# Watering hole” threat analysis in the government sector of Kazakhstan **tntsecure.kz/en/article_7.html** While studying the threat landscape of Kazakhstan as a part of the Threat Intelligence phase, T&T Security experts discovered the so-called Razy malware family. The investigated samples of the Razy family apparently were used to infect users in the form of a Trojan downloader masquerading as a regular office document (Word, Excel and Adobe PDF). Attackers usually spread Razy using a “Watering hole” attack. The “Watering hole” is an attack where attackers locate malware on a legitimate, possibly previously hacked, site visited by a potential victim. Thus the attacker achieves the trustworthiness effect since the link to the malicious file will likely be on a victim’s list of trusted sites. Two of the analysed cases caught our sharp attention, in which the attackers spread the malware using the watering hole attack on the e-government portal (egov.kz). Malicious links: hxxps://legalacts.egov.kz/application/downloadnpa?id=5322314 hxxps://budget.egov.kz/budgetfile/file?fileId=1520392 At the same time, the second malicious Razy sample (at budget.egov.kz) was still available for download on the site at the time of detection. The files are the same malicious Razy Trojan downloader. We assume that cybercriminals published the malicious software under the pretence of office documents by gaining access to uploading files to the legalacts.egov.kz and budget.egov.kz. The first document is a resolution of the district administration. The second, created in 2021, is a financial summary of the administration's budget. That implies the attacker posted the Razy malware in 2021, accordingly. We assume that these attacks targeted specific companies that may be using these documents. And most likely, the attackers did not aim for the mass attack on the citizens of Kazakhstan, and the public exposure of the samples themselves is most likely a side effect. The rest of the Razy samples are also documents of different kinds, e.g. the resolution of the district administration. That means cybercriminals look for the documents suitable for the victim and embed them into the final malicious file. One should note, by the time of publication, the malware control server (C&C server) has already been disabled, and that is currently, these samples cannot load any additional malicious functionality. ----- Together with the accountable employees of Zerde National Information & Communication Holding JSC, the T&T Security team worked to detect the Razy related incidents and block the caused spreading of malicious content. tLab successfully detects and blocks this threat, which can be seen in the video below. tLab works on the principle of zero trust based on deep behavioral analysis, and high throughput allows you to analyze tens of thousands of files per day without filters and whitelisting, then our solution effectively blocks such threats even using an attack at the watering hole. Since tLab is used as part of the Cyber Shield of the Republic of Kazakhstan, we can say that the state is ready to repel such threats. ## Samples technical analysis Razy, first spotted in 2015, has been used for attacks to these days. Below is a diagram of how Razy works. One can see that when a user launches a sample, a malicious payload gets activated, and an actual legitimate document embedded in malware pops up. T&T Security monitored the monthly amounts of Razy malware samples found on Virustotal and discovered a sharp increase in May 2021. Most of the detected malware samples to target Kazakhstan belong to the same period. That is, the embedded documents come from the Kazakh institutions. ----- Razy stats from alienvault.com (2015 - 2019) Razy stats from alienvault.com (2020) ----- Razy stats from alienvault.com (2021) We researched the following files. 2 6>10 @CA.exe SHA256: 20f7a8258f83862ae6638a6bd1ad0bc83d40928a89eb40c720934db9b65f4bec эльвира отчет.exe SHA256: b06e65a0009ae771566db075c0f5850799977b4a982d7d6a63565a184be60796 Отчёт по практике.exe SHA256: 219c44420a95370a22ef806244033c2a21e94b7500fc780fc8e4f25183f745bc 24160712_ExSteppeEagle_INTSUM_S2_160X_E_O.exe SHA256: 2F6C1C2C4043CA6D19ADDD60FA85A5AD6D347075E73AE1E1DCB76D5CC5224573 eastmere vil.exe SHA256: 7615E69D6FA11FC851C4CD10DDEE3820ACFC6170578C61AE74B6D4FD8EA71E10 OWNSITREP 241700AJUL16 G3.exe SHA256: 8FA473C03850B22C2C6AADCFE69268BE4E4C7A33881581FEA83789755AF8F22A ----- 61c98d12-06b1-4f5d-9c12-ace5630dcc07 SHA256: 3ED1B88C9AE34BA4FFBF8AED737F2DC9A0AEDEEDF8D2A4A69555518845E16264 The identical PDB file paths and the timestamps found in all six samples indicate they were all created by a single “MultiLauncher” tool. PE file characteristics: Most of the samples contain a document displayed to the user in resource number 200. ----- The samples contain icon sets for all types of documents. The final file uses one of the types. That leaves us with a conclusion the creators were using one tool and were choosing the required document type in the final build. There are Razy builds that do not contain malicious documents: 1f35ce5d620f4eddbfbff5fd1b6142b002bb6a537b864d7745d96ddfd8424bd6 3a050db9c571eafd5b1dccb412991434bd0a0fc52c4771274018420a08af4c00 That explains that the attacker always looks for the “right” documents before embedding them into the final file. The resource can be a PDF file