# MODIFIED ELEPHANT APT AND A DECADE OF FABRICATING EVIDENCE

Author: Tom Hegel, Juan Andres Guerrero-Saade
February 2022
SentinelLABS Research Team

## TABLE OF CONTENTS

- EXECUTIVE SUMMARY
- BACKGROUND
- TARGETS & OBJECTIVES
- INFECTION ATTEMPTS
- WEAPONS OF CHOICE
- RELATIONS TO OTHER THREAT CLUSTERS
- ATTRIBUTION
- CONCLUSION
- INDICATORS OF COMPROMISE
- TECHNICAL REFERENCES
- ABOUT SENTINELLABS

## EXECUTIVE SUMMARY

- Our research attributes a decade of activity to a threat actor we call ModifiedElephant.
- ModifiedElephant is responsible for targeted attacks on human rights activists, human rights defenders, academics, and lawyers across India with the objective of planting incriminating digital evidence.
- ModifiedElephant has been operating since at least 2012, and has repeatedly targeted specific individuals.
- ModifiedElephant operates through the use of commercially available remote access trojans (RATs) and has potential ties to the commercial surveillance industry.
- The threat actor uses spearphishing with malicious documents to deliver malware, such as NetWire, DarkComet, and simple keyloggers, with infrastructure overlaps that allow us to connect long periods of previously unattributed malicious activity.

### BACKGROUND

In September 2021, SentinelLabs published research into the operations of a Turkish-nexus threat [actor we called EGoManiac](https://www.sentinelone.com/labs/egomaniac-an-unscrupulous-turkish-nexus-threat-actor/), drawing attention to their practice of planting incriminating evidence on the systems of journalists to justify arrests by the Turkish National Police. A threat actor willing to frame and incarcerate vulnerable opponents is a critically underreported dimension of the cyber threat landscape that brings up uncomfortable questions about the integrity of devices introduced as evidence.
Emerging details in an [unrelated case](https://www.washingtonpost.com/world/asia_pacific/india-bhima-koregaon-activists-jailed/2021/02/10/8087f172-61e0-11eb-a177-7765f29a9524_story.html) caught our attention as a potentially similar scenario worthy of more scrutiny. Long-standing racial and political tensions in India were inflamed on January 1st, 2018 when critics of the government clashed with pro-government supporters near [Bhima Koregaon](https://www.theguardian.com/world/2021/aug/12/bhima-koregaon-case-india-conspiracy-modi). The event led to subsequent protests, resulting in more violence and at least one death. In the following months, Maharashtra police linked the cause of the violence to the banned Naxalite Maoist Communist party of India. On April 17th, 2018, police conducted raids and arrested a number of individuals on terrorism-related charges. The arresting agencies identified incriminating files on the computer systems of defendants, including plans for an alleged assassination attempt against Prime Minister Modi.

Thanks to the public release of digital forensic investigation results by Arsenal Consulting and those referenced below, we can glean rare insights into the integrity of the systems of some defendants and grasp the origin of the incriminating files. It turns out that a compromise of defendant systems led to the [planting of files that were later used as evidence of terrorism and justification for the defendants’ imprisonment](https://arsenalexperts.com/persistent/resources/pages/BK-Case-Rona-Wilson-Report-I.zip).

The intrusions in question were not isolated incidents. Our research into these intrusions revealed a decade of persistent malicious activity targeting specific groups and individuals that we now attribute to a previously unknown threat actor named ModifiedElephant.
This actor has operated for years, evading research attention and detection due to their limited scope of operations, the mundane nature of their tools, and their regionally specific targeting. ModifiedElephant is still active at the time of writing.

### TARGETS & OBJECTIVES

The objective of ModifiedElephant is long-term surveillance that at times concludes with the delivery of ‘evidence’ –files that incriminate the target in specific crimes– prior to conveniently coordinated arrests. After careful review of the attackers’ campaigns over the last decade, we have identified hundreds of groups and individuals targeted by ModifiedElephant phishing campaigns. Activists, human rights defenders, journalists, academics, and law professionals in India are those most highly targeted. Notable targets include individuals associated with the Bhima Koregaon case.

### INFECTION ATTEMPTS

Throughout the last decade, ModifiedElephant operators sought to infect their targets via spearphishing emails with malicious file attachments, with their techniques evolving over time. Their primary delivery mechanism is malicious Microsoft Office document files weaponized to deliver the malware of choice at the time. The specific payloads changed over the years and across different targets. However, some notable trends remain.

- In mid-2013, the actor used phishing emails containing executable file attachments with fake double extensions (filename.pdf.exe).
- After 2015, the actor moved on to less obvious files containing publicly available exploits, such as .doc, .pps, .docx, .rar, and password protected .rar files. These attempts involved legitimate lure documents in .pdf, .docx, and .mht formats to captivate the target’s attention while also executing malware.
- In 2019 phishing campaigns, ModifiedElephant operators also took the approach of providing links to files hosted externally for manual download and execution by the target.
- As first publicly noted by [Amnesty](https://www.amnesty.org/en/latest/research/2020/06/india-human-rights-defenders-targeted-by-a-coordinated-spyware-operation/) in reference to a subset of this activity, the attacker also made use of large .rar archives (up to 300MB), potentially in an attempt to bypass detection.

Observed lure documents repeatedly made use of [CVE-2012-0158](https://nvd.nist.gov/vuln/detail/cve-2012-0158), CVE-2014-1761, [CVE-2013-3906](https://msrc-blog.microsoft.com/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-through-word-documents/), and CVE-2015-1641 exploits to drop and execute their malware of choice. The spearphishing emails and lure attachments are titled and generally themed around topics relevant to the target, such as activism news and groups, global and local events on climate change, politics, and public service. A public deconstruction of two separate 2014 phishing emails [was shared by Arsenal Consulting in early 2021](https://web.archive.org/web/20210421135320/https://twitter.com/ArsenalArmed/status/1384867766675595264).

Fig 1: Spearphishing email containing malicious attachment attributed to ModifiedElephant

ModifiedElephant continually made use of free email service providers, like Gmail and Yahoo, to conduct their campaigns. The phishing emails take many approaches to gain the appearance of legitimacy. This includes fake body content with a forwarding history containing long lists of recipients, original email recipient lists with many seemingly fake accounts, or simply resending their malware multiple times using new emails or lure documents. Notably, in specific attacks, the actor would be particularly persistent and attempt to compromise the same individuals multiple times in a single day.

By reviewing a timeline of attacker activity, we can observe clear trends as the attacker(s) rotate infrastructure over the years.

Fig 2: Timeline sample of ModifiedElephant and SideWinder C2 Infrastructure.
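As an added example (not part of the SentinelLabs report or its tooling), the following Python sketch turns the Infection Attempts observations above into mail-gateway triage checks: fake double extensions such as filename.pdf.exe, oversized or password-protected .rar archives, free webmail senders, and repeat attempts against the same recipient within a single day. The message schema, size threshold and sample messages are constructed assumptions.

```python
"""Mail-gateway triage for the lure patterns in the Infection Attempts section.
Added example, not SentinelLabs tooling; thresholds and message schema are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

DOC_EXTS = {"pdf", "doc", "docx", "pps", "mht", "txt"}       # what a fake extension imitates
EXEC_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs"}  # what actually runs
ARCHIVE_EXTS = {"rar", "zip", "7z"}
OFFICE_EXTS = {"doc", "docx", "pps"}                  # formats the report saw carrying exploits
LARGE_ARCHIVE_BYTES = 100 * 1024 * 1024               # assumed; the report saw .rar lures up to 300 MB
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "yahoo.in"}

def triage_attachment(name, size_bytes, password_protected=False):
    """Return the lure heuristics one attachment matches (empty list = nothing notable)."""
    parts = name.lower().rsplit(".", 2)               # at most [stem, ext1, ext2]
    if len(parts) == 1:
        return []                                     # no extension at all
    reasons = []
    if len(parts) == 3 and parts[1] in DOC_EXTS and parts[2] in EXEC_EXTS:
        reasons.append("double extension hides executable")      # filename.pdf.exe
    ext = parts[-1]
    if ext in ARCHIVE_EXTS:
        if password_protected:
            reasons.append("password-protected archive")
        if size_bytes >= LARGE_ARCHIVE_BYTES:
            reasons.append("oversized archive")
    if ext in OFFICE_EXTS:
        reasons.append("office document (detonate before delivery)")
    return reasons

def triage_message(msg):
    """Findings for one message: sender and recipient-list checks plus per-attachment reasons."""
    findings = []
    if msg["sender"].rsplit("@", 1)[-1].lower() in FREE_MAIL_DOMAINS:
        findings.append("free webmail sender")
    if len(msg["recipients"]) >= 20:                  # padded recipient lists were a lure tactic
        findings.append("long recipient list")
    for att in msg["attachments"]:
        for reason in triage_attachment(att["name"], att["size"], att.get("password_protected", False)):
            findings.append(f"{att['name']}: {reason}")
    return findings

def repeated_targets(messages, window=timedelta(days=1)):
    """{recipient: count} for recipients hit by 2+ attachment-flagged messages inside one window.
    The report notes the actor sometimes retried the same individual several times in a day."""
    hits = defaultdict(list)
    for m in messages:
        if any(triage_attachment(a["name"], a["size"], a.get("password_protected", False))
               for a in m["attachments"]):
            for rcpt in m["recipients"]:
                hits[rcpt.lower()].append(m["ts"])
    out = {}
    for rcpt, ts in hits.items():
        ts.sort()
        if any(b - a <= window for a, b in zip(ts, ts[1:])):
            out[rcpt] = len(ts)
    return out

# Constructed sample messages (not real campaign data)
SAMPLE = [
    {"sender": "activist.news@gmail.com", "recipients": ["target@example.org"],
     "ts": datetime(2013, 6, 3, 9, 12), "attachments": [{"name": "Agenda.pdf.exe", "size": 412_000}]},
    {"sender": "activist.news@gmail.com", "recipients": ["target@example.org"],
     "ts": datetime(2013, 6, 3, 14, 40), "attachments": [{"name": "Agenda_v2.pdf.exe", "size": 415_000}]},
    {"sender": "climate.forum@yahoo.com", "recipients": ["other@example.org"],
     "ts": datetime(2019, 2, 11, 8, 5),
     "attachments": [{"name": "Report.rar", "size": 300 * 1024 * 1024, "password_protected": True}]},
    {"sender": "colleague@example.org", "recipients": ["target@example.org"],
     "ts": datetime(2019, 2, 12, 10, 0), "attachments": [{"name": "minutes.txt", "size": 2_000}]},
]
```

Running `repeated_targets(SAMPLE)` flags target@example.org, who received two double-extension lures about five hours apart, while the single oversized archive to other@example.org is reported per message but not as a repeat.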
For example, from early-2013 to mid-2016, a reasonably clear timeline can be built with little overlap, indicating a potential evolution or expansion of activities. Dates are based on the first and last spearphishing emails observed delivering samples that communicate with a given domain. Notably, a separate Indian-nexus threat actor, SideWinder, is placed alongside ModifiedElephant in this graph as they were observed targeting the same individuals.

### WEAPONS OF CHOICE

The malware most used by ModifiedElephant is unsophisticated and downright mundane, and yet it has proven sufficient for their objectives: obtaining remote access and unrestricted control of victim machines. The primary malware families deployed were NetWire and DarkComet remote access trojans (RATs). Both of these RATs are publicly available and have a long history of abuse by threat actors across the spectrum of skill and capability.

One particular activity revolves around the file *Ltr_1804_to_cc.pdf*, which contains details of an assassination plot against Prime Minister Modi. A [forensic report by Arsenal Consulting](https://web.archive.org/web/20210917152050/https://scroll.in/article/991095/why-isnt-the-government-looking-for-the-source-of-modi-assassination-malware-on-rona-wilsons-pc) showed that this file, one of the more incriminating pieces of evidence obtained by the police, was one of many files [delivered via a NetWire RAT remote session](https://arsenalexperts.com/persistent/resources/pages/BK-Case-Rona-Wilson-Report-I.zip) that we associate with ModifiedElephant.
[Further analysis](https://arsenalexperts.com/persistent/resources/pages/BK-Case-Surendra-Gadling-Report-III.zip) showed how ModifiedElephant was performing nearly identical evidence creation and organization across multiple unrelated victim systems within roughly fifteen minutes of each other.

### INCUBATOR KEYLOGGER

Known victims have also been targeted with keylogger payloads stretching as far back as [2012 (0a3d635eb11e78e6397a32c99dc0fd5a)](https://www.virustotal.com/gui/file/d780446e89cb71d5346ac7a389266c15b0c0d5c42e46c7a88003f93aab2ba8b5). These keyloggers, packed at delivery, are written in Visual Basic and are not the least bit technically impressive. Moreover, they’re built in such a brittle fashion that they no longer function.

The overall structure of the keylogger is fairly similar to code openly shared on [Italian hacking forums in 2012](https://italianhack.forumfree.it/?t=63131534). The ModifiedElephant variant creates a hidden window titled ‘cssrs incubator’ and uses SetWindowsHookEx to monitor for keystrokes. It registers the mutex “4oR_$$$tonelsu-mviiLempel-Ziv” and uses the [VBScript to WMI connector](https://docs.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-with-vbscript) to query for the victim system’s MAC address and operating system. The malware eventually exfiltrates the logs under the header “Logs from ” via email.

Fig 3: Log upload format string

In some ways, the Incubator keylogger is far more brittle than the forum code referenced above, as it relies on specific web content to function (content that is no longer available on the internet at the time of writing). For example, the keylogger will use a GET request to an outdated ‘whatismyip.com’ endpoint in order to get the victim system’s IP.
Fig 4: Outdated WhatIsMyIp endpoint used to check the victim’s IP

Similarly, in order to exfiltrate the logs, the keylogger pulls Microsoft schema templates to set up an SMTP server and push out the content using a hardcoded (but obfuscated) email address. None of the schema sites requested by the keylogger are available at the time of writing, rendering the keylogger (in its 2012 form) unable to function.

Fig 5: Incubator keylogger using Microsoft schema templates to create an SMTP server

The keylogger makes use of hardcoded SMTP credentials and email addresses to deliver the logged keystrokes to attacker controlled accounts, including:

| Email | Associated Sample |
| --- | --- |
| chiragdin3@gmail.com | 0a3d635eb11e78e6397a32c99dc0fd5a |
| loggerdata123@gmail.com | c095d257983acca64eb52979cfc847ef, 0a3d635eb11e78e6397a32c99dc0fd5a, 56d573d4c811e69a992ab3088e44c268 |
| maalhamara@gmail.com | 1396f720bc7615385bc5df49bbd50d29, d883399966cb29c7c6c358b7c9fdb951, eff9b8e1ee17cd00702279db5de39a3c, 0db49f572bb1634a4217b5215b1c2c6f |
| maalhamara2@gmail.com | ea324dd1dbc79fad591ca46ead4676a1, fd4902b8a4a4718f5219b301475e81aa |
| nayaamaal1@yahoo.com | 0db49f572bb1634a4217b5215b1c2c6f |
| nayaamaal122@yahoo.com | d883399966cb29c7c6c358b7c9fdb951 |
| nayaamaal2@yahoo.in | ea324dd1dbc79fad591ca46ead4676a1 |
| nayaamaal4@yahoo.com | 1396f720bc7615385bc5df49bbd50d29 |
| newmaal@yahoo.com | fd4902b8a4a4718f5219b301475e81aa |
| shab03@indiatimes.com | c095d257983acca64eb52979cfc847ef |
| tamizhviduthalai@gmail.com | 1720ae54d8ca630b914f622dcf0c1878 |
| tryluck222@gmail.com | 56d573d4c811e69a992ab3088e44c268 |
| volvoxyz123@gmail.com | ef42dc2b27db73131e1c01ca9c9c41b6 |

The keylogger samples also contain VBP and PDB paths, providing some potential context to their originating development environments. In some cases, the attacker conducted multiple unique phishing attempts with the same payloads across one or more targets. However, ModifiedElephant generally conducts each infection attempt with new malware samples.
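As an added example (not SentinelLabs or Arsenal code), this Python snippet scores a constructed EDR-style event stream against the Incubator keylogger traits described in this section: the mutex and hidden window title, the SetWindowsHookEx call, the whatismyip.com GET, and SMTP delivery to the hardcoded accounts with a “Logs from ” subject. The event schema, rule weights and alert threshold are assumptions; the weak indicators (IP lookup, keyboard hook) only contribute alongside the hard ones.

```python
"""Host-side scoring for the Incubator keylogger traits described above.
Added example, not SentinelLabs or Arsenal code; the EDR-style event schema,
rule weights and alert threshold are assumptions."""
import re

# Indicators quoted from the report text
INCUBATOR_MUTEX = "4oR_$$$tonelsu-mviiLempel-Ziv"
INCUBATOR_WINDOW = "cssrs incubator"
IP_CHECK_HOST = "whatismyip.com"
EXFIL_ACCOUNTS = {"chiragdin3@gmail.com", "loggerdata123@gmail.com", "maalhamara@gmail.com"}
LOG_SUBJECT = re.compile(r"^Logs from ")

# Weight per rule (assumed): hard indicators high, generic behaviour low
WEIGHTS = {"mutex": 5, "window": 4, "hook": 2, "ipcheck": 1, "smtp_account": 5, "log_header": 3}

def match_event(ev):
    """Return the rule names one telemetry event triggers (an SMTP event may trigger two)."""
    kind, hits = ev["event"], []
    if kind == "mutex_create" and ev.get("name") == INCUBATOR_MUTEX:
        hits.append("mutex")
    elif kind == "window_create" and ev.get("title", "").strip().lower() == INCUBATOR_WINDOW:
        hits.append("window")                         # hidden window the keylogger creates
    elif (kind == "api_call" and ev.get("api") == "SetWindowsHookEx"
          and str(ev.get("hook", "")).startswith("WH_KEYBOARD")):
        hits.append("hook")                           # keystroke hook; common to many loggers
    elif (kind == "http_request" and ev.get("method") == "GET"
          and ev.get("host", "").lower().endswith(IP_CHECK_HOST)):
        hits.append("ipcheck")                        # legacy IP lookup; weak on its own
    elif kind == "smtp_send":
        if ev.get("to", "").lower() in EXFIL_ACCOUNTS:
            hits.append("smtp_account")               # hardcoded collection mailbox
        if LOG_SUBJECT.match(ev.get("subject", "")):
            hits.append("log_header")                 # "Logs from <host>" upload format
    return hits

def score_processes(events):
    """Aggregate hits per pid -> {pid: (score, sorted rule names)}."""
    acc = {}
    for ev in events:
        hits = match_event(ev)
        if hits:
            score, names = acc.get(ev["pid"], (0, set()))
            acc[ev["pid"]] = (score + sum(WEIGHTS[h] for h in hits), names | set(hits))
    return {pid: (score, sorted(names)) for pid, (score, names) in acc.items()}

def alerts(events, threshold=8):
    """Pids whose combined score reaches the (assumed) alert threshold."""
    return sorted(pid for pid, (score, _) in score_processes(events).items() if score >= threshold)

# Constructed telemetry: pid 4120 behaves like Incubator, pid 988 is a user checking their IP
SAMPLE_EVENTS = [
    {"event": "mutex_create", "pid": 4120, "name": INCUBATOR_MUTEX},
    {"event": "window_create", "pid": 4120, "title": "cssrs incubator"},
    {"event": "api_call", "pid": 4120, "api": "SetWindowsHookEx", "hook": "WH_KEYBOARD_LL"},
    {"event": "http_request", "pid": 4120, "method": "GET", "host": "www.whatismyip.com"},
    {"event": "smtp_send", "pid": 4120, "to": "loggerdata123@gmail.com", "subject": "Logs from DESKTOP-01"},
    {"event": "http_request", "pid": 988, "method": "GET", "host": "www.whatismyip.com"},
    {"event": "smtp_send", "pid": 988, "to": "colleague@example.org", "subject": "Meeting notes"},
]
```

With the sample stream, pid 4120 scores 20 across all six rules and is alerted, while pid 988 scores only 1 for the IP lookup and stays below the threshold.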
### ANDROID TROJAN

ModifiedElephant also sent multiple phishing emails containing both NetWire and Android malware payloads at the same time. The Android malware is an unidentified commodity trojan delivered as an [APK file (0330921c85d582deb2b77a4dc53c78b3)](https://www.virustotal.com/gui/file/4dbb14ff2836733b34594956c4234d2a54c04257710dd31a0884b1926d35d7bc). While the Android trojan bears marks of being designed for broader cybercrime, its delivery at the same time as ModifiedElephant NetWire samples indicates that the same attacker was attempting to get full coverage of the target on both endpoint and mobile.

Fig 6: ModifiedElephant phishing email with malicious attachments for NetWire and Android GM Bot variants.

Fig 7: ModifiedElephant phishing email with malicious attachments for NetWire and Android GM Bot variants.

The trojan enables the attackers to intercept and manage SMS and call data, wipe or unlock the device, perform network requests, and carry out remote administration. In a very basic form, the trojan provides the attackers with an ideal low-cost mobile surveillance toolkit.

### RELATIONS TO OTHER THREAT CLUSTERS

Our research into this threat actor reveals multiple interesting threads that highlight the complex nature of targeted surveillance and tasking, where multiple actors swoop in with diverse mechanisms to track the same group of individuals. These include private sector offensive actors (PSOAs) and groups with possible commercial facades to coordinate their illicit activities. Based on our analysis of ModifiedElephant, the group operates in an overcrowded target space and may have relations with other regional threat actors. From our visibility, we can’t further disambiguate the shape of that relationship: whether as part of an active umbrella organization, cooperation and sharing of technical resources and targets across threat groups, or simply coincidental overlaps. Some interesting overlaps are detailed below.
- Multiple individuals targeted by ModifiedElephant over the years have also been either targeted or confirmed infected with mobile surveillance spyware. [Amnesty International identified NSO Group’s Pegasus](https://www.amnesty.org/en/latest/research/2020/06/india-human-rights-defenders-targeted-by-a-coordinated-spyware-operation/) being used in targeted attacks in 2019 against human rights defenders related to the Bhima Koregaon case. Additionally, the Bhima Koregaon case defendant Rona Wilson’s iPhone was targeted with Pegasus since 2017, based on a [digital forensics analysis of an iTunes backup](https://arsenalexperts.com/persistent/resources/pages/BK-Case-Rona-Wilson-Report-IV.zip) found in the forensic disk images analyzed by Arsenal Consulting.
- Between February 2013 and January 2014 one target, Rona Wilson, received phishing emails that can be attributed to the SideWinder threat actor. The relationship between ModifiedElephant and SideWinder is unclear as only the timing and targets of their phishing emails overlap within our dataset. This could suggest that the attackers are being provided with similar tasking by a controlling entity, or that they work in concert somehow. [SideWinder is a threat actor targeting government, military, and business entities primarily throughout Asia.](https://github.com/malwarekiwi/Public-Content/raw/master/Global%20Perspective%20of%20the%20SideWinder%20APT.pdf)
- ModifiedElephant phishing email payloads ([b822d8162dd540f29c0d8af28847246e](https://www.virustotal.com/gui/file/828de55ffbfb1c1b6ffcbb56b838486dbaecc9b41a0d111fcca290978ed05e95)) share infrastructure overlaps (new-agency[.]us) with Operation Hangover. [Operation Hangover](https://web.archive.org/web/20210226131047/https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/NS-Unveiling-an-Indian-Cyberattack-Infrastructure_FINAL_Web.pdf) includes surveillance efforts against targets of interest to Indian national security, both foreign and domestic, in addition to industrial espionage efforts against organizations around the world.
- Another curious finding is the inclusion of the string “Logs from Moosa’s” found in a keylogger sample closely associated with ModifiedElephant activity in 2012 ([c14e101c055c9cb549c75e90d0a99c0a](https://www.virustotal.com/gui/file/b665efe9b3dd575e17631146706d6a950d642aa7b7401ac794480c2bb557594c)). The string could be a reference to [Moosa Abd-Ali Ali, the Bahrain activist targeted around the same time with FinFisher spyware](https://www.theverge.com/2015/1/21/7861645/finfisher-spyware-let-bahrain-government-hack-political-activist). Without greater information, we treat this as a low confidence conjecture in need of greater research.

### ATTRIBUTION

Attributing an attacker like ModifiedElephant is an interesting challenge. At this time, we possess significant evidence of what the attacker has done over the past decade, a unique look into who they’ve targeted, and a strong understanding of their technical objectives. We observe that ModifiedElephant activity aligns sharply with Indian state interests and that there is an observable correlation between ModifiedElephant attacks and the arrests of individuals in controversial, politically-charged cases.

### CONCLUSION

The Bhima Koregaon case has offered a revealing perspective into the world of a threat actor willing to place significant time and resources into seeking the disruption of those with opposing views.
Our profile of ModifiedElephant has taken a look at a small subset of the total list of potential targets, the attackers’ techniques, and a rare glimpse into their objectives. Many questions about this threat actor and their operations remain; however, one thing is clear: critics of authoritarian governments around the world must carefully understand the technical capabilities of those who would seek to silence them.

### INDICATORS OF COMPROMISE

### TECHNICAL REFERENCES

1. https://www.amnesty.org/en/latest/research/2020/06/india-human-rights-defenders-targeted-by-a-coordinated-spyware-operation/ [Archived]
2. https://arsenalexperts.com/persistent/resources/pages/BK-Case-Rona-Wilson-Report-I.zip [Archived]
3. https://arsenalexperts.com/persistent/resources/pages/BK-Case-Rona-Wilson-Report-II.zip [Archived]
4. https://arsenalexperts.com/persistent/resources/pages/BK-Case-Surendra-Gadling-Report-III.zip [Archived]
5. https://arsenalexperts.com/persistent/resources/pages/BK-Case-Rona-Wilson-Report-IV.zip [Archived]
6. https://web.archive.org/web/20210226131047/https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/NS-Unveiling-an-Indian-Cyberattack-Infrastructure_FINAL_Web.pdf
7. https://archive.org/download/unveiling-an-indian-cyberattack-infrastructure-appendixes/Unveiling%20an%20Indian%20Cyberattack%20Infrastructure%20-%20appendixes.pdf
8. https://github.com/malwarekiwi/Public-Content/raw/master/Global%20Perspective%20of%20the%20SideWinder%20APT.pdf

## ABOUT SENTINELLABS

InfoSec works on a rapid iterative cycle where new discoveries occur daily and authoritative sources are easily drowned in the noise of partial information. SentinelLabs is an open venue for our threat researchers and vetted contributors to reliably share their latest findings with a wider community of defenders. No sales pitches, no nonsense. We are hunters, reversers, exploit developers, and tinkerers shedding light on the world of malware, exploits, APTs, and cybercrime across all platforms. SentinelLabs embodies our commitment to sharing openly, providing tools, context, and insights to strengthen our collective mission of a safer digital life for all.