During our routine threat hunting exercise, Cyble Research Labs came across a malware sample posted on Twitter by a researcher who believes that the malware belongs to Transparent Tribe, an Advanced Persistent Threat (APT) Group. Given the nature of the victim and the way they are targeted, we can draw some similarities to the Side Copy APT group.
Both APT groups are known to have mainly targeted India’s Defense and Government sectors in the past. Additionally, both groups have used various other RAT and malware to launch campaigns via multiple modes such as phishing, delivering payload via mail, etc. The malware posted by the researcher on Twitter has used a technique to hide the actual malware in the .vhdx file to avoid any antivirus detection. As per Wikipedia, .vhdx is the successor of VHD (Virtual Hard Disk).
The figure below shows the high-level execution flow of the malware. Upon execution, the malware checks for the current time zone. If it is able to verify that the victim system’s time zone is in IST, it connects to the attacker’s URL for downloading the second stager. Once downloaded, it executes the second stager payload and deletes itself.
The second stager payload checks that only one instance of the malware is running, and then it connects with the attacker’s Command and Control (C&C) server to start receiving the commands from Threat Actor (TA).
Technical Analysis
Cyble Research started analysis with the malware file name AFD CSD APP.vhdx; the sample had an extension. vhdx. After double-clicking on the AFD CSD APP.vhdx we observed it creating a mount in the Operating System (OS) with the name “CSD App“. After opening the mounted drive, we got the malicious malware file which is CSD_AppLaunch.exe.
While performing a static analysis of the CSD_AppLaunch.exe malicious file, we determined that that the file is an x86 architecture Windows-based Graphical User Interface (GUI) Application written in .NET Language shown in the figure below.
The icon of the malicious app had the logo of the Canteen Store Department (CSD) of the Indian Armed Forces, as shown in the figure below.
Code Analysis (CSD_AppLaunch.exe)
As per the below code, once the malware has been executed, it checks whether the current OS time Zone is India Standard Time (IST); if the OS time is not in IST, the malware exits. This tells us that the malware has been created with the explicit purpose of targeting the Indian Defense establishment and service members.
Initially, the code shown below figure uses the .NET WebBrowser() class to open the URL h[tt]ps:[//]afd.csdindia[.]gov[.]in and load the Form1_Load module to execute the malicious malware code.
Once the Form1_Load method is called, the code shown in Figure 7 creates a directory in C:\\ProgramData as “Intel Wifi”. If this directory is not present, it will be created, Once the directory is present, the malware proceeds to download the next stager payload from URL https[:]//secure256[.]net/ver4.mp3. Then, the malware decrypts the ver4.mp3 content to create IntelWifi.exe malicious binary in C:\\ProgramData\\Intel Wifi as shown in the code below.
The code below contains the decryption logic used by the malware to decrypt the content of ver4.mp3 file.
Finally, the first stager malware calls the Final method to create a new file name music.mp3 which contains the decrypted data of ver4.mp3 in the C:\\ProgramData directory.
After this step, it sleeps for 6 seconds and then uses the Move function to rename the music.mp3 file to IntelWifi.exe. It then sleeps for five more seconds and then executes IntelWifi.exe binary and delete CSD_AppLaunch.exe (first stager) binary as shown in the figure below.
Technical Analysis for IntelWifi.exe (Second Stager)
Static analysis of IntelWifi.exe tells that the binary is an x86 architecture Windows-based Graphical User Interface (GUI) application written in .NET language as shown in the figure below.
As per the below code, initially, the malware checks that only a single instance of a malware process is running. Then, it checks whether the current time zone is India Standard Time. Further, it calls CheckDirectory() method to create \\Intel Wifi directory and vmnx.dll file. Finally, it calls the Form1 module to execute the malicious codes.
Form1() module calls IntializeComponent method, which in turn loads the Form1_Load method. The Form1_Load then calls Run() method to start the malware activity as shown in the figure below.
The Run code is shown in Figure 13. Once executed, it connects to the attacker’s C&C on address 45[.]147[.]228[.]195[:]5434. After establishing contact with the C&C server, it calls the Run method from the Grabber class to execute a series of methods to get the victim’s environment details, e.g., OS, current username, etc. Once the victim’s environment details are extracted, the malware sends the details to the attacker’s C&C with key “x999” and then waits for commands to be received from the attacker.
