org/wiki/Kalvari-class_submarine)
strength and achievements. INS Chennai and Kalvari class submarines were manufactured by Mazagon Dock
Shipbuilders Limited (MDL).

On 25th January (day before the Republic day) attackers spoofed an email id associated with Hidrofersa a Spain
based company which specializes in designing, manufacturing naval, industrial and mining machinery and the email
was sent to the users of Mazagon Dock Shipbuilders Limited (MDL). The email attachment contained two malicious
excel files (both excel files turned out to be same but used different names). The email was made to look like it was
sent by a General service manager of Hidrofersa enquiring about the product delivery schedule.


-----

Mazagon Dock Shipbuilders Limited (MDL) is listed as one of clients of Hidrofersa (mentioned in Hidrofersa
website) and as per their website Hidrofersa has shipped equipments to Mazagon Dock Shipbuilders Limited (MDL)
in the past as shown in the below screen shots. This is probably the reason attackers spoofed the email id of
Hidrofersa as it is less likely to trigger any suspicion and there is high chance of recipients opening the attachment
as it is coming from a trusted equipment manufacturer (Hidrofersa) . It looks like attackers carefully researched (or
they already knew about) the trust relationship between these two companies.

From the email it looks like the goal of the attackers was to infect, take control of the systems of users associated
with Mazagon Dock Shipbuilders Limited (MDL) and to steal sensitive information (like Product design documents,
blueprints, manufacturing processes etc) related to warships and submarines.

**Analysis of Malicious Excel File**

When the recipient of the email opens the attached excel file it prompts the user to enable macro content and the
excel also contains instruction on how to enable the macros.


-----

Once the the macro content is enabled, it calls an auto execute function Workbook_Open() which in turn downloads
the malware sample and executes on the system. The malicious macro code was reverse engineered to understand
its capabilities. The macro code was heavily obfuscated (used obscure variable/function names to make analysis
harder) as shown below.

The macro also contained lot of junk code, unnecessary comments and variable assignments as shown below. The
attackers used this technique to delay, divert and confuse the manual analysis.


-----

The macro then decodes a string which runs PowerShell script to download malware from a popular university site
located in Indonesia as shown below. The attackers probably compromised the university website to host the
malware. The technique of hosting malicious code in a university site (legitimate site) has advantages and it is
unlikely to trigger any suspicion in security monitoring and also can bypass reputation based devices.

The PowerShell script (shown below) drops the downloaded executable in the %TEMP% directory as “doc6.exe“. It
then adds a registry entry for the dropped executable and invokes eventvwr.exe, this is an interesting registry hijack
technique which allows the doc6.exe to be executed by _eventvwr.exe with high integrity level and also this_
technique silently bypasses the UAC (user account control). This technique of UAC bypass is mentioned in the blog
[“Fileless” UAC Bypass Using eventvwr.exe and Registry Hijacking](https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/)


-----

opens eventvwr.msc causing the Event Viewer to be displayed. To start mmc.exe, _eventvwr.exe searches this_
registry key “HKCU\Software\Classes\mscfile\shell\open\command” looking for mmc.exe before looking at
_HKCR\mscfile\shell\open\command._

In this case since this registry “ HKCU\Software\Classes\mscfile\shell\open\command” was hijacked to contain the
entry for “doc6.exe”, this will cause the eventvwr.exe process to invoke doc6.exe with high integrity level.

Below screen shot shows doc6.exe running from the %TEMP% directory

The dropped file (doc6.exe) was determined as KeyBase malware. This malware can steal and send sensitive
information to the attackers like keystrokes, opened applications, web browsing history, usernames/passwords,
upload Desktop screen shots etc. The feature of uploading the Desktop screen shot is notable because if the
infected user opens a design or design document related to submarines or warships the screen shot of that can be
sent to the attacker.

The attackers also hosted multiple samples of KeyBase malware in the compromised university website. Below
screen shot shows hashes of 25 samples hosted on the university site.


-----

**Analysis of the Dropped Executable (doc6.exe)**

The dropped file was analyzed in an isolated environment (without actually allowing it to connect to the c2 server).
This section contains the behavioral analysis of the dropped executable

Once the dropped file (doc6.exe) is executed the malware copies itself into %AllUsersProfile% directory as
_“Important.exe”, In addition to that it also drops two files_ _“Mails.txt” and “Browsers.txt” into the same directory as_
shown below.

The malware then creates a registry value for the the dropped file (Important.exe), this ensures that malware is
executed every time the system restarts.


