The Advanced Persistent Threat group APT-C-35, believed to be based in India, has been observed targeting government and military personnel in Pakistan using spear phishing emails. The threat group has been active for several years, conducting intelligence operations against political and military entities in South Asia. This is a new round of attacks launched by the APT actor against the Pakistani government. It comes as no surprise that cyber attacks against the Pakistan government continue, given the historically tense relations with India in the region and the recent rise of geopolitical tensions. The group has also demonstrated the capability to target mobile phone users in past operations, and has impersonated the National Bank of Pakistan while targeting Pakistani businessmen.
However, this isn’t the only attack targeting Pakistani organizations. Recently, the SideWinder group was found targeting Windows machines and mobile devices in Pakistan and China. Rewterz Threat Intelligence also released a detailed analysis of SideWinder targeting Pakistani government officials in April.
| Attribute | Value |
|---|---|
| File Name | Project Management.xls |
| File Info | MS Excel Spreadsheet |
| File Size | 155.00 KB (158720 bytes) |
| Virus Total Score | 30/61 |
| Hybrid Analysis Score | More than 50% Risk Factor |
A spear phishing campaign initiated by the APT-C-35 group was observed targeting Pakistani officials by Rewterz. Our Threat Intelligence team acquired the spear phishing email and found that it contains an attachment (a Microsoft Excel document) portrayed as a legitimate project management document.
Detailed analysis of the Excel file showed that it contains 20 different worksheets with malicious macro code embedded in it. When the victim opens the document, a macro (workbook_open) executes and shows the victim a message box saying ‘Microsoft Excel stopped working’ (hardcoded in the macro). In parallel, it executes a batch file (named s.bat) that contains step-by-step instructions for creating the folder and files ‘Temp’ & ‘Appdata’ (hardcoded in the code). Once created, it hides the files and folder and saves the computer name in another file (agnia) created by the attacker in the Appdata folder. Once the files and folders have been created and their attributes hidden, it extracts the actual payload DLL, named ‘sqmap.dll’, into the created directory (Appdata folder).
Upon analysis, it was found that sqmap.dll contains a function named ‘calldll’ which holds a CnC server address. The attacker then executes sqmap.dll through Rundll32.exe (a native Microsoft Windows binary used to execute DLLs), passing the DLL’s sub function as an argument. It initiates a GET request over HTTP port 80 to its CnC server, hosted in Bulgaria, to perform its further activity (action on objective). The requests initiated by the infected system toward the CnC server contain multiple arguments in the URL parameters, and at the time of analysis the CnC servers responded with a 404 error (page not found). All activity is performed through a batch script containing line-by-line instructions, embedded in the macro, which creates a batch file named ‘s.bat’ in the ‘APPDATA’ directory.
Following are the characteristics observed in the Excel document when invoked or opened by the victim.
While searching for VBA scripting, we also found that the “This Workbook” sheet contains scripting, described point by point below:
A) First we extracted the script running in the macros of the “This Workbook” sheet and found that it creates a message box with an intentional message: “Microsoft Excel has stopped working”.
B) The script also specifies that the “S.bat” and “S” files should be dropped in certain folders.
C) The last line declares that s.bat can initiate an HTTPS request and after that should hide itself using the vbHide function.
After exploring the main sheet, we broke the main XLS file into raw strings and found another set of scripting, described in the points below:
A) Looking over the script, the creation of a scheduled task for the gapdat.exe file was observed, which exists in the directory “%USERPROFILE%\Files\Shared\Web\”. This directory does not seem legitimate, so gapdat.exe appears to act as a dependent file already created in this directory.
B) The first line of the raw scripting strings moves the “s” file from %AppData% to the directory “%USERPROFILE%\Viewer\Information\Policy”; after moving, it was found renaming the file “s” to “Sqmap.dll”, as shown below:
C) Modification of the attributes of the folders in which gapdat.exe and sqmap.dll were found can be noticed. According to the script, the three flags used to change the attributes are “+a”, “+h” and “+s”, which set the archive, hidden and system attributes respectively.
D) Another scheduled task creation was observed: this XLS file uses the rundll32.exe process to call sqmap.dll, which exists in another unusual directory, “%USERPROFILE%\Viewer\Information\Policy”.
[Note: the same was found in the raw form of sqmap.dll]
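As an added example (not part of the Rewterz write-up), the following Python scans constructed process command-line records for the stages described in points A to D above: the attrib flags, the rename of “s” to sqmap.dll, the scheduled task, and rundll32 loading a DLL from a user-profile directory. The directories, attrib flags and rundll32 usage are those reported; the user name, timestamps, task name, schedule and the use of calldll as the rundll32 export are assumptions.

```python
"""Detection heuristics for the s.bat -> sqmap.dll chain described above.
Added example, not Rewterz code: log lines are constructed in a simplified
"<timestamp> <image> <command line>" form; user name, task name, schedule and
export name are assumptions, the directories and flags come from the write-up."""
import re

RULES = {
    # rundll32 loading a DLL from under C:\Users with an explicit export name
    "rundll32_userprofile_dll": re.compile(
        r"rundll32(?:\.exe)?\s+\S*\\users\\[^\\\s]+\\.+?\.dll\s*,\s*\w+", re.I),
    # attrib setting hidden (+h) and system (+s) in any order, as s.bat does
    "attrib_hide_system": re.compile(r"\battrib\b(?=.*\+h)(?=.*\+s)", re.I),
    # scheduled task whose action (/tr) lives under a user profile
    "schtasks_userprofile_action": re.compile(
        r"schtasks(?:\.exe)?\s.*?/create\b.*?/tr\s+\"?[^\"]*\\users\\", re.I),
    # the dropped file "s" renamed or moved to a .dll name
    "rename_s_to_dll": re.compile(
        r"\b(?:ren|rename|move)\b\s+\"?\S*\\s\"?\s+\"?\S*\.dll", re.I),
}

SAMPLE_LOG = r"""
2019-06-01T10:00:01 cmd.exe attrib +a +h +s "C:\Users\alice\Viewer\Information\Policy"
2019-06-01T10:00:02 cmd.exe move "C:\Users\alice\AppData\Roaming\s" "C:\Users\alice\Viewer\Information\Policy"
2019-06-01T10:00:03 cmd.exe ren "C:\Users\alice\Viewer\Information\Policy\s" sqmap.dll
2019-06-01T10:00:04 schtasks.exe schtasks /create /sc minute /mo 5 /tn Policy /tr "rundll32.exe C:\Users\alice\Viewer\Information\Policy\sqmap.dll,calldll"
2019-06-01T10:00:05 rundll32.exe rundll32.exe C:\Users\alice\Viewer\Information\Policy\sqmap.dll,calldll
2019-06-01T10:05:00 rundll32.exe rundll32.exe shell32.dll,Control_RunDLL
2019-06-01T10:06:00 cmd.exe attrib +r C:\Users\alice\notes.txt
"""


def scan(log_text):
    """Return {rule_name: [matching log lines]} for every rule that fires."""
    hits = {}
    for line in log_text.splitlines():
        for name, pattern in RULES.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(line)
    return hits


def verdict(hits, threshold=3):
    """attrib, move, schtasks and rundll32 are legitimate admin tools, so one hit is
    weak evidence; report the chain only when several distinct stages co-occur."""
    return "likely_chain" if len(hits) >= threshold else "inconclusive"


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    print({name: len(lines) for name, lines in found.items()}, verdict(found))
```

The benign rundll32 shell32.dll line and the attrib +r line are deliberately included to show that the rules key on the reported paths and flag combinations, not on the tool names alone.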
Following are the dependencies observed in the malware code, which require user interaction for execution.
Following is the complete process-working graph for this attack.
Following is the behavior of this malware:
• The file names are “s” and “s.bat”
Visit our Threat Advisory for IoCs.
To remediate this, the following points are recommended:
Beware of social engineering techniques employed by cyber criminals, including strategies used in phishing emails, impersonated calls, and fraudulent businesses and domains, so that a suspected compromise can be responded to effectively.
The above analysis was performed in a controlled environment in Rewterz Threat Intelligence Labs. If you have any malware samples or binaries that need to be analyzed, contact us.
It is concluded after analysis that the sample Excel file acts as a beacon. It builds the connection to the command and control server using the macros feature of Microsoft Excel. As macros allow scripting, a trigger is required: macros must be enabled. If the user, accidentally or intentionally, enables these macros while opening this Excel document, it starts initiating calls toward the command and control server. However, no response from the command and control server was observed in packet captures.
To read our frequent analyses on malware and APT groups, visit our Threat Intelligence blog.