“During the course of ESET’s investigations,” announced the company this morning, “several leads were discovered that indicate the threat originates from India and has been going on for at least two years.”
The two infection vectors used in the campaign are the Microsoft Office CVE-2012-0158 vulnerability (also used in a separate 'mens health/military' campaign earlier this year), and PE files disguised as Word or PDF files. In the former, an analyzed example sent information about the system to the domain feds.comule.com, and then downloaded a malicious binary from digitalapp.org. In the latter example, opening an email attachment would download and execute additional malware, but would simultaneously display a Word document to lull the user’s suspicions.
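The second vector above relies on the recipient trusting a file's name and icon rather than its contents. As an added example (not code from the article or from ESET's analysis), the following Python checks an attachment's real type from its magic bytes and flags the two mismatches the campaign used: a PE executable carrying a document extension, and a double extension such as `report.pdf.exe`. The file names, the minimal PE header and the document samples are all constructed here for illustration.

```python
"""Flag attachments whose name claims a document but whose bytes are a PE.

Added example; sample files are built in memory, no real malware involved.
"""
from __future__ import annotations

import struct

DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".rtf"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def is_pe(data: bytes) -> bool:
    """True if data has an MZ stub whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff_type(data: bytes) -> str:
    """Identify the container from its leading bytes, ignoring the file name."""
    if is_pe(data):
        return "pe"
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"):  # OLE2 compound file (legacy .doc)
        return "ole2"
    if data.startswith(b"PK\x03\x04"):  # OOXML (.docx) is a ZIP container
        return "zip"
    return "unknown"


def classify_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons an attachment looks suspicious (empty list if none)."""
    reasons: list[str] = []
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    kind = sniff_type(data)

    # Name says document, bytes say Windows executable.
    if ext in DOCUMENT_EXTENSIONS and kind == "pe":
        reasons.append(f"extension {ext} but content is a PE executable")

    # "briefing.pdf.exe": a document extension immediately before the real one.
    if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTENSIONS and ext in EXECUTABLE_EXTENSIONS:
        reasons.append("double extension hides executable type")

    # Any executable arriving as a mail attachment merits review on its own.
    if ext in EXECUTABLE_EXTENSIONS and kind == "pe":
        reasons.append("executable attachment")
    return reasons


def build_fake_pe() -> bytes:
    """Construct the smallest byte string is_pe() accepts: MZ stub + PE signature."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 16


# Constructed sample attachments (names are illustrative, not from the campaign).
SAMPLES = [
    ("annual_report.pdf", b"%PDF-1.4\n%constructed sample\n"),
    ("memo.docx", b"PK\x03\x04" + b"\x00" * 26),
    ("defence_policy.doc", build_fake_pe()),
    ("briefing.pdf.exe", build_fake_pe()),
]


def scan_samples() -> dict[str, list[str]]:
    """Run the classifier over SAMPLES and return name -> reasons."""
    return {name: classify_attachment(name, data) for name, data in SAMPLES}


if __name__ == "__main__":
    for name, reasons in scan_samples().items():
        verdict = "; ".join(reasons) if reasons else "ok"
        print(f"{name:22} {verdict}")
```

The check deliberately never trusts the extension: Windows hides known extensions by default, so a user sees `briefing.pdf` for `briefing.pdf.exe`, and an icon resource inside the PE can complete the disguise. Reading the MZ/PE signature is cheap and is what a mail gateway or endpoint scanner should do before any name-based rule.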
ESET has found several different documents following different themes. “One of these themes,” says Jean-Ian Boutin in his blog posting, “is the Indian armed forces. We do not have inside information as to which individuals or organizations were really targeted by these files. However, based on our detection metrics, it is our assumption that people and institutions in Pakistan were targeted.”
A typical clue to the targets can be found in one of the self-extracting archive attachments. It is named ‘pakistandefencetoindiantopmiltrysecreat.exe’, and unpacks to provide a document headlined ‘While exposing India’s ambitious defence policy’ – a subject that would appeal more to Pakistan than India.
A major clue to the source of the campaign comes from a code-signing certificate used in part of the campaign. Although now revoked by Verisign, it was originally issued to an Indian company calling itself Technical and Commercial Consulting Pvt