 [(/connect/)](http://www.symantec.com/connect/)  [Blogs (/connect/blogs)](http://www.symantec.com/connect/blogs)  [Security Response (/connect/symantec-blogs/symantec-security-response)](http://www.symantec.com/connect/symantec-blogs/symantec-security-response) #  Security Response  (https://twitter.com/threatintel)  (http://www.symantec.com/connect/item-feeds/blog/2261/feed/all/en/all) ### +2 2 Votes ##### Symantec O�cial Blog ## Indian organizations targeted in Suck�y attacks #### Suck�y conducted long-term espionage campaigns against government and commercial organizations in India. By: **[Jon_DiMaggio (/connect/user/jondimaggio)](http://www.symantec.com/connect/user/jondimaggio)** Created 17 May 2016 [] [0 Comments]  2  33  **SYMANTEC EMPLOYEE** [ (http://en-us.reddit.com/submit?url=http://www.symantec.com/connect/blogs/indian-](http://en-us.reddit.com/submit?url=http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks) organizations-targeted-suck�y-attacks) [ (/connect/forward?path=node/unde�ned)](http://www.symantec.com/connect/forward?path=node/undefined) **Like** 0 ----- that conducted attacks against a number of South Korean organizations to steal digital certi�cates. Since then we have identi�ed a number of attacks over a two-year period, beginning in April 2014, which we attribute to Suck�y. The attacks targeted high-pro�le targets, including government and commercial organizations. These attacks occurred in several di�erent countries, but our investigation revealed that the primary targets were individuals and organizations primarily located in India. While there have been several Suck�y campaigns that infected organizations with the group’s custom malware Backdoor.Nidiran (https://www.symantec.com/security_response/writeup.jsp?docid=2015 120123-5521-99), the Indian targets show a greater amount of post-infection activity than targets in other regions. This suggests that these attacks were part of a planned operation against speci�c targets in India. **Campaign activity in India** The �rst known Suck�y campaign began in April of 2014. During our investigation of the campaign, we identi�ed a number of global targets across several industries who were attacked in 2015. Many of the targets we identi�ed were well known commercial organizations located in India. These organizations included: One of India's largest �nancial organizations A large e-commerce company The e-commerce company's primary shipping vendor One of India's top �ve IT �rms A United States healthcare provider's Indian business unit Two government organizations Suck�y spent more time attacking the government networks compared to all but one of the commercial targets. Additionally, one of the two government organizations had the highest infection rate of the Indian targets. Figure 1 shows the infection rate for each of the targets. ----- Figure 1. Infection rates of Indian targets Indian government org #2 is responsible for implementing network software for di�erent ministries and departments within India's central government. The high infection rate for this target is likely because of its access to technology and information related to other Indian government organizations. Suck�y's attacks on government organizations that provide information technology services to other government branches is not limited to India. It has conducted attacks on similar organizations in Saudi Arabia, likely because of the access that those organizations have. Suck�y's targets are displayed in �gure 2 by their industry, which provides a clearer view of the group’s operations. Most of the group's attacks are focused on government or technology related companies and organizations. ----- Figure 2. Suck�y victims, by industry **Suck�y attack lifecycle** One of the attacks we investigated provided detailed insight into how Suck�y conducts its operations. In 2015, Suck�y conducted a multistage attack between April 22 and May 4 against an e-commerce organization based in India. Similar to its other attacks, Suck�y used the Nidiran back door along with a number of hacktools to infect the victim's internal hosts. The tools and malware used in this breach were also signed with stolen digital certi�cates (http://www.symantec.com/connect/blogs/keeping your-code-signing-certi�cate-straight-and-narrow). During this time the following events took place: ----- Figure 3. Suck�y attack lifecycle 1. Suck�y's �rst step was to identify a user to target so the attackers could attempt their initial breach into the e-commerce company's internal network. We don't have hard evidence of how Suck�y obtained information on the targeted user, but we did �nd a large open-source presence on the initial target. The target's job function, corporate email address, information on work related projects, and publicly accessible personal blog could all be freely found online. 