also. ----- Usually, Razy is an EXE file with an office document icon. ----- The actual file extension Most of the time, the attackers set up an office document icon for an executable file to mislead the user. When the user launches a file, he sees an opened office document, and a malicious EXE file will perform other operations. SHA256:219c44420a95370a22ef806244033c2a21e94b7500fc780fc8e4f25183f745bc ----- SHA256:b06e65a0009ae771566db075c0f5850799977b4a982d7d6a63565a184be60796 SHA256:20f7a8258f83862ae6638a6bd1ad0bc83d40928a89eb40c720934db9b65f4bec ----- SHA256:2F6C1C2C4043CA6D19ADDD60FA85A5AD6D347075E73AE1E1DCB76D5CC5224573 ----- SHA256:8FA473C03850B22C2C6AADCFE69268BE4E4C7A33881581FEA83789755AF8F22A ----- SHA256:3ED1B88C9AE34BA4FFBF8AED737F2DC9A0AEDEEDF8D2A4A69555518845E16264 All objects have the same functionality but different office documents. Since all of the samples are just variants of the same family, consider one of them. 20f7a8258f83862ae6638a6bd1ad0bc83d40928a89eb40c720934db9b65f4bec This object is an EXE file with an icon of a Word document. At a closer look, one can conclude, it is a dropper for office documents. ----- Summary of the object in the tLab system: Launching the EXE file will result in a regular office document hiddenly located in the current folder. Created hidden office document The malicious file contains office document in its resources (DATA - 200): ----- The first bytes of the file in the resources determine the type of the embedded document. In this case, the “4B 03 04 14 00 06 00 08 00” signature corresponds with the Microsoft Office Open XML Format. When launched, the Razy malware detects the type of displayed document given the information from the resource number 300 (0x12C): ----- The resource containing real extension of the file Next, the reading of the original office document from the resource number 200 (0x0C8) begins, using the FindResource, LoadResource, LockResource, SizeOfResource functions: ----- Functions for working with resources ----- Code for working with resources under the DATA identifier In the tLab sandbox, when uploading a file, one can see a potential threat indicator: The result of static analysis on the tLab system A malicious file opens a created document in Word using the ShellExecuteW function: ----- The ShellExecute function opens the passed file in a program associated with specific extensions. For example, if the file has the DOCX extension, it will be opened by the program registered to open such files (in our case, Microsoft Word). The T&T Security sandbox also builds a graph of the dynamic behaviour of an object: A detailed report on the tLab system The Word document does not contain any macros and is not malicious, according to the initial analysis. Presumably, the purpose of opening an office document is to conceal malicious activity. At the same time, the malicious file creates a copy of itself in the APPDATA \ RAC folder under the name mls.exe: ----- Detection in tLab system One can also observe this activity through the system call logs Next, mls.exe sets itself to startup in the registry with the -s parameter: ----- Autoload indication on the tLab system The file is present in the AutoStartup section of the T&T Security forensics tool Malicious file at autorun in T&T Security forensics tool After rebooting, mls.exe will run with the -s option The condition for the file restart After starting with the -s parameter, it calls the addresses hxxp: //wxanalytics.ru/net.exe.config and hxxp: //wxanalytics.ru/net.exe ----- PCAP file content view on the tLab system The file can run with the -cs and -cc options. In this case, it takes the location path for the original malicious file. Handling the -cs parameter Handling the -cc parameter ----- File moving code By looking at the list of malicious files that have accessed the same addresses, we will see they have different names. List of malicious files accessing vwanalytics.ru Attackers often name malicious files based on the area of interest of potential victims. Several samples of malicious files on this list were uploaded documents to legalacts.egov.kz and budget.egov.kz. As previously noted, this type of attack is called a watering hole attack. Malicious links: ----- hxxps://budget.egov.kz/budgetfile/file?fileId=1520392 hxxps://legalacts.egov.kz/application/downloadnpa?id=532231 The files are the same old malicious Razy downloader Trojan. We assume that cybercriminals published malicious software under the guise of DOCX by gaining access to uploading files to the legalacts.egov.kz site. As of May 11, 2021, only a few well-known anti-viruses identified the object, while none of them could detect the link to the object itself as malicious. ## Conclusion These days even an ordinary user can unravel such techniques as hiding files and faking the icons. The malicious Trojan downloader itself is not packed in any way to stay undetected by the antivirus signature. The file creation date indicates the use of old-style malware. The hash sums of the studied samples (without resources) coincide with so many other files seen in similar attacks. All this suggests that the attackers, in this case, used quite an old malware, changing only the office document displayed to the user, which indicates the low qualifications of the attacker. Regardless, the Razy Trojan still poses a live threat and uses actual white papers. -----