-----

The malware after execution keeps track of the user activity (like applications opened, files opened etc) but does not
immediately generate any network traffic, this is to make sure that no network activity is generated during
automated/sandbox analysis. After sleeping for a long time malware makes an http connection to the C2 server
(command & control server) and sends the tracked user activity to the attacker. The below screen shot shows the
communication to the C2 server on port 80.

**C2 Communication Pattern**

Once malware makes an http connection after sleeping for a long time, it sends the system information and the
tracked activity to the C2 server as http parameters. Below screen shot shows the network communication pattern
where the hostname and the machine time is sent to C2 server.

Below screen shot shows a network communication pattern where the opened window title was sent to the C2
server, this pattern below indicates that “test.txt” file was opened with notepad on the infected system.


-----

Below screen shot shows a network communication pattern indicating a document named _“secret.docx” was_
opened with Microsoft Word.

Below screen shot shows a network communication pattern indicating _Internet Explorer was launched on the_
infected system.

Every activity on the infected system is sent to the attacker, this allows the attacker to take further action and also
since the open window title is sent to attacker, this lets the attacker know about the documents opened and the tools
running on the system or if any analysis tools are used to inspect the malware.

**C2 Domain Information**

This section contains the details of the C2 domain (tripleshop[.]id). All the 25 samples hosted on compromised
university site was analyzed and it was determined that all these samples also communicated to the C2 domain
_tripleshop[.]id_


-----

Indonesia as shown in the screen shots below

Below screen shot shows the timeline when the IP address was active. The IP was first seen to be active on 18th
Jan, 2017 (one week before the spear-phishing mail was sent to the victims).

**Threat Intelligence**

Even though attackers tried to make it look like the spear phishing email was sent by an email id associated with
Hidrofersa but inspecting the email headers revealed some interesting information.

The X-AuthUser in the header below revealed the identity of the sender. The sender is associated with a company
named “Combined Freight (PVT) Limited” (combinedfreight[.]com)


-----

Combined Freight (PVT) Limited is freight forwarding company which is into ocean & air freight business
headquartered in Karachi, Pakistan (as per their website). This company has 4 other offices in Pakistan (Lahore,
Islamabad, Sialkot, Faisalabad). Below is the screen shot taken from their website.


-----

Based on the information mentioned above, It looks like the spoofed email was sent by a user associated with a
Pakistan based company Combined Freight (PVT) Limited.

**Indicators Of Compromise**

In this case the cyber espionage group targeted _Mazagon Dock Shipbuilders Limited (MDL) but it is possible that_
other defense equipment manufacturers could also be targeted as part of this attack campaign. The indicators
associated with this attack are provided so that the organizations (Government, Public, Private organizations,
Defense and Defense equipment manufacturers) can use these indicators to detect, remediate and investigate this
attack campaign. Below are the indicators

**_Dropped Malware Sample:_**
_08f2fc9cb30b22c765a0ca9433b35a46_

**_Samples hosted on the compromised University site:_**
_6c94b4c7610d278bf8dfc3dbb5ece9ce_
_a81eaed8ae25f5fa5b107cbc6fe6e446_
_9a708879fd0a03d4089ee343c9254e5b_
_069629248742f9d762f66568ba7bcec8_
_6455a43366f4da09429738076e7f289c_
_34d5a3d6ae3c1836e0577b6f94ee0294_
_6eee8a69bc40b104931abdd68509df85_
_01c85dd7d8202765331a5cc818948213_
_42664aa65c473832a5c0df62c8b38d68_
_18e7480894149194f2cd17ee40d0ad7b_
_575b4b449a12f2bed583f2a59485f776_
_eae013aec7f45661223ea115ee38cc95_
_33b9c2c2cbecd4a4844057491b02379e_
_bf499821c935e67e0fb606915453a964_
_42e411bcb48240fb44c48327b81d8c57_
_efaa8d161bbe6342204ffa5b1b22ed0c_
_4623d0e188dc225de8dcd494c7802f7f_
_3cba51905a78bd221a2433ee180111c0_
_a6e6a131887c0cdbf67569e1320840d8_
_08f2fc9cb30b22c765a0ca9433b35a46_


-----

_5b5edc209737b6faa3a6d6711fba1648_
_bf5e7ea70c2dab12100b91d77ca76ff2_
_34c44c9138a2d4c31391c2cc0b044c02_

