Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Hardcore Nationalist group SideWinder is a threat group active since 2012 according to Kaspersky. This group mainly targets Pakistanis and Chinese military & government entities’ windows machines. They also target mobile phone devices. This is the second time this group is using COVID-19 theme to lure victims, thereby capitalizing on the fear of global pandemic. Sidewinder aka HN2 is believed to be an Indian state sponsored group. A detailed analysis of SideWinder attacks on Pakistani military officials was also published in April.
Property | Value |
File Name | OnlinePolicyGuide.pdf |
File Type | |
File Info | PDF document, version 1.5 |
File Size | 102.70 KB (105160 bytes) |
MD5 | 8ae9cc797c2f3ec3eca3b54a2e70edf1 |
SHA-1 | 6c878840bd899936974a0364a2297b658beaeda9 |
SHA-256 | 65c42fef3df4a2b4974e9a1c907fa79b6c2cd96406c309b0963f358fc4a7c23a |
Virus Total Score | 0/61 |
Hybrid Analysis Score | More than 10% Risk Factor |
Property | Value |
File Name | file.hta |
File Type | HTML executable file |
File Info | HTML document ASCII text |
File Size | 322.46 KB (330200 bytes) |
MD5 | 30398787041EFA25E1632A29D4F7730B |
SHA-1 | 6B0B86897990A254F2FE4C6DF869A1276F10B407 |
SHA-256 | 36b653ede8d68fbb9a9343507aa437125e5915655fe12763dbb109c97bed617b |
Virus Total Score | 3/60 |
Hybrid Analysis Score | More than 16% Risk Factor |
Property | Value |
File Name | rekeywiz.exe |
File Type | Win32 EXE |
File Info | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
File Size | 322.46 KB (330200 bytes) |
MD5 | 082ed4a73761682f897ea1d7f4529f69 |
SHA-1 | 4f77bda9714d009b16e6a13f88b3e12caf0a779d |
SHA-256 | fa86b5bc5343ca92c235304b8dcbcf4188c6be7d4621c625564bebd5326ed850 |
Virus Total Score | 0/70 |
Hybrid Analysis Score | More than 10% Risk Factor |
As per the analysis of the file received by the Air University Online Teaching Intimation, the artifacts found belong to a well-known Indian SideWinder APT group. This APT group has been working in the interest of Indian government, targeting Pakistani government officials through their latest campaign with a decoy document related to online teaching during COVID-19 pandemic.
Figure 2: Dependency Flow of Malware File
Figure 3: Malware File Basic Properties
The following characteristics were found during the analysis:
”http://www.au-edu.km01s.net/cgi/8ee4d36866/16914/11662/eeef4361/file[.]hta.
After reviewing the PCAP file as shown below:
a) As per the source code review of .HTA file, it was found that the file contains JavaScript obfuscated code with the encoding of base 64. In order to de-obfuscate the source code, we have to decode the encoded parameters first.
i) First, we decoded the key value, to decode the completely obfuscated code parameters.
b) After decoding the key value, we get the ASCII String “3110648411” in strings from the following line:
c) Now we can use the main key to decode the whole parameters of this JavaScript code. After using the key, we move towards the decoding of Var X Function encoded parameters.
We have found the URL http://www.au-edu.km01s.net/plugins/16914/11662/true/true[/] which means this hta file is also trying to communicate on the suspicious link and the line in the encoded format is defined below:
d) On further decoding from the code we have found that this file is intended to create another process instance in line mentioned below
e) After observing the above characteristics, we have searched for the exact file parameters. We found that the source file tried to create another file in the directory of “temp” with an anonymous name having the extension of .hta with the usage of mshta.exe process. As you can see in the hex view of decoded parameter taken from the line of Var SO:
f) The same hex value is found with another process i.e. intended to drop in the directory after its creation as shown in the image below:
g) In addition, after some other lines we have found that there is another process “csc.exe” is called in the parameter, which is used to perform CLI based compilation.
h) It also uses “ActiveXObject” utility to help in its execution through Microsoft products and internet browsers. The ActiveXObject object is used to create instances of OLE Automation objects in Internet Explorer on Windows operating systems. Several applications (Microsoft Office Word, Microsoft Office Excel, Windows Media Player, etc) provide OLE Automation objects to allow communication with them.
Hence, It was identified that the attacker used multiple obfuscation techniques, which are techniques used by attackers to hide the attack, to avoid detection and to make it difficult to decode the key string and actual payload and command instruction.
Following are the dependencies observed in the malware code and required user interaction for execution.
Following is the complete process-working graph for this attack.
Following are the behavior of the malicious files,
In the background, it makes a connection with a suspicious IP Address “185.163.45.199” to download .hta & Payload.
Registry | Value |
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\rekeywiz_RASAPI32 | %windir%\tracing |
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\rekeywiz_RASMANCS | 0 |
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\rekeywiz_RASMANCS | 0 |
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\rekeywiz_RASMANCS | 4294901760 |
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\rekeywiz_RASMANCS | 1048576 |
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\rekeywiz_RASMANCS | %windir%\tracing |
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\rekeywiz_RASAPI32 | 1048576 |
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\rekeywiz_RASAPI32 | 4294901760 |
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\rekeywiz_RASAPI32 | 4294901760 |
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\rekeywiz_RASAPI32 | 0 |
As already shown in the above screenshot, registry changes will surely occur when rekeywiz.exe drops in the system and executes itself for intentional damage.
By reviewing the logs, in the directory “C:\WINDOWS\tracing” and the log file name as “rekerywiz_RASAPI32.log” and “rekeywiz_RASMANC.log”, we find that the first log file is generated and as the malware was not properly executed in the sandbox environment created for analysis so it does not show plenty of information. Furthermore, you can also get information from these log files defined below:
In order to remediate following points are defined below:
Beware of social engineering techniques employed by cyber criminals—including strategies used in phishing emails, impersonated calls, and fraudulent businesses and domains— to identify and respond to a suspected compromise.
The above analysis is performed in a controlled environment in Rewterz Threat Intelligence Labs. In case you have any malware samples/binaries that need to be analyzed, Rewterz is here to help.
It is concluded after in-depth analysis that a malicious pdf file attempts to connect to a random public IP address to download other supporting components of malware in the form of .hta extension file. This file .hta is actually playing the dropper role in this infection cycle, which generates calls to download malicious executable (rekeywiz.exe). The core components of this malware are file.hta and rekeywiz.exe. Rekeywiz.exe encrypts the system files if the .net framework existence fulfills the dependency of file.hta