Rewterz Threat Alert – Alert on NIFT Suffers A Severe Cyber Attack: Infrastructure Targeted in Major Breach – Active IOCs
Severity
High
Analysis Summary
The White Elephant Group is an Advanced Persistent Threat (APT) organization with origins in India. Its cyber attack activities date back to November 2009. A cybersecurity company named the organization White Elephant in Chinese and first disclosed its attack activities in China in 2016. They subsequently released a series of reports detailing the White Elephant Group’s cyber attacks, focusing on its activities against China and tracking its attack patterns.
The White Elephant Group’s targets are widespread, but they primarily focus on China and Pakistan. They possess attack capabilities across multiple platforms, including Windows, Android, and macOS. The group specializes in using politically sensitive topics as bait to carry out targeted spear phishing attacks. They constantly upgrade their attack techniques to improve their effectiveness and avoid detection.
In an attack activity observed by researchers, the White Elephant Group targeted specific units within their own country. The attackers sent phishing emails to their targets, with the email attachment containing a compressed package housing a malicious LNK file. This LNK file served as a means to download the BADNEWS remote control Trojan, granting the attackers control over the compromised system and facilitating information theft.
Further analysis revealed that the LNK series of attacks are connected to recent network attacks on military and political targets in South Asia. These attacks employed mature commercial remote control tools such as Remcos. The attackers utilized LNK-based baits, including file names with military and political themes, phishing websites, and more, as the initial entry point for their attacks. They compromised a significant amount of network infrastructure to support load distribution and control communications.
The associated attacks have clear indications of having an Indian background, but they do not currently involve the reporting country. The only identified overlap with the White Elephant Group is a digital certificate. The attackers distributed the compressed package containing the malicious LNK file as an email attachment, disguising it as a PDF document to entice the target into opening and executing it.
Upon execution of the LNK file, it downloads a decoy file from a specific URL and saves it on the target system. Subsequently, the payload is downloaded from another URL and stored as “OneDrive.exe” in the C:\ProgramData\Microsoft\DeviceSync directory. This OneDrive.exe file is the BADNEWS remote control Trojan, which enables various malicious functionalities such as file download, command execution, and screen capture. The OneDrive.exe file is digitally signed and bears a specific digital signature.
Once the BADNEWS Trojan is executed, it first determines the machine’s time zone. If the time zone corresponds to China standard time, it proceeds with executing further malicious operations. The Trojan creates a mutex named “qzex” to ensure its uniqueness within the current environment and registers a keyboard hook using the SetWindowsHookExW function.
The Trojan records keystrokes, storing them in a file named “%temp%\kednfbdnfby.dat”. It utilizes web services like myexternalip.com, api.ipify.org, and ifconfig.me to obtain the host’s external network address. The external network IP is then queried using web services like api.iplocation.net and ipapi.co to determine the country associated with the IP.
The collected information is encrypted and sent back to the Command-and-Control (C2) server as part of the heartbeat packet. The data collected from the target machine includes sensitive information that undergoes Base64 encoding, AES-CBC-128 encryption using the key “qgdrbn8kloiuytr3” and IV “feitrt74673ngbfj,” and another round of Base64 encoding.
The Trojan establishes communication with the C2 server, utilizing the address “charlizard.shop,” communication port 443, and the URI “/tagpdjjarzajgt/cooewlzafloumm.php.” Different threads handle distinct tasks, and communication content is encrypted using AES-CBC-128.
One thread is responsible for sending basic information to verify if the target machine is powered on. Another thread facilitates remote control functionality, executing commands issued by the attacker. The thread responsible for executing cmd commands collects information such as the current user name, network configuration, DNS cache, system information, and process list. This information is encrypted and sent back to the C2 server.
The Trojan OneDrive.exe used in this attack shares similarities in code structure, encryption algorithm, and communication mode with the BADNEWS Trojan previously utilized by the White Elephant Group. The storage path for the BADNEWS Trojan, “C:\ProgramData\Microsoft\DeviceSync,” is a common file path used by the organization. The correlation analysis suggests that the BADNEWS Trojan is associated with recent attacks on military and political targets in South Asia. The attackers heavily employ the Remcos commercial remote control Trojan to gain remote access and extract sensitive information from the targeted systems.
Remcos is a commercial remote control Trojan that offers a wide range of capabilities for unauthorized access and control over compromised systems. It provides functionalities such as remote desktop control, allowing the attacker to take control of the victim’s desktop environment. Additionally, it enables screen stealing, which involves capturing screenshots of the victim’s screen without their knowledge.
The Trojan also facilitates clipboard stealing, where it can monitor and collect data copied to the clipboard, potentially capturing sensitive information such as passwords or confidential data. Furthermore, Remcos supports camera and audio peeping, enabling the attacker to covertly access the victim’s webcam and microphone, potentially compromising their privacy.
In terms of digital certificate association, a specific digital signature used by the BADNEWS Trojan in the attack against relevant units in the reporting country has been found in several malicious files. One such file is named “Minutes-of-Meeting-Joint-Ops.exe,” uploaded from Bangladesh, which belongs to the Remcos remote control family. The associated C2 address for this Trojan is “45.137.116.253:443 (TCP).” Other files using this signature include Remcos remote control files with military and political themes.
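As an added example (not code from the advisory or from Rewterz), the following Python triage rule scores constructed Sysmon-style host events against the BADNEWS and Remcos behaviours described above: the OneDrive.exe dropped under DeviceSync, the keystroke log file, the external-IP lookup services, the charlizard.shop C2 and URI, and the Remcos C2 address. The event dictionary shape and field names are assumptions; weak indicators such as IP lookup services score low so they only matter in combination.

```python
import re

# Indicators as quoted in the advisory text above
C2_HOSTS = {"charlizard.shop", "45.137.116.253"}
C2_URI = "/tagpdjjarzajgt/cooewlzafloumm.php"
IP_LOOKUP = {"myexternalip.com", "api.ipify.org", "ifconfig.me",
             "api.iplocation.net", "ipapi.co"}
# The legitimate OneDrive client does not live under ProgramData\Microsoft\DeviceSync
BADNEWS_IMAGE = re.compile(r"\\ProgramData\\Microsoft\\DeviceSync\\OneDrive\.exe$", re.I)
KEYLOG_FILE = re.compile(r"\\kednfbdnfby\.dat$", re.I)


def score_event(ev):
    """Return (points, reason) for one event; (0, None) if nothing matched."""
    kind = ev.get("type")
    if kind == "process" and BADNEWS_IMAGE.search(ev.get("image", "")):
        return 5, "OneDrive.exe launched from DeviceSync path"
    if kind == "file" and KEYLOG_FILE.search(ev.get("path", "")):
        return 5, "keystroke log file written"
    if kind == "dns":
        query = ev.get("query", "").lower()
        if query in C2_HOSTS:
            return 5, "DNS query for known C2 host"
        if query in IP_LOOKUP:
            return 1, "external IP lookup service (weak on its own)"
    if kind == "net":
        if ev.get("dst", "") in C2_HOSTS and ev.get("port") == 443:
            return 5, "connection to known C2 on 443"
        if ev.get("uri") == C2_URI:
            return 5, "request to BADNEWS C2 URI"
    return 0, None


def triage(events, threshold=5):
    """Sum points per host; return {host: (score, reasons)} for hosts at or above threshold."""
    per_host = {}
    for ev in events:
        pts, why = score_event(ev)
        if pts:
            entry = per_host.setdefault(ev["host"], [0, []])
            entry[0] += pts
            entry[1].append(why)
    return {h: (s, r) for h, (s, r) in per_host.items() if s >= threshold}


# Constructed sample telemetry (assumed field names, not real captured events)
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "image": r"C:\ProgramData\Microsoft\DeviceSync\OneDrive.exe"},
    {"host": "ws01", "type": "dns", "query": "api.ipify.org"},
    {"host": "ws01", "type": "net", "dst": "charlizard.shop", "port": 443, "uri": C2_URI},
    {"host": "ws02", "type": "dns", "query": "ifconfig.me"},  # alone, stays below threshold
    {"host": "ws02", "type": "process", "image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]
```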
To summarize, the attacks involving the White Elephant Group, as discovered by researchers, indicate that this Indian APT organization employs dedicated remote control Trojans through phishing attacks. The attack methods and code align with their previous activities, with similarities observed in the BADNEWS Trojan. The association of the digital certificate with Remcos commercial Trojan usage suggests a growing trend among Indian organizations to procure commercial Trojan tools, reducing costs while increasing the efficiency of their cyber attack activities.
Impact
- Information Theft
- Credential Theft
- User Information Theft
- Remote Control Capabilities
Indicators of Compromise
IP
- 45.146.254.153
- 45.146.252.37
- 45.153.242.244
- 185.239.237.197
Remediation
- Block all threat indicators at your respective controls. Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Conduct regular cybersecurity awareness and training programs to educate employees about phishing techniques, social engineering, and safe online practices. By enhancing employee awareness, organizations can reduce the likelihood of falling victim to the group’s spear-phishing attacks.
- Implement robust email security solutions that include spam filters, advanced threat protection, and anti-phishing mechanisms. These measures can help detect and block malicious emails containing attachments or links used by the White Elephant APT Group for initial intrusion.
- Maintain a robust patch management process to ensure all systems and software are up to date with the latest security patches. Regularly scan for vulnerabilities and promptly apply patches to minimize the risk of exploitation by the group’s attacks.
- Implement network segmentation to isolate critical systems and sensitive data from the rest of the network. This helps contain any potential breaches and prevents lateral movement within the network in case of a successful intrusion.
- Enable MFA for all user accounts, especially for privileged accounts and remote access. MFA adds an extra layer of security and makes it harder for attackers to gain unauthorized access even if they obtain valid credentials.
- Deploy advanced endpoint protection solutions that include behavior-based detection, real-time monitoring, and threat intelligence capabilities. These solutions can help identify and block malicious activities associated with the White Elephant APT Group’s Trojans or other malware.
- Implement robust network monitoring and intrusion detection systems to detect any suspicious activities or anomalies indicative of an ongoing attack. This includes monitoring for unusual network traffic, communication with known malicious domains or IP addresses, and unauthorized access attempts.
- Develop and regularly update an incident response plan that outlines the steps to be taken in case of a security incident. This includes incident identification, containment, eradication, and recovery procedures to minimize the impact of a successful attack.
- Stay updated with the latest threat intelligence reports and indicators of compromise related to the White Elephant APT Group. Collaborate with industry peers, government agencies, and relevant cybersecurity organizations to share information and better defend against their attacks.
- Conduct periodic security audits and penetration tests to identify vulnerabilities and weaknesses in systems, applications, and network infrastructure. Address any identified issues promptly to strengthen the overall security posture.