Below we have listed a series of methods executed by the Run() method present in the Grabber class.
| Methods | Description |
| CreateID() | Create vmvcx.dll file and Generate Victim ID based on processor detail and P-Followed by random number and write the ID is vmvcx.dll file. E.g., PXXX-XXXXXXXXXXXX |
| Name() | Get the Computer Name and Current Username |
| PubIp() | Get the Victim’s public IP using http://icanhazip[.]com |
| LocIp() | Get the Victim’s Local IP |
| OSType() | Get the Victim’s Operating System (OS) details |
| Av() | Get the AV’s List present in Victim’s Machine |
| MacType() | Check whether Victim’s is using desktop or Laptop |
| CreateNonStop() | Add persistence in Startup Folder |
The below figure shows that the cynetcloud shortcut file is created in the startup folder using CreateNonStop() method. The value file:///C:\ProgramData\Intel Wifi\IntelWifi.exe executes whenever the Windows machine starts. This is done for the purpose of creating and maintaining persistence on the victim machine.
Once all the methods are executed, as shown in Table 1, the malware sends the user data to Attacker’s C&C. In the figure below, the malware has connected to our fake emulated C&C.
Once connected, the malware sends the victim’s environment details. The malware goes into a dormant stage to get the next command from the attacker’s C&C.
For example, in the below figure, we have sent “prc1” to the malware to get the process details of the victim.
Below is the code used by the malware to handle the commands received from C&C.
Conclusion
The APT groups are evolving their tools and techniques to stay ahead of various security solutions like AV & EDR. Based on the fact that this malware has multiple artifacts such as the logo, the URL used in the initial code, we can conclude that the malware has been created specifically to target Indian Defense or Government officials.
Cyble Research Labs will continuously monitor security threats, whether they are ongoing or emerging. We will continue to update our readers with our latest findings.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:
- Use a reputed anti-virus and internet security software package on your connected devices.
- Use the shared IOCs to monitor and block the malware infection.
- Conduct regular backup practices and keep those backups offline or in a separate network.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use strong passwords and enforce multi-factor authentication wherever possible.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Execution | T1204 | User Execution |
| Persistence | T1547 | Boot or Logon Autostart Execution |
| Discovery | T1057 T1124 T1033 T1082 | Process Discovery System Time Discovery System Owner/User Discovery System Information Discovery |
| Command and Control | T1095 T1571 | Non-Application Layer Protocol Non-Standard Port |
Indicators of Compromise (IoCs):
| Indicators | Indicator type | Description |
| 124023c0cf0524a73dabd6e5bb3f7d61d42dfd3867d699c59770846aae1231ce | SHA-256 | IntelWifi.exe |
| 84841490ea2b637494257e9fe23922e5f827190ae3e4c32134cadb81319ebc34 | SHA-256 | CSD_AppLaunch.exe |
| 5e645eb1a828cef61f70ecbd651dba5433e250b4724e1408702ac13d2b6ab836 | SHA-256 | AFD CSD APP.vhdx |
| http://secure256[.]net/ | URL | Second Stager URL |
| 45.147.228.195:5434 | IP:Port | Attacker’s C&C |
Generic signatures and Rules:
Yara Rules:
rule win32_csdmalware
{
meta:
author= "Cyble Research"
date= "2021-09-14"
description= "Coverage for CSD_Application.exe & IntelWifi.exe"
csd_application_hash= "84841490ea2b637494257e9fe23922e5f827190ae3e4c32134cadb81319ebc34 "
intelwifi_hash= "124023c0cf0524a73dabd6e5bb3f7d61d42dfd3867d699c59770846aae1231ce"
strings:
$header= "MZ"
$sig1 = "CreateNonStop" wide ascii
$sig2 = "LocIp" wide ascii
$sig3 = "MacType" wide ascii
$sig4 = "45.147.228.195" wide ascii
$sig5 = "qmquqsqiqcq.qmqpq3q" wide ascii
$sig6 = "secure256.net" wide ascii
$sig7 = "ver4.mp3" wide ascii
$sig8 = "x33117" wide ascii
condition:
$header at 0 and (3 of ($sig*))
}
About Us
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.
Comments are closed.