2. On April 22, 2015, Suck�y exploited a vulnerability on the targeted employee's operating system (Windows) that allowed the attackers to bypass the User Account Control and install the Nidiran back door to provide access for their attack. While we know the attackers used a custom dropper to install the back door, we do not know the delivery vector. Based on the amount of open-source information available on the target, it is feasible that a spear-phishing email may have been used. 3. After the attackers successfully exploited the employee’s system, they gained access to the e commerce company's internal network. We found evidence that Suck�y used hacktools to move latterly and escalate privileges. To do this the attackers used a signed credential-dumping tool to obtain the victim's account credentials. With the account credentials, the attackers were able to access the victim's account and navigate the internal corporate network as though they were the employee. ----- with port 40 open because there isn't a common protocol assigned to this port. Based on Suck�y scanning for common ports, it’s clear that the group was looking to expand its foothold on the e commerce company's internal network. 5. The attackers’ �nal step was to ex�ltrate data o� the victim’s network and onto Suck�y’s infrastructure. While we know that the attackers used the Nidiran back door to steal information about the compromised organization, we do not know if Suck�y was successful in stealing other information. These steps were taken over a 13-day period, but only on speci�c days. While tracking what days of the week Suck�y used its hacktools, we discovered that the group was only active Monday through Friday. There was no activity from the group on weekends. We were able to determine this because the attackers’ hacktools are command line driven and can provide insight into when the operators are behind keyboards actively working. Figure 4 shows the attackers’ activity levels throughout the week. Figure 4. Signed hacktools in use against targets, by day This activity supports our theory, mentioned in the previous Suck�y blog (http://www.symantec.com/connect/blogs/suck�y-revealing-secret-life-your-code-signing-certi�cates), that this is a professional organized group. **Suck�y's command and control infrastructure** Suck�y made its malware di�cult to analyze to prevent their operations from being detected. However, we were able to successfully analyze Suck�y malware samples and extract some of the ----- We analyzed the dropper, which is an executable that contains the following three �les: 1. dllhost.exe: The main host for the .dll �le 2. iviewers.dll: Used to load encrypted payloads and then decrypt them 3. ms�ed: The encrypted payload All three �les are required for the malware to run correctly. Once the malware has been executed, it checks to see if it has a connection to the internet before running. If the connection test is successful, the malware runs and attempts to communicate with the C&C domain over ports 443 and 8443. In the samples we analyzed we found the port and C&C information encrypted and hardcoded into the Nidiran malware itself. The Nidiran back door made the following initial communication request to the Suck�y C&C domain: GET /gte_ok0/logon.php HTTP/1.1 Accept: */* Accept-Encoding: gzip, de�ate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Host: REDACTED Connection: Keep-Alive **Cookie:** **dfe6=OIAXUNXWn9CBmFBqtwEEPLzwRGmbMoNR7C0nLcHYa+C1tb4fp7ydcZSmVZ1c4akergWcQQ==** The interesting information being transmitted to the C&C server in the initial request is located in the cookie which is comprised of the following: [COOKIE NAME]=[RC4 ENCRYPTED + B64 ENCODED DATA FROM VICTIM] The key for the RC4 encryption in this sample is the hardcoded string “h0le”. Once the cookie data is decoded, Suck�y has the network name, hostname, IP address, and the victim's operating system information. Information about the C&C infrastructure identi�ed in our analysis of Suck�y activity can be seen in Table 1. **Registration** **Domain** **Registration** **IP address** **date** ----- ssl.2upgrades[.]com kumar.pari@yandex[.]com 176.58.96.234 July 5, 2014 bss.pvtcdn[.]com registrar@mail.zgsj[.]com 106.184.1.38 May 19, 2015 ssl.microsoft-security center[.]com