## Targeted Attack on Government Agencies

**[trellix.com/en-us/about/newsroom/stories/threat-labs/targeted-attack-on-government-agencies.html](https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/targeted-attack-on-government-agencies.html)**

### Stories

The latest cybersecurity trends, best practices,

security vulnerabilities, and more

By **[Sushant Kumar Arya,](https://www.trellix.com/en-us/about/newsroom/stories/contributors/sushant-kumar-arya.html)** **[Mohsin Dalla · July 13, 2022](https://www.trellix.com/en-us/about/newsroom/stories/contributors/mohsin-dalla.html)**

### Executive summary

The Trellix Email Security Research Team has discovered a malicious campaign targeting
government agencies of Afghanistan, India, Italy, Poland, and the United States since 2021.
The attack starts with a spear phishing email with a geo-political theme. The spear phishing
emails were themed around India Afghanistan relationship. Attacker used politics as a lure to
trick users into clicking on a malicious link. The email used for this phishing attack contains an
attachment or a weaponized URL that delivers an Excel sheet. Upon opening the Excel sheet,
Excel executes an embedded malicious macro which then decrypts and installs a Remote
Access Trojan (AysncRAT & LimeRAT) and maintains persistence. Once the Remote Access
Trojan is installed on the victim machine, it establishes communication with a Command-andControl server used to exfiltrate victim data. The Remote Access Trojan is capable of taking
screenshots, capturing keystrokes, recording credentials/confidential information, and adding
infected systems to botnets. It can also perform network discovery and move laterally to other
systems in the affected organization. The email used in this attack originated from the South
Asia region which suggests the involvement of a South Asian threat actor. Trellix Email
Security has detection coverage for this malicious campaign.


-----

**Figure 1. Target countries**

### Threat landscape

The Trellix Email Security product can follow the entire attack chain and analyze the final
payload. In this scenario, it followed the chain: EMAIL -> URL -> ZIP -> XLS -> Macro. Finally,
our threat database was able to detect the malicious macro performing decryption, creating an
executable object, performing process injection, and utilizing other malicious techniques. Trellix
Email Security has detection for the malicious Excel sheet with name **FE_APT_Dropper_Macro_DoubleHide_1.**

**Figure 2. Attack timeline**

### Attack timeline

As seen in Figure 2, the attack was active for over a year. The attacker sent emails for a short
interval and then went back into hiding. This was followed by subsequent similar waves. The
first wave of attack was noticed during March-April 2021, followed by another in July 2021,


-----

then again in December 2021, and most recently during end of March 2022.

### Email details

The attackers used the free mail service Gmail to send the spear phishing emails. Based on
email header analysis, it was evident that the emails originated from Google servers and were
sent from the South Asia region. The time zone of the email sender (+0500 UTC) further
suggests the involvement of South Asian threat actors.

**Figure 3. Email headers**

The spear phishing email was themed around geopolitical news related to India like "Indian
**Nationals ( who were hidden in Kabul ) Killing in Kabul Tonight" and “Indian workers**
**missing from the dam project.” More recently, the email used a COVID theme with the**
subject - "31 Covid Deaths In 24 Hours: Information campaign by NDTV". The email had a
Google drive link serving a malicious ZIP file. In some cases, the malicious ZIP was sent as an
email attachment. The ZIP contains an Office document which is used to drop a RAT (Remote
Access Trojan).


-----

**Figure 4. Email sample**

**Figure 5. Attack chain**

### Technical details

The document file (DOC/XLS) acts as a dropper, which drops and executes a file named
"msword.exe". The Excel sheet contains a VBA macro which is enabled when the document
file is opened. The malicious executable code is stored in the document file itself (within a form
text field) in the base64 encoded format. The VBA macro reads the base64 content, decodes
it, and then decrypts the decoded content with a hardcoded XOR key. Multiple levels of base64
decoding and XOR decryption are used to obfuscate the malicious executable file.


-----

**Figure 6. XLS with macro**

**Figure 7. Macro code: Workbook Open**

**Figure 8. Macro code: Main function which is called inside Workbook Open event**


-----

XOR Key :
"MxjnbvbX%$#@c%%!@#$C%^&*
(K(*&K0^%$W$@!&@#$C%EGGGxcel^MicrosoLKHGFD^%$W@2017!&^%$#lx^&%$0"

**Figure 9. Macro code: XOR function**
“msword.exe” is an SFX archive executable, which contains multiple malicious executable files
as shown in Figure 10.

