# MALWARE ACTORS USING NIC CYBER SECURITY THEMED SPEAR PHISHING TO TARGET INDIAN GOVERNMENT ORGANIZATIONS

This blog post describes an attack campaign in which an NIC ([National Informatics Centre](http://www.nic.in/)) cyber security themed spear phishing email was used, most likely to target Indian government organizations. To infect the victims, the attackers distributed a spear phishing email purporting to have been sent from NIC's incident response team; they spoofed an email id associated with the Indian Ministry of Defence to send it out. The attackers also used the name of a top NIC official in the email signature, to make it look as if the email had been sent by a high ranking government official working at NIC (National Informatics Centre).

**Overview of the Malicious Email**

The attackers spoofed an email id associated with the Indian Ministry of Defence to send out emails to the victims. The email was made to look as if it had been sent from NIC's incident response team, instructing the recipients to read the attached documents and to implement the cyber security plan, and the signature of the email included -----

----- might have downloaded from [http://meity.gov.in/sites/upload_files/dit/files/Plan_Report_on_Cyber_Security.pdf](http://meity.gov.in/sites/upload_files/dit/files/Plan_Report_on_Cyber_Security.pdf). The word document attached to the email contained malicious macro code which, when enabled, drops a malware backdoor, executes it, sends the system information to the command and control server (C2 server) and also downloads additional components. From the email (and the attachments shown in the screenshot below) it looks like the goal of the attackers was to infect and take control of the systems of cyber security officers who are responsible for managing and implementing security controls on the government network.
The email header contained an ORCPT (Original-Recipient) header, which referred to what appears to be a -----

**Analysis of Word Document Containing Malicious Macro Code**

Once the victim opens the attached word document, it prompts the user to enable macros as shown below, and the document also contains instructions on how to enable the macros.

----- shows a decoy document containing instructions and guidelines related to cyber security. This is to make the user believe that it is indeed a document related to cyber security. Below are some screenshots showing the document that is displayed to the user once the macro is enabled.

----- obfuscated (it uses obscure variable/function names to make analysis harder), as shown below. The macro code first calls multiple functions to decode the executable content, then drops the malicious executable (WINWORD.exe) in the Startup directory and executes the dropped file, as shown in the screenshots below.

Once the dropped file is executed by the macro code, it connects to the command and control server (C2 server); to conceal the data sent by the malware, it communicates on port 443 (https) as shown below. The network traffic pattern is discussed in detail later.

**Analysis of the Dropped Executable (WINWORD.exe)**

This section contains the behavioral analysis of the dropped executable (WINWORD.exe). When executed, the malware creates additional files on the file system: it downloads these files by contacting the C2 server and saves them to disk. Since the malware was not allowed to contact the C2 server, the functionality of these files is not clear. The screenshots below show WINWORD.exe creating an executable, a VB script and VBE files. The malware uses WScript.exe to execute the VB scripts. As mentioned above, once executed the malware makes an https connection to the C2 server, as shown below.
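As an added triage example (not code from the original post), the script below checks a host for the artefacts this post describes (WINWORD.exe in the Startup directory, compared against the sample hash given in the post's indicators section, and the MS015-0012.* files staged under a WindowsUpdates folder in %Temp% or %LocalAppData%\Temp) and matches proxy-log destinations against the C2 domain and IP addresses the post lists. The proxy-log line format and the sample log lines are constructed assumptions.

```python
import hashlib
from pathlib import Path

# Indicators copied from the post's Indicators of Compromise section.
DROPPED_MD5 = "4dc28faeb77550174b936d9ba97d4679"  # md5 of the dropped WINWORD.exe
STAGE_DIR = "WindowsUpdates"                       # under %Temp% or %LocalAppData%\Temp
STAGE_PREFIX = "ms015-0012."                       # MS015-0012.exe / .vbs / .vbe ...
C2_INDICATORS = {"webmail.duia.in", "95.23.26.28", "185.100.86.174"}

# Constructed proxy-log sample in an assumed format: time client method host path
SAMPLE_LOG = [
    "10:01:02 10.0.0.21 GET www.nic.in /",
    "10:01:09 10.0.0.21 POST webmail.duia.in /webmail.php",
    "10:02:30 10.0.0.37 CONNECT 185.100.86.174 /",
]

def md5_of(path):
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def scan_host(startup_dir, temp_dirs):
    """Return (indicator, path) pairs for the host artefacts the post describes."""
    findings = []
    startup = Path(startup_dir)
    for p in (startup.iterdir() if startup.is_dir() else []):
        if p.is_file() and p.name.lower() == "winword.exe":
            # Word's real binary never lives in Startup; the hash confirms the known sample.
            tag = "known_sample" if md5_of(p) == DROPPED_MD5 else "winword_in_startup"
            findings.append((tag, str(p)))
    for t in temp_dirs:
        stage = Path(t) / STAGE_DIR
        if stage.is_dir():
            for p in stage.iterdir():
                if p.name.lower().startswith(STAGE_PREFIX):
                    findings.append(("staged_download", str(p)))
    return findings

def scan_proxy_log(lines):
    """Return (client, host+path) for lines whose destination matches a C2 indicator."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 5 and parts[3].lower() in C2_INDICATORS:
            hits.append((parts[1], parts[3] + parts[4]))
    return hits

if __name__ == "__main__":
    print(scan_proxy_log(SAMPLE_LOG))
```

On a live Windows host, pass the user's Startup folder and the %Temp% / %LocalAppData%\Temp paths to scan_host; any WINWORD.exe found there deserves attention even when its hash differs from the one sample analysed here.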
**C2 Communication Pattern**

----- connection was intercepted and the different network communications were determined. In the first communication the malware collects the system information of the infected system and sends it to the attacker in the user-agent field. The user-agent field contains the computer name, the username and whether or not antivirus software is installed. The malware also sends some information in the POST data; the POST data indicates the action the malware will perform. In the screenshot below, notice the system information sent in the user-agent field; from the POST data it can be deduced that the malware downloads an exe file.

The malware uses a similar network communication pattern to download additional files (vbs, vbe, cmd, sc, ext, a3x etc.). Once downloaded, these files are saved in either the "%LocalAppData%\Temp\WindowsUpdates" folder or the "%Temp%\WindowsUpdates" folder. During analysis it was determined that the malware used the filenames MS015-0012.exe, MS015-0012.vbs, MS015-0012.vbe etc. in these directories. The screenshots below show some of the network communication made by the malware to download files.

**C2 Domain Information**

This section contains details of the C2 domain (webmail[.]duia[.]in). The attackers used a dynamic DNS hostname (duia is a dynamic DNS provider) to host the C2 server; this allows the attacker to change the IP address quickly, in real time, if the C2 server infrastructure becomes unavailable. The C2 domain currently resolves to the IP address shown below, and the same domain was previously associated with another IP address. Both IP addresses belong to hosting providers, as shown in the screenshot below.

**Indicators Of Compromise**

----- Private organizations) to detect and investigate this attack campaign.
**_Dropped Malware Sample:_**

- 4dc28faeb77550174b936d9ba97d4679 (WINWORD.exe)

**_Network Indicators Associated with C2:_**

- webmail[.]duia[.]in
- hxxps://webmail[.]duia[.]in/webmail.php
- 95[.]23[.]26[.]28
- 185[.]100[.]86[.]174

**_Host Indicators:_**

- Filenames in the "%Temp%\WindowsUpdates" folder: MS015-0012.exe, MS015-0012.vbs, MS015-0012.vbe
- Filename WINWORD.exe in the Startup directory

**Conclusion**

The attackers in this case made every attempt to launch a clever attack campaign: they spoofed an email address of the Ministry of Defence and tried to make the users believe the email was sent from NIC's incident response team. To make the attack less suspicious they also attached a legitimate PDF document and used the name of a top NIC official in the email signature. The attackers also hosted the C2 server in a dynamic DNS provider's network. We believe that such attacker groups are likely working to gain long-term access into Indian Government networks. With India rapidly moving towards digitization and cashless transactions, we believe that -----

NIC's incident response team.

[Follow us on Twitter: @monnappa22](https://twitter.com/monnappa22) [@cysinfo22](https://twitter.com/cysinfo22)

#### MONNAPPA K A

#### 6 COMMENTS

**me** **November 30, 2016 at 6:29 pm**

Hi MONNAPPA, nice post. Need a clarification in this regard. duia.in [duia.CC code] is a DYNDNS facility. How is a sub domain attributed with the email id [liviu[ ]pislaru@gmail[ ]com] as the attacker?

-----

Excellent Research and Very Informative.
**Srini** **December 1, 2016 at 10:19 am**

Good one… Very neatly and nicely explained in this article. Kudos to you for your commendable malware analysis techniques and for publishing this article.

**divyanshu** **December 2, 2016 at 9:39 am**

Awesome research. It shows how vulnerable the machinery is and creates a demand for a very good cyber security awareness campaign!! regards, Divyanshu

**ateesh rajak** **December 3, 2016 at 1:48 pm**

nice writeup

**Ramit** **December 7, 2016 at 3:35 pm**

If the malware identifies AV running in the host machine, is there any change in its behaviour and communication to C&C? As most of the end points in any private or govt. organisation are likely to run AV (hopefully)!

**Copyright © 2016 Cysinfo.com. All Rights Reserved**