SentinelLabs

Targets of Interest | Russian Organizations Increasingly Under Attack By Chinese APTs

7 July 2022 at 10:58

Executive Summary

  • SentinelLabs has identified a new cluster of threat activity targeting Russian organizations.
  • We assess with high confidence that the threat actor responsible for the attacks is a Chinese state-sponsored cyber espionage group, as also recently noted by Ukraine CERT (CERT-UA).
  • The attacks use phishing emails to deliver malicious Office documents that exploit the target’s system in order to install the actor’s RAT of choice, most commonly Bisonal.
  • SentinelLabs has also identified associated activity targeting telecommunication organizations in Pakistan leveraging similar attack techniques.

Overview

On June 22nd 2022, CERT-UA publicly released Alert #4860, which contains a collection of documents built with the Royal Road malicious document builder, themed around Russian government interests. SentinelLabs has conducted further analysis of CERT-UA’s findings and has identified supplemental Chinese threat activity.

China’s recent intelligence objectives against Russia can be observed in multiple campaigns following the invasion of Ukraine, such as Scarab, Mustang Panda, ‘Space Pirates’, and now the findings here. Our analysis indicates this is a separate Chinese campaign, but specific actor attribution is unclear at this time.

While the overlap of publicly reported actor names inevitably muddies the picture, it remains clear that the Chinese intelligence apparatus is targeting a wide range of Russian-linked organizations. Our findings currently offer only an incomplete picture of this threat cluster’s phishing activity, but they serve to provide perspective into an attacker’s ongoing operational objectives and a framework for our ongoing research.

Malicious Documents Targeting Russia

On June 22nd, Ukraine’s CERT-UA reported several RTF documents containing malicious code that exploits one or more vulnerabilities in MS Office. CERT-UA assessed that the documents, “Vnimaniyu.doc”, “17.06.2022_Protokol_MRG_Podgruppa_IB.doc”, and “remarks table 20.06.2022_obraza”, were likely built with the Royal Road builder and dropped the Bisonal backdoor. Royal Road is a malicious document builder used widely by Chinese APT groups, while Bisonal is a backdoor RAT unique to Chinese threat actors.

The CERT-UA advisory followed public reporting by our colleagues from nao_sec and Malwarebytes, who identified some of the first indicators and shared related samples and C2 servers. Building off this initial intelligence, SentinelLabs discovered a further related cluster of activity.

Timeline of Royal Road Malicious Documents

As we have observed over the years, Royal Road documents follow content themes relevant to their targets. Following that practice, it’s reasonable to assume that the targets in this recent cluster of activity are likely Russian government organizations.

One example of this cluster (f599ed4ecb6c61ef2f2692d1a083e3bb040f95e6) is a fake document mimicking a RU-CERT memo on increased phishing attacks.

Malicious document mimicking RU-CERT
Malicious document mimicking RU-CERT (Translated)

Another example is themed around telecommunication organizations (415ce2db3957294d73fa832ed844940735120bae).

Malicious Document – Russia Telecom Theme – “Пояснительная записка к ЗНИ.doc”
Malicious Document – Russia Telecom Theme – “Пояснительная записка к ЗНИ.doc” (Translated)

The example documents shown above both exploit CVE-2018-0798, a remote code execution vulnerability in Microsoft Office, to install the embedded malware.

Attribution to Chinese Threat Groups

The collection of files and infrastructure noted above could be considered related to the Tonto Team APT group (aka “CactusPete”, “Earth Akhlut”), a Chinese threat group that has been reported on for nearly ten years. However, we assess that link with only medium confidence due to the potential for shared attacker resources that could muddy attribution based on the currently available data. Known targets span the globe, with a particular interest in Northeast Asia, including governments, critical infrastructure, and other private businesses.

The attacker continues their long history of Russian targeting; however, the rate of Russian and Russia-relevant targets in recent weeks may indicate increased prioritization.

There are multiple connections of this activity to Chinese threat actors. As noted above, the documents are built with a commonly known malicious document builder used widely by Chinese APT groups, the shared toolkit often referred to as the “Royal Road” or the “8.t” builder.

These documents often contain metadata indicating the document creator’s operating system was using simplified Chinese, a trait we observed in our previous analysis of Scarab APT activity.

The malicious documents are generally used for the delivery of custom malware, such as the Bisonal RAT, which as noted by CERT-UA, is unique to Chinese groups, including Tonto Team. Bisonal has a uniquely long history of use and continued development by its creators, such as expanding features for file searching and exfiltration, anti-analysis and detection techniques, and maintaining generally unrestricted system control.

Additionally, the collection of C2 infrastructure associated with these various samples falls under a larger umbrella of known Chinese APT activity.

Related Activity of Interest

It’s also worth noting that there are still ongoing related attacks focused on non-Russian organizations, such as those against Pakistan.

For example, one file uploaded to VirusTotal (91ca78231bcacab0d5e6194041817b96252e65bf) from Pakistan is a May 2022 email message file to the Pakistan Telecommunication Authority, sent from a potentially compromised account in the Cabinet Division of the Pakistani government. This email contains the Royal Road attachment “Please help to Check.doc” (f444ff2386cd3ada204c3224463f4be310e5554a), dropping 85fac143c52e26c22562b0aaa80ffe649640bd29 and beaconing outbound to instructor.giize[.]com (198.13.56[.]122).

Phishing email containing malicious document

Conclusion

We assess with high confidence that the Royal Road-built malicious documents, delivered malware, and associated infrastructure are attributable to Chinese threat actors. Based on our observations, there’s been a continued effort to target Russian organizations by this cluster through well-known attack methods: the use of malicious documents exploiting n-day vulnerabilities with lures specifically relevant to Russian organizations. Overall, the objectives of these attacks appear espionage-related, but the broader context remains unavailable from our standpoint of external visibility.

Indicators of Compromise


Putting Things in Context | Timelining Threat Campaigns

11 May 2022 at 16:05

Like many in our field, I often have a desire to timeline a threat or mind map threat activity to better understand evolving campaigns, track new unknown activity, and generally keep up with the ever-changing threat landscape. Timelining threat campaigns is incredibly useful for many reasons. For one, we are often faced with complex incidents that need a form of documentation to enable the identification of new context. Being able to see how events relate to one another is powerful because it allows a researcher to organize complex threat activity and highlight context an actor cannot easily fabricate, even when considering specific misdirection techniques like file timestomping.

In this post, I’m going to walk through some examples of how I use Aeon Timeline. I’ll also provide a custom threat research-themed template for your own use. Additionally, this blog contains the timeline file we made while tracking the threat activity related to the invasion of Ukraine. I hope this will encourage other security researchers to make use of timelines as a foundation to further their own research or for historical reference of related events.

What is Aeon Timeline Software?

I’ve found Aeon increasingly useful while researching threat activity, and I would highly recommend it for security practitioners. For some context, Aeon Timeline is an interactive timeline tool used for a variety of industries, such as legal, creative writing, and education.

While our use in security research is rather unique, many of its features can be used for our purposes. Since Aeon currently does not come with a preloaded configuration/template for security research projects, I would like to use this blog to share our template, which you can now download and import.

To get hands-on experience, here are two ideas of what you can do with the Ukraine timeline shared here:

  • Label events as either cyber or kinetic, then begin documenting the kinetic events of the war. How do the events now line up, and do you see any correlation of the two?
  • Cluster the activity by threat groups

Aeon is superb for these kinds of uses and many others, although I would recommend against using it as a form of TIP (Threat Intelligence Platform) or for generally collecting and storing intelligence long term. I recommend its use during an initial investigation’s learning phase; once the investigation is complete or has reached a sufficient level of confidence, store the data (as appropriate) in a central platform like the Vertex Project’s Synapse. This ensures proper data retention and long-term value. However, the tool is rather adaptable, so it’s ultimately your choice how it is used.

Create and Explore a Timeline

Let’s take a look at some basic timeline-creation workflows. To use the timeline we need data, which in Aeon is best viewed in the “Spreadsheet” tab at the top. Data stored in the spreadsheet can be heavily customized, including its properties.

For this example, we’ll use the shared file covering the cyber-domain events centered around the invasion of Ukraine. Also note that this example is based on events rather than on individual IOCs, which we would work with at a deeper level or in a mind map, depending on the need.

My overall objective for this timeline was to grasp what happened and when, since the flood of activity at the time was difficult to make sense of. The data in this timeline is generally based on OSINT, which we can expect to change as we learn more about the referenced events; this is why an easy-to-use timeline works so well.

Spreadsheet Data to Form Timeline

Here is a section of the data itself, which, as you can see, contains labels, notes and times. I used colors to distinguish pro-Russian from pro-Ukrainian events, which helps when looking at the data from a higher level. In many of these cases my working approach is to note the start and end dates, knowing that they are, again, based on OSINT and likely limited by the perspective of the source. You can indicate that visually on the timeline by opening the event to see its properties and using the earliest/latest dates.

AcidRain Event Example of Dates

Additionally, in the properties I often make use of Notes and links/images. The timeline we’re looking at has many references to each event for your own analysis.

AcidRain Event Example of Links

After placing dates/times on our events, we can begin reviewing them in the timeline tab at the top of the application. As you can see below, we have quite an interesting timeline of events giving perspective into the quantity of known/public events on this topic, while also giving us the references to each.

Timeline of Ukraine-centric cyber activity

I recommend exploring the options at the bottom right and left to display the information to your liking: zoom in for specific dates and out for high-level overviews (like the one above). The timeline above spans a view of months and indicates precise days with vertical lines. However, if you are using a timeline for something like an intrusion analysis, you will likely find value in a finer precision, such as minutes.

Personally, my workflow for the Ukraine events was kept rather manual because of my desire to review, understand, and expand each event when possible. However, as you begin using the application you will quickly find the option to bulk import data, which may now feel similar to something like Maltego.

Additionally, when it comes to customizing properties, it all depends on what you could find useful. For example, if I’m particularly interested in tracking the target organization or attacker by event, simply add it as a property of the data. To do this, click the top right ⚙ (Settings), Data Types > Edit > Properties.

Adding Target and Attacker properties

Mastering The Mind Map

On a much different level, one other great area of the product I make use of is the mind map. My use of a mind map is of course more related to the discovery of relationships rather than time of events. Generally speaking, the mind map is my go-to for connecting the dots between the larger and more complex bits of threat activity. A mind map was instrumental in my research on ModifiedElephant.

The template shared in this blog post will be a great starting point for your own mind map use. To get started, open a new project using the template, then navigate to the mind map section at the top. Double-click in the empty map to add your first entity. Once multiple entities exist, you can connect two of them by forming a line relationship. The entity types and relationships are built into our template, and you can customize them to your liking.

Here is a quick example of how one could use the mind map to quickly map out some activity while also noting potential assessments of confidence. Note that we have a domain IOC which is related with high confidence to an IP and email. Those then further relate to the infamous APT41.

Mind Map example, clean and organized

To modify all the data types (IOCs in this case), Relationships (confidence levels), or properties of the data, again navigate to the advanced settings: ⚙ > Data Types > Edit.

It’s also worth noting that a mind map does not need to be highly organized and clean. Sometimes if I’m moving fast, a mind map just to keep track of my findings is often good enough to avoid forgetting something. However, if you plan on maintaining the map over time rather than a quick project, I recommend avoiding such methods or you could end up with something less than helpful like the one below.

Messy mind map – does it help or hinder?

Custom Template – Download and Open

Below you will find an example timeline and mind map, but I also highly recommend exploring the official training material on the Aeon website in order to understand more of the tool’s capabilities.

After installing Aeon, download our template file and save it locally. With Aeon running, navigate to the program preferences and select custom templates. Here is where you can import the SentinelLabs template you previously downloaded.

Import Aeon Template

On the main page of Aeon, select Create New > Custom, and you should see an entry for the template, which is preconfigured with common IOC types used in the practice of security research. The template is completely customizable to your personal needs, but the setup provided should be enough to get you started.

Template IOCs and Configuration

You are now ready to use the tool for some interesting threat research use cases.

Conclusion

Analysts, researchers, incident responders, and any other form of investigator can derive a lot of value from this tool. If you want to get started, download the template and the UA/RU timeline to explore the data.

The use of timelines in the researcher workflow is a powerful tool that can help enable the identification of new context. I hope the examples shared here may motivate others to adopt them as a useful addition to their toolkit and industry collaboration efforts.

Chinese Threat Actor Scarab Targeting Ukraine

24 March 2022 at 16:05

Executive Summary

  • Ukraine CERT (CERT-UA) has released new details on UAC-0026, which SentinelLabs confirms is associated with the suspected Chinese threat actor known as Scarab.
  • The malicious activity represents one of the first public examples of a Chinese threat actor targeting Ukraine since the invasion began.
  • Scarab has conducted a number of campaigns over the years, making use of a custom backdoor originally known as Scieron, which may be the predecessor to HeaderTip.
  • While technical specifics vary between campaigns, the actor generally makes use of phishing emails containing lure documents relevant to the target, ultimately leading to the deployment of HeaderTip.

UAC-0026

On March 22nd 2022, CERT-UA published alert #4244, where they shared a quick summary and indicators associated with a recent intrusion attempt from an actor they dubbed UAC-0026. In the alert, CERT-UA noted the delivery of a RAR file archive "Про збереження відеоматеріалів з фіксацією злочинних дій армії російської федерації.rar", which translates to “On the preservation of video recordings of criminal actions of the army of the Russian Federation.rar”. Additionally, they note the archive contains an executable file, which opens a lure document, and drops the DLL file "officecleaner.dat" and a batch file "officecleaner". CERT-UA has named the malicious DLL ‘HeaderTip’ and notes similar activity was recorded in September 2020.

The UAC-0026 activity is the first public example of a Chinese threat actor targeting Ukraine since the invasion began. While there has been a marked increase in publicly reported attacks against Ukraine over the last week or so, these and all prior attacks have otherwise originated from Russian-backed threat actors.

Rough timeline of recent Ukrainian conflict cyber activity

Connection of HeaderTip to Scarab APT

Scarab has a relatively long history of activity based on open source intelligence. The group was first identified in 2015, and the associated IOCs are archived on OTX. As noted in that previous research, Scarab has operated since at least 2012, targeting a small number of individuals across the world, including in Russia, the United States, and other countries. The backdoor deployed by Scarab in their campaigns is most commonly known as Scieron.

During our review of the infrastructure and HeaderTip malware samples shared by CERT-UA, we identified relations between UAC-0026 and Scarab APT.

We assess with high confidence the recent CERT-UA activity attributed to UAC-0026 is the Scarab APT group. An initial link can be made through the design of the malware samples and their associated loaders from at least 2020. Further relationships can be identified through the reuse of actor-unique infrastructure between the malware families associated with the groups:

  • 508d106ea0a71f2fd360fda518e1e533e7e584ed (HeaderTip – 2021)
  • 121ea06f391d6b792b3e697191d69dc500436604 (Scieron 2018)
  • Dynamic.ddns[.]mobi (Reused C2 Server)

As noted in the 2015 reporting on Scarab, there are various indications the threat actor is Chinese speaking. Based on known targets since 2020, including those against Ukraine in March 2022, in addition to specific language use, we assess with moderate confidence that Scarab is Chinese speaking and operating under geopolitical intelligence collection purposes.

Lure Documents

Analysis of lure documents used for initial compromise can provide insight into those being targeted and into particular characteristics of their creator. For instance, in a September 2020 campaign targeting suspected individuals in the Philippines, Scarab made use of lure documents titled “OSCE-wide Counter-Terrorism Conference 2020”. For context, OSCE is the Organization for Security and Co-operation in Europe.

September 2020 Scarab APT Lure Document Content

More recently, industry colleagues have noted a case in which Scarab was involved in a campaign targeting European diplomatic organizations during the US withdrawal from Afghanistan.

The lure document reported by CERT-UA mimics the National Police of Ukraine, themed around the need to preserve video materials of crimes conducted by the Russian military.

Ukraine Targeting Lure Document

Lure documents through the various campaigns contain metadata indicating the original creator is using the Windows operating system in a Chinese language setting. This includes the system’s username set as “用户” (user).

Malware and Infrastructure

Multiple methods have been in use to attempt to load the malware onto the target system. In the case of the 2020 documents, the user must enable document Macros. In the most recent version from CERT-UA, the executable loader controls the install with the help of a batch file while also opening the lure document. The loader executable itself contains the PDF, batch installer, and HeaderTip malware as resource data.

The batch file follows a simple set of instructions to define the HeaderTip DLL, set persistence under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and then execute HeaderTip. Exports called across the HeaderTip samples have been HttpsInit and OAService, as shown here.

officecleaner.bat File Contents

The HeaderTip samples are 32-bit DLL files, written in C++, and roughly 9.7 KB. The malware itself makes HTTP POST requests to the defined C2 server using the user agent: "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko". The general functionality of HeaderTip is limited to beaconing outbound for updates, potentially so it can act as simple first-stage malware waiting for a second stage with more capabilities.

Scarab has repeatedly made use of dynamic DNS services, which means the C2 server IP addresses and neighboring subdomains should not be considered related. In fact, some of the dynamic DNS services used by Scarab can easily link one to various unrelated APT groups, such as those in the infamous CloudHopper report or the 2015 Bookworm malware blogs. While those may be associated with Chinese APTs, this more likely indicates a standard operating toolkit and approach rather than shared technical resources.
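As an added defender-side example (not SentinelLabs code), the following Python checks implement two detections drawn from the batch-file persistence and the beaconing behaviour described above: flagging HTTP POSTs with the reported user agent to the exact C2 FQDN, and flagging HKCU Run values that invoke a HeaderTip export. The proxy log format, the reg-query output, the file paths and the assumption that the export is started through rundll32 are constructed for this example; only dynamic.ddns[.]mobi, the user agent and the export names HttpsInit/OAService come from the report.

```python
"""Defender-side checks for the HeaderTip tradecraft described above.

Added example, not SentinelLabs code. Two checks from the report:
  1. HTTP POST beacons with the reported user agent to the exact C2 FQDN;
  2. HKCU Run-key values that invoke a DLL export named HttpsInit or OAService.
The proxy log format, the reg-query output and all file paths are constructed.
"""
import re
from typing import Dict, List

# User agent reported for HeaderTip POST requests. It is also a normal IE11
# string, so on its own it is only weak evidence.
HEADERTIP_UA = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"

# Exact FQDNs only (defanged brackets removed). Scarab uses dynamic DNS
# providers, so a sibling subdomain of ddns.mobi must NOT be treated as related.
C2_HOSTS = {"dynamic.ddns.mobi"}

# Exports the report says were called across HeaderTip samples (lower-cased).
HEADERTIP_EXPORTS = {"httpsinit", "oaservice"}

# Constructed proxy log: <ts> <client> <method> <host> <path> <status> "<ua>"
PROXY_LOG = """\
2022-03-22T09:01:12Z 10.0.0.15 GET update.microsoft.com /v11/3/ 200 "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
2022-03-22T09:01:40Z 10.0.0.15 POST dynamic.ddns.mobi /index.php 200 "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
2022-03-22T09:02:05Z 10.0.0.22 POST other.ddns.mobi /upload 200 "curl/7.79.1"
2022-03-22T09:02:30Z 10.0.0.15 GET dynamic.ddns.mobi /favicon.ico 404 "Mozilla/5.0 (X11; Linux x86_64) Firefox/98.0"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) '
    r'(?P<path>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def parse_proxy_log(text: str) -> List[Dict[str, str]]:
    """Parse the constructed proxy format; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def classify_request(row: Dict[str, str]) -> str:
    """Return 'c2-beacon', 'c2-host', 'ua-only' or 'benign' for one request."""
    host = row["host"].lower().rstrip(".")
    ua_match = row["ua"] == HEADERTIP_UA
    if host in C2_HOSTS:
        # Any contact with the exact C2 FQDN deserves an alert; a POST carrying
        # the reported user agent is the beacon pattern itself.
        if row["method"] == "POST" and ua_match:
            return "c2-beacon"
        return "c2-host"
    if ua_match:
        # Common IE11 UA: keep for hunting, do not alert on it alone.
        return "ua-only"
    return "benign"


def find_beacons(text: str) -> List[Dict[str, str]]:
    """Return rows judged c2-beacon or c2-host, with the verdict attached."""
    hits = []
    for row in parse_proxy_log(text):
        verdict = classify_request(row)
        if verdict in ("c2-beacon", "c2-host"):
            hits.append({**row, "verdict": verdict})
    return hits


# Constructed output of: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
RUN_KEY_DUMP = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive        REG_SZ    "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    officecleaner   REG_SZ    rundll32.exe C:\Users\user\AppData\Roaming\officecleaner.dat,HttpsInit
"""

RUN_VALUE_RE = re.compile(r"^\s*(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.+?)\s*$")


def find_headertip_run_values(dump: str) -> List[Dict[str, str]]:
    """Flag Run values whose command line names a HeaderTip export.

    Assumes the DLL is started by calling one of its exports, e.g. via
    rundll32 <dll>,<export>, as the report's batch file implies.
    """
    hits = []
    for line in dump.splitlines():
        m = RUN_VALUE_RE.match(line)
        if not m:
            continue
        tokens = set(re.split(r"[ ,]+", m.group("data").lower()))
        matched = sorted(HEADERTIP_EXPORTS & tokens)
        if matched:
            hits.append({"name": m.group("name"), "data": m.group("data"),
                         "export": matched[0]})
    return hits
```

Matching on the full FQDN rather than the parent dynamic DNS domain is deliberate: as noted above, sibling subdomains of a dynamic DNS provider are not evidence of relation, so other.ddns.mobi in the sample log stays unflagged.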

Conclusion

We assess with high confidence the recent CERT-UA activity attributed to UAC-0026 is the Scarab APT group and represents the first publicly-reported attack on Ukraine from a non-Russian APT. The HeaderTip malware and associated phishing campaign utilizing Macro-enabled documents appears to be a first-stage infection attempt. At this point in time, the threat actor’s further objectives and motivations remain unclear.

Indicators of Compromise


ModifiedElephant APT and a Decade of Fabricating Evidence

10 February 2022 at 04:55

Executive Summary

  • Our research attributes a decade of activity to a threat actor we call ModifiedElephant.
  • ModifiedElephant is responsible for targeted attacks on human rights activists, human rights defenders, academics, and lawyers across India with the objective of planting incriminating digital evidence.
  • ModifiedElephant has been operating since at least 2012, and has repeatedly targeted specific individuals.
  • ModifiedElephant operates through the use of commercially available remote access trojans (RATs) and has potential ties to the commercial surveillance industry.
  • The threat actor uses spearphishing with malicious documents to deliver malware, such as NetWire, DarkComet, and simple keyloggers with infrastructure overlaps that allow us to connect long periods of previously unattributed malicious activity.


Background

In September 2021, SentinelLabs published research into the operations of a Turkish-nexus threat actor we called EGoManiac, drawing attention to their practice of planting incriminating evidence on the systems of journalists to justify arrests by the Turkish National Police. A threat actor willing to frame and incarcerate vulnerable opponents is a critically underreported dimension of the cyber threat landscape that brings up uncomfortable questions about the integrity of devices introduced as evidence. Emerging details in an unrelated case caught our attention as a potentially similar scenario worthy of more scrutiny.

Long-standing racial and political tensions in India were inflamed on January 1st, 2018 when critics of the government clashed with pro-government supporters near Bhima Koregaon. The event led to subsequent protests, resulting in more violence and at least one death.

In the following months, Maharashtra police linked the cause of the violence to the banned Naxalite-Maoist Communist party of India. On April 17th, 2018, police conducted raids and arrested a number of individuals on terrorism-related charges. The arresting agencies identified incriminating files on the computer systems of defendants, including plans for an alleged assassination attempt against Prime Minister Modi.

Thanks to the public release of digital forensic investigation results by Arsenal Consulting and those referenced below, we can glean rare insights into the integrity of the systems of some defendants and grasp the origin of the incriminating files. It turns out that a compromise of defendant systems led to the planting of files that were later used as evidence of terrorism and justification for the defendants’ imprisonment. The intrusions in question were not isolated incidents.

Our research into these intrusions revealed a decade of persistent malicious activity targeting specific groups and individuals that we now attribute to a previously unknown threat actor named ModifiedElephant. This actor has operated for years, evading research attention and detection due to their limited scope of operations, the mundane nature of their tools, and their regionally-specific targeting. ModifiedElephant is still active at the time of writing.

ModifiedElephant Targets & Objectives

The objective of ModifiedElephant is long-term surveillance that at times concludes with the delivery of ‘evidence’—files that incriminate the target in specific crimes—prior to conveniently coordinated arrests.

After careful review of the attackers’ campaigns over the last decade, we have identified hundreds of groups and individuals targeted by ModifiedElephant phishing campaigns. Activists, human rights defenders, journalists, academics, and law professionals in India are those most highly targeted. Notable targets include individuals associated with the Bhima Koregaon case.

Infection Attempts

Throughout the last decade, ModifiedElephant operators sought to infect their targets via spearphishing emails with malicious file attachments, with their techniques evolving over time.

Their primary delivery mechanism is malicious Microsoft Office document files weaponized to deliver the malware of choice at the time. The specific payloads changed over the years and across different targets. However, some notable trends remain.

  • In mid-2013, the actor used phishing emails containing executable file attachments with fake double extensions (filename.pdf.exe).
  • After 2015, the actor moved on to less obvious files containing publicly available exploits, such as .doc, .pps, .docx, .rar, and password-protected .rar files. These attempts involved legitimate lure documents in .pdf, .docx, and .mht formats to hold the target’s attention while also executing malware.
  • In 2019 phishing campaigns, ModifiedElephant operators also took the approach of providing links to files hosted externally for manual download and execution by the target.
  • As first publicly noted by Amnesty in reference to a subset of this activity, the attacker also made use of large .rar archives (up to 300MB), potentially in an attempt to bypass detection.

Observed lure documents repeatedly made use of CVE-2012-0158, CVE-2014-1761, CVE-2013-3906, CVE-2015-1641 exploits to drop and execute their malware of choice.

The spearphishing emails and lure attachments are titled and generally themed around topics relevant to the target, such as activism news and groups, global and local events on climate change, politics, and public service. A public deconstruction of two separate 2014 phishing emails was shared by Arsenal Consulting in early 2021.

Spearphishing email containing malicious attachment attributed to ModifiedElephant

ModifiedElephant continually made use of free email service providers, like Gmail and Yahoo, to conduct their campaigns. The phishing emails take many approaches to gain the appearance of legitimacy. This includes fake body content with a forwarding history containing long lists of recipients, original email recipient lists with many seemingly fake accounts, or simply resending their malware multiple times using new emails or lure documents. Notably, in specific attacks, the actor would be particularly persistent and attempt to compromise the same individuals multiple times in a single day.

By reviewing a timeline of attacker activity, we can observe clear trends as the attacker(s) rotate infrastructure over the years.

Timeline sample of ModifiedElephant and SideWinder C2 Infrastructure

For example, from early-2013 to mid-2016, a reasonably clear timeline can be built with little overlap, indicating a potential evolution or expansion of activities. Dates are based on first and last spearphishing emails observed delivering samples that communicate with a given domain. Notably, a separate Indian-nexus threat actor, SideWinder, is placed alongside ModifiedElephant in this graph as they were observed targeting the same individuals.
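The timeline method described here, collapsing lure observations into a first-seen/last-seen window per C2 domain and then checking how much the windows overlap, is simple to reproduce. The block below is an added example written for this article, not SentinelLabs tooling; every date, domain and cluster label in it is constructed and carries no relation to the real infrastructure.

```python
"""Build a first-seen/last-seen C2 timeline from spearphishing observations
and report overlapping windows. All records below are constructed; the
domains are placeholders, not the actor's infrastructure."""
from datetime import date
from itertools import combinations

# (date lure was observed, C2 domain its payload contacted, attributed cluster)
OBSERVATIONS = [
    (date(2013, 2, 10), "c2-one.example", "ModifiedElephant"),
    (date(2013, 9, 1),  "c2-one.example", "ModifiedElephant"),
    (date(2013, 8, 15), "c2-two.example", "ModifiedElephant"),
    (date(2014, 6, 3),  "c2-two.example", "ModifiedElephant"),
    (date(2014, 7, 1),  "c2-three.example", "ModifiedElephant"),
    (date(2016, 5, 20), "c2-three.example", "ModifiedElephant"),
    (date(2013, 2, 20), "sw-one.example", "SideWinder"),
    (date(2014, 1, 10), "sw-one.example", "SideWinder"),
]


def build_timeline(observations):
    """Collapse observations into {domain: (first, last, cluster)}, ordered by first-seen."""
    windows = {}
    for day, domain, cluster in observations:
        first, last, _ = windows.get(domain, (day, day, cluster))
        windows[domain] = (min(first, day), max(last, day), cluster)
    return dict(sorted(windows.items(), key=lambda kv: kv[1][0]))


def overlaps(timeline, same_cluster_only=True):
    """Pairs of domains whose active windows overlap, with the overlap length in days.

    With same_cluster_only=False the cross-cluster overlaps (here, SideWinder
    domains active while ModifiedElephant domains were) are reported too.
    """
    out = []
    for (a, (a1, a2, ca)), (b, (b1, b2, cb)) in combinations(timeline.items(), 2):
        if same_cluster_only and ca != cb:
            continue
        start, end = max(a1, b1), min(a2, b2)
        if start <= end:
            out.append((a, b, (end - start).days + 1))
    return out


def render(timeline):
    """Plain-text rendering of the timeline, one domain per line."""
    return "\n".join(
        f"{first.isoformat()}  {last.isoformat()}  {cluster:16} {domain}"
        for domain, (first, last, cluster) in timeline.items()
    )


if __name__ == "__main__":
    tl = build_timeline(OBSERVATIONS)
    print(render(tl))
    print("same-cluster overlaps:", overlaps(tl))
    print("all overlaps:", overlaps(tl, same_cluster_only=False))
```

A short, clean succession of windows with little same-cluster overlap is what the article reads as infrastructure rotation; a window that stays open across several successors, or large cross-cluster overlap against the same targets, is the pattern that prompts the shared-tasking questions raised later in the piece.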

Weapons of Choice

The malware most used by ModifiedElephant is unsophisticated and downright mundane, and yet it has proven sufficient for their objectives–obtaining remote access and unrestricted control of victim machines. The primary malware families deployed were the NetWire and DarkComet remote access trojans (RATs). Both RATs are publicly available and have a long history of abuse by threat actors across the spectrum of skill and capability.

One particular activity revolves around the file Ltr_1804_to_cc.pdf, which contains details of an assassination plot against Prime Minister Modi. A forensic report by Arsenal Consulting showed that this file, one of the more incriminating pieces of evidence obtained by the police, was one of many files delivered via a NetWire RAT remote session that we associate with ModifiedElephant. Further analysis showed how ModifiedElephant was performing nearly identical evidence creation and organization across multiple unrelated victim systems within roughly fifteen minutes of each other.

Incubator Keylogger

Known victims have also been targeted with keylogger payloads stretching as far back as 2012 (0a3d635eb11e78e6397a32c99dc0fd5a). These keyloggers, packed at delivery, are written in Visual Basic and are not the least bit technically impressive. Moreover, they’re built in such a brittle fashion that they no longer function.

The overall structure of the keylogger is fairly similar to code openly shared on Italian hacking forums in 2012. Further details of the ModifiedElephant variant can be found in our full report.

In some cases, the attacker conducted multiple unique phishing attempts with the same payloads across one or more targets. However, ModifiedElephant generally conducts each infection attempt with new malware samples.

Android Trojan

ModifiedElephant also sent multiple phishing emails containing both NetWire and Android malware payloads at the same time. The Android malware is an unidentified commodity trojan delivered as an APK file (0330921c85d582deb2b77a4dc53c78b3).

While the Android trojan bears marks of being designed for broader cybercrime, its delivery at the same time as ModifiedElephant Netwire samples indicates that the same attacker was attempting to get full coverage of the target on both endpoint and mobile. The full report contains further details about the Android Trojan.

Relations to Other Threat Clusters

Our research into this threat actor reveals multiple interesting threads that highlight the complex nature of targeted surveillance and tasking, where multiple actors swoop in with diverse mechanisms to track the same group of individuals. These include private sector offensive actors (PSOAs) and groups with possible commercial facades to coordinate their illicit activities.

Based on our analysis of ModifiedElephant, the group operates in an overcrowded target space and may have relations with other regional threat actors. From our visibility, we can’t further disambiguate the shape of that relationship–whether as part of an active umbrella organization, cooperation and sharing of technical resources and targets across threat groups, or simply coincidental overlaps. Some interesting overlaps are detailed below.

  • Multiple individuals targeted by ModifiedElephant over the years have also been either targeted or confirmed infected with mobile surveillance spyware. Amnesty International identified NSO Group’s Pegasus being used in targeted attacks in 2019 against human rights defenders related to the Bhima Koregaon case. Additionally, the Bhima Koregaon case defendant Rona Wilson’s iPhone was targeted with Pegasus since 2017 based on a digital forensics analysis of an iTunes backup found in the forensic disk images analyzed by Arsenal Consulting.
  • Between February 2013 and January 2014 one target, Rona Wilson, received phishing emails that can be attributed to the SideWinder threat actor. The relationship between ModifiedElephant and SideWinder is unclear as only the timing and targets of their phishing emails overlap within our dataset. This could suggest that the attackers are being provided with similar tasking by a controlling entity, or that they work in concert somehow. SideWinder is a threat actor targeting government, military, and business entities primarily throughout Asia.
  • ModifiedElephant phishing email payloads (b822d8162dd540f29c0d8af28847246e) share infrastructure overlaps (new-agency[.]us) with Operation Hangover. Operation Hangover includes surveillance efforts against targets of interest to Indian national security, both foreign and domestic, in addition to industrial espionage efforts against organizations around the world.
  • Another curious finding is the inclusion of the string “Logs from Moosa’s” found in a keylogger sample closely associated with ModifiedElephant activity in 2012 (c14e101c055c9cb549c75e90d0a99c0a). The string could be a reference to Moosa Abd-Ali Ali, the Bahrain activist targeted around the same time, with FinFisher spyware. Without greater information, we treat this as a low confidence conjecture in need of greater research.

Attribution

Attributing an attacker like ModifiedElephant is an interesting challenge. At this time, we possess significant evidence of what the attacker has done over the past decade, a unique look into who they’ve targeted, and a strong understanding of their technical objectives.

We observe that ModifiedElephant activity aligns sharply with Indian state interests and that there is an observable correlation between ModifiedElephant attacks and the arrests of individuals in controversial, politically-charged cases.

Conclusion

The Bhima Koregaon case has offered a revealing perspective into the world of a threat actor willing to place significant time and resources into seeking the disruption of those with opposing views. Our profile of ModifiedElephant has taken a look at a small subset of the total list of potential targets, the attacker's techniques, and a rare glimpse into their objectives. Many questions about this threat actor and their operations remain; however, one thing is clear: critics of authoritarian governments around the world must carefully understand the technical capabilities of those who would seek to silence them.

Further details, Indicators of Compromise and Technical References are available in the full report.

Read the Full Report
