Yesterday, Matthew Meltzer, Sean Koessel, and Steven Adair @ Volexity released an excellent write-up on the Indian APT group known as Dropping Elephant. The Volexity article detailed attacks against US think tanks, IOC’s, and network based indicators. We have looked into the spear phishing attack with the access we have in ProofPoint via our MalNet project to provide any other visibility or insight into the work Volexity had already documented.
Here is what was Found.
Additional Network Observations
CnC QuasarRAT malware related to sastind-cn.org / 220.127.116.11 had a tagging of being first seen on or around 03/10/18 relating to the two sample MD5 be550349fb4bb2277822554fc243f0a3 and 2d8e9fb75e6e816cad38189691e9c9c8 (Note – This sample identified in Volexity writeup as mico-adio.exe).
Network traffic related to this sample was limited, but it should have triggered on the ETPro signature “ETPRO POLICY External IP Lookup Domain (freegeiop .net in DNS lookup)” while attempting to also lookup freegeoip.net (this is somewhat benign in the sea of IDS alerts, but if you are looking for indicators in your logged DNS requests this may be helpful.)
CnC Delphi RAT malware related to ebeijingcn.live had first been seen on or around 3/8/18, with what looks to have been 3 different campaign versions that we could observe.
– Campaign #1 (3/18/18) with MD5 f396b476413558266f3abd336e06cbfc,
– Campaign #2 (03/16/18) with MD5 5c3456d5932544b779fe814133344fdb (Identified in Volexity write-up as vsrss.exe) and
– Campaign #3 (03/23/18) with MD5 89beb207e7095d237c4d25c4c6e17e97 (Identified in Volexity write-up as Armed-Forces-Officers.doc).
Network based indicators relating to Campaign #2 (MD5 c3456d5932544b779fe814133344fdb) and Campaign #3 (MD5 89beb207e7095d237c4d25c4c6e17e97) both triggered on the network based IDS signatures “ET TROJAN W32/Patchwork.Backdoor Communicating with CnC, sid 2025163” (updates for this pushed 05/11/18). Something to look for in your logs as an indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Patchwork.Backdoor Communicating with CnC"; flow:established,to_server; content:"POST"; http_method; content:".php?cx="; http_uri; nocase; fast_pattern; content:"&b="; http_uri; nocase; distance:0; content:">="; http_uri; nocase; distance:0; content:"&tx="; http_uri; nocase; distance:0; pcre:"/\.php\?cx=[A-F0-9]+&b=[A-F0-9]+>=[A-F0-9]+&tx=[A-F0-9]+$/Ui"; http_content_len; content:"0"; metadata: former_category TROJAN; reference:md5,ddeabe234c4084ba379cf3be4fdf503d; classtype:trojan-activity; sid:2025163; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_21, updated_at 2018_05_11;)
Additional information on the CnC QuasarRAT malware related to tautiaos.com / 18.104.22.168 revealed a first seen campaign related with MD5 9e4c373003c6d8f6597f96fc3ff1f49c on 02/09/18. Private signatures provided by Proofpoint / ETPro related to “ETPRO TROJAN Xtrat/xRAT CnC DNS Lookup (tautiaos .com)”.
Looking at historical IDS signatures listed above or recursive DNS logs may help find if you had been compromised by some of these actors.
Please email us if you would like the full Maltego file.
With extensive experience in defensive and offensive security, Daniel has been a quiet trailblazer in digital intel-gathering long before cyber intelligence became a discipline. More than a decade ago he was inventing and applying his own intelligence tools in support of companies and governments around the world facing urgent threats. Using this deep understanding of web technologies and the behaviors of cybercriminals, he has enhanced, updated and packaged these tools under ShadowDragon.
Daniel is a member of the Odonata Holdings, Inc.