Whoisguard Unknown July 20, 2015 August 18, usv0503.iqservs-jp[.]com Domain@quicca[.]com 133.242.134.121 2014 �i.fedora-dns-update[.]com Whoisguard Unknown Unknown Table. Suck�y C&C infrastructure information **Conclusion** Suck�y targeted one of India’s largest e-commerce companies, a major Indian shipping company, one of India’s largest �nancial organizations, and an IT �rm that provides support for India’s largest stock exchange. All of these targets are large corporations that play a major role in India’s economy. By targeting all of these organizations together, Suck�y could have had a much larger impact on India and its economy. While we don't know the motivations behind the attacks, the targeted commercial organizations, along with the targeted government organizations, may point in this direction. Suck�y has the resources to develop malware, purchase infrastructure, and conduct targeted attacks for years while staying o� the radar of security organizations. During this time they were able to steal digital certi�cates from South Korean companies and launch attacks against Indian and Saudi Arabian government organizations. There is no evidence that Suck�y gained any bene�ts from attacking the government organizations, but someone else may have bene�ted from these attacks. The nature of the Suck�y attacks suggests that it is unlikely that the threat group orchestrated these attacks on their own. We believe that Suck�y will continue to target organizations in India and similar organizations in other countries in order to provide economic insight to the organization behind Suck�y's operations. **Protection** Symantec has the following detections in place to protect against Suck�y’s malware: ----- 120123-5521-99) Backdoor.Nidiran!g1 (http://www.symantec.com/security_response/writeup.jsp?docid=2015 120200-0342-99) [Hacktool (http://www.symantec.com/security_response/writeup.jsp?docid=2001-081707-2550-99)](http://www.symantec.com/security_response/writeup.jsp?docid=2001-081707-2550-99) Exp.CVE-2014-6332 (https://www.symantec.com/security_response/writeup.jsp?docid=2014 111313-5510-99) **Intrusion prevention system** Web Attack: Microsoft OleAut32 RCE CVE-2014-6332 (http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=28032) Web Attack: Microsoft OleAut32 RCE CVE-2014-6332 2 (http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27813) Web Attack: Microsoft OleAut32 RCE CVE-2014-6332 4 (http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=70116) Web Attack: OLEAUT32 CVE-2014-6332 3 (http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=28890) System Infected: Trojan.Backdoor Activity 120 (https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=28977)  [Tags: Security (/connect/communities/security), Security Response (/connect/named-blogs/symantec-security-](http://www.symantec.com/connect/communities/security) [response), Endpoint Protection (AntiVirus) (/connect/products/endpoint-protection-antivirus), APT (/connect/blog-](http://www.symantec.com/connect/products/endpoint-protection-antivirus) [tags/apt), Backdoor.Nidiran (/connect/blog-tags/backdoornidiran), Cyberespionage (/connect/blog-tags/cyberespionage),](http://www.symantec.com/connect/blog-tags/backdoornidiran) [espionage (/connect/blog-tags/espionage), India (/connect/blog-tags/india), Suck�y (/connect/blog-tags/suck�y)](http://www.symantec.com/connect/blog-tags/espionage)  Subscriptions (0) (/connect/user/jondimaggio) **[Jon_DiMaggio (/connect/user/jondimaggio)](http://www.symantec.com/connect/user/jondimaggio)**  [View Pro�le (/connect/user/jondimaggio)](http://www.symantec.com/connect/user/jondimaggio) **Login (https://www-secure.symantec.com/connect/user/login?** **destination=node%2F3594731) or Register (https://www-** **secure.symantec.com/connect/user/register?destination=node%2F3594731) to post** **comments.** ----- [(https://www.surveymonkey.com/r/G7KVZWQ)](https://www.surveymonkey.com/r/G7KVZWQ) [Contact Us (/connect/contact)](http://www.symantec.com/connect/contact) [Privacy Policy (http://www.symantec.com/about/pro�le/policies/privacy.jsp)](http://www.symantec.com/about/profile/policies/privacy.jsp) Terms and Conditions (/connect/legal) [Earn Rewards (/connect/points)](http://www.symantec.com/connect/points) Rewards Terms and Conditions (/connect/blogs/symantec connect-rewards-program-terms-and-conditions) © 2016 Symantec Corporation  [(https://twitter.com/symantec)](https://twitter.com/symantec)  [(https://www.facebook.com/Symantec) ](https://www.facebook.com/Symantec) (https://www.linkedin.com/company/symantec) -----