**_Network Indicators Associated with C2:_**
_tripleshop[.]id_
_103[.]229[.]74[.]32_

**_C2 Communication Patterns:_**
_hxxp://tripleshop[.]id/userfiles/media/pixum/okilo/post.php_
_hxxp://tripleshop[.]id/userfiles/media/pixum/agogo/post.php_
_hxxp://tripleshop[.]id/userfiles/media/pixum/alpha/post.php_
_hxxp://tripleshop[.]id/userfiles/media/pixum/ariri/post.php_
_hxxp://tripleshop[.]id/userfiles/media/pixum/bobby/post.php_
_hxxp://tripleshop[.]id/userfiles/media/pixum/chisom/post.php_
_hxxp://tripleshop[.]id/userfiles/media/pixum/crack/post.php_
_hxxp://tripleshop[.]id/userfiles/media/pixum/declan/post.php_
_hxxp://tripleshop[.]id/userfiles/media/pixum/elber/post.php_
_hxxp://tripleshop[.]id/userfiles/media/pixum/figure/post.php_
_hxxp://tripleshop[.]id/userfiles/media/pixum/henry/post.php_
_hxxp://tripleshop[.]id/userfiles/media/pixum/ike/post.php_
_hxxp://tripleshop[.]id/userfiles/media/pixum/jizzy/post.php_
_hxxp://tripleshop[.]id/userfiles/media/pixum/kcc/post.php_
_hxxp://tripleshop[.]id/userfiles/media/pixum/kc/post.php_
_hxxp://tripleshop[.]id/userfiles/media/pixum/matte/post.php_
_hxxp://tripleshop[.]id/userfiles/media/pixum/nels/post.php_
_hxxp://tripleshop[.]id/userfiles/media/pixum/notes/post.php_
_hxxp://tripleshop[.]id/userfiles/media/pixum/polish/post.php_
_hxxp://tripleshop[.]id/userfiles/media/pixum/turbo/post.php_
_hxxp://tripleshop[.]id/userfiles/media/pixum/whesilo/post.php_
_hxxp://tripleshop[.]id/userfiles/media/pixum/yboss/post.php_
_hxxp://tripleshop[.]id/userfiles/media/pixum/yg/post.php_

**Conclusion**

Attackers in this case made every attempt to launch a clever attack campaign by spoofing legitimate email ids and
using an email theme relevant to the targets. The following factors in this cyber attack suggests the possible
involvement of Pakistan state sponsored cyber espionage group to steal the intellectual property such as
design/blueprints and manufacturing data related to submarines and warships.

_Victims/targets chosen (Submarine & Warship manufacturer for Indian Navy)_

_Use of Email theme related to the targets_

_Timing of the spear phishing emails sent to the victims (The day before the Republic Day)_

_Email header information indicating the possible Pakistan connection_

_Use of malware that is capable of spying and uploading screen shots_

_Use of TTP’s (tactics, techniques & procedures) similar to the_ _[previous campaign](https://cysinfo.com/uri-terror-attack-spear-phishing-emails-targeting-indian-embassies-and-indian-mea/)_

The following factors reveal the attackers intention to remain stealthy and the attempt to evade sandbox analysis,


-----

_Use of junk code (to divert the manual analysis)_

_Use of compromised university site to host malicious code (to bypass security monitoring)_

Use of Silent UAC (user account control) bypass technique

_Use of Malware that sleeps for long time without generating any network activity (to evade sandbox analysis)_

_Use of hosting provider to host C2 infrastructure_

Cyber espionage groups will continue targeting defense sectors and defense equipment manufacturers for the
following reasons:

_To steal defense related information and proprietary product information that can provide their sponsoring_
_governments with military and economic advantages._

_To identify vulnerabilities in the defense technologies to gain advantage over adversary’s military capabilities_

_To reduce their research and development costs and produce and sell similar products at lower prices_

**References**

[http://researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/](http://researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/)

[http://www.brycampbell.co.uk/new-blog/2015/7/14/keybase-malware](http://www.brycampbell.co.uk/new-blog/2015/7/14/keybase-malware)

http://researchcenter.paloaltonetworks.com/2016/02/keybase-threat-grows-despite-public-takedown-a-picture-isworth-a-thousand-words/

[https://www.fireeye.com/current-threats/reports-by-industry/aerospace-threat-intelligence.html](https://www.fireeye.com/current-threats/reports-by-industry/aerospace-threat-intelligence.html)

[Follow us on Twitter: @monnappa22](https://twitter.com/monnappa22) [@cysinfo22](https://twitter.com/cysinfo22)


-----