**Figure 10. msword.exe contents**

**File name** **File info**

3_5 LimeRAT [Runtime: .Net Framework 2.0]

4 AsyncRAT [Runtime: .Net Framework 4]

4_5 AsyncRAT [Runtime: .Net Framework 4.5]

4_5_1 AsyncRAT [Runtime: .Net Framework 4.5.1]


-----

4_5_2 AsyncRAT [Runtime: .Net Framework 4.5.2]

4_6 AsyncRAT [Runtime: .Net Framework 4.6]

4_6_1 AsyncRAT [Runtime: .Net Framework 4.6.1]

4_7 AsyncRAT [Runtime: .Net Framework 4.7

4_7_2 AsyncRAT [Runtime: .Net Framework 4.7.2]

igfx.exe Delphi compiled file installs RAT file according to available .Net version

Upon execution, "msword.exe" drops the RAT files shown in the table above. These RAT
executables are obfuscated using “Crypto Obfuscator For .Net”. “msword.exe” then starts the
process “igfx.exe” which performs the following actions:

Checks the .NET version in the registry; based on the installed version, renames the
compatible RAT file to “excel.exe”
Checks the registry keys to determine the .NET version in the order listed below. If found,
a version of the runtime file (AsyncRAT) is picked corresponding to the .NET version. If
none of the registry keys are found, the file “3_5” (LimeRAT) is used.

HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4
HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.5
HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.5.1
HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.5.2
HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.6
HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.6.1
HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.7
HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.7.2
Sets the file attributes of “excel.exe” to hidden and read-only.
Adds a “Run” registry entry for persistence.
Deletes the unused RAT executable files.
Starts the “excel.exe” process.

**Figure 11. Process chain**

**Figure 12. Run registry entries**

Both [AsyncRAT and](https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp) [LimeRAT source code are publicly available.](https://github.com/NYAN-x-CAT/Lime-RAT)


-----

### Async rat settings configuration

Ports = "6606”
Hosts = "107.173.143.111"
Version = "2.5.7b"
Install = "false"
InstallFolder = "AppData"
InstallFile = "msexcl.exe"
Key = "MZ-RX
MTX = "%MTX%";
Certificate = "%Certificate%"
Serversignature = "%Serversignature%"
X509Certificate2 ServerCertificate;
Anti = "false";
Aes256 aes256 = new Aes256(Key);
Pastebin = "null";
BDOS = "false";
Delay = "24";
Group = "Debug";

### Async rat commands

**Server Commands**

pong Get interval from client

plugin Run/Load plugin file

saveplugin Save and Run plugin file

**Client Commands:**

clientinfo Send system info to server

ping Ping server

sendplugin Get plugin from server

### Lime rat settings configuration

_Pastebin = "https://pastebin.com/raw/DDTVwwbu"_
_HOST = "107.173.143.111"_
_PORT = "8989"_


-----

_EncryptionKey = MZRX_
_ENDOF = "|'N'|"_
_SPL = "|'L'|"_
_EXE = "CLIENT.exe"_
_USB = "false"_
_PIN = "false"_
_ANTI = "false"_
_DROP = "false"_
_PATH1 = "Temp"_
_PATH2 = "\Lime\"_
_fullpath = Environ(PATH1) & PATH2 & EXE_
_BTC_ADDR = "THIS IS YOUR BTC 1234567890" 'Bitcoin address_
_DWN_CHK = "true"_
_DWN_LINK = ""_
_Delay = "3"_

### Lime rat commands

**Server Commands**

IPSend Run timer

IP Stop timer

ICAP Capture screen Thumbnail

CPL Check if plugin is installed

IPL Save plugin and then load it (server send plugin)

IPLM Load plugin without saving it (server send plugin)

**Client Commands**

INFO Sends system info

IP Ping to server

IPStart Timer started

#CAP Sending Thumbnail

GPL Get plugin from server

MSG Send Message


-----

These RATs can extend their capabilities using existing or user-defined plugins. At the time of
analysis both AsyncRAT and LimeRAT were not getting responses from the C2 server
“107.173.143.111”

**Detections and Indicators**

FE_APT_Dropper_Macro_DoubleHide_1

**MITRE ATT&CK Techniques**


T1071 Application Layer
Protocol


HTTP/DNS requests are used in the C&C traffic


T1036 Masquerading The registered task/service pretends to be benign by
name

T1056 Input Capture Keylogging capabilities

T1113 Screen Capture Can capture the screen of the victim

T1115 Clipboard Data Collect data stored in the clipboard from users copying
information within or between applications.


T1049 System Network
Connections Discovery

T1547 Boot or Logon
Autostart Execution


Performs network discover for lateral movement into
network

Run entry is made when persisting via the registry


T1204 User Execution Opening malicious xls to execute macro


T1041 Exfiltration Over C2
Channel

T1137 Office Template
Macros

**IOCs:**

**File Name** **SHA256**


Send stolen data using CNC channel

Execute malicious code upon macro execution


3_5 7a6b87a7ba79160232579157b8ebcaea7660392d98cb6b8b3d562a383a0894bc

4 5e44f769aa9a745ade82589bbbd17c3687f2fb7c08b1043d8c5c44d28eaa20a9

4_5 fe1c8b01f5abc62551b0a3f59fe1675c66dd506d158f5de495a5d22d7445e6e9

4_5_1 fa9cb5608841f023052379818a9186496526039bc47cac05a6866f5fb0e70fc5

4_5_2 080fcc70c11248eaf34bd30c0dc9800b0b1742fe92c96c9995a1c73c0adf2336


-----

4_6 465a59b7a97364bc933703a8fda715090c6a927f814bc22a0057e6a7134cb69f

4_6_1 5e082d1c85e591aebb380d7d7af56000ac0ef5fc32e216cb5fe7027bb9861743

4_7 f59dc209ee236e5ed78f83117865164e57a223f742c75f57c20d3da4cbe179e0

4_7_2 f32b0d71274ea93f27527079371e5e926e8d6a6f29d84ac602e48da0332c9f4c

igfx.exe 8248432bcba6e8bb8731c0b8f2fbe4aae2e2d0fee2157477c83343743c39c1a8

msword.exe 06064b3b0158efbfa9d849c853a9783c7e9d07c5924275d0d33c6ac74c78eec7

Unknown.xls 886c5883113d279d97caaca2714860dfceb421c7297dbb3ee04a00b7d50b821b

Unknown.ZIP b9584cf67e73a759d6c412962d4a9d7471c703f72e056cd24742a4b78c68ff2d

**URL:hxxps://drive.Google.com/u/0/uc?id=1nU6-**
jGVnOKeZofflu8hfx2t83lAB9TPI&export=download

**CnC:107.173.143.111**

**Email Subjects:**

9th Herat Security Dialogue (HSD- IX) & Chabahar port Update

feb212021_kabul.contact@gmail.com

Information & Guidance

Fwd: Combined MoFA Recruitment Approval

Guests List - Media Release (Personal & Confidential)

Indian workers missing from the dam project

Indian Nationals ( who were hidden in Kabul ) Killing in Kabul Tonight

11 Indian Nationals found dead in Kabul

Circular

Indian Nationals Killing in Kabul

31 Covid Deaths In 24 Hours: Information campaign by NDTV

**Email Senders:**

kabul.contact@gmail.com

mashrefhaideri@gmail.com


-----

latifmahmood66666@gmail.com

fscon.kab@gmail.com

admn.kabul@gmail.com

ravish49.ndtv@gmail.com

PERSPECTIVES

#### Our CEO On Living Security


### Featured Content


By [Bryan Palma · January 19, 2022](https://www.trellix.com/en-us/about/newsroom/stories/contributors/bryan-palma.html)

Trellix CEO, Bryan Palma, explains the critical need for security that’s always learning.

[Read More](https://www.trellix.com/en-us/about/newsroom/stories/perspectives/our-ceo-on-living-security.html)

XDR

#### Time to Drive Change by Challenging the Challengers

By [Trellix · January 19, 2022](https://www.trellix.com/en-us/about/newsroom/stories/contributors/about-trellix.html)

Dynamic threats call for dynamic security – the path to resiliency lies in XDR.

[Read More](https://www.trellix.com/en-us/about/newsroom/stories/xdr/time-to-drive-change-by-challenging-the-challengers.html)

THREAT LABS

#### 2022 Threat Predictions

By [Trellix · January 19, 2022](https://www.trellix.com/en-us/about/newsroom/stories/contributors/about-trellix.html)

What cyber security threats should enterprises look out for in 2022?

[Read More](https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/2022-threat-predictions.html)

# Get the latest


-----

We’re no strangers to cybersecurity. But we are a new company.

Stay up to date as we evolve.

Please enter a valid email address.

Zero spam. Unsubscribe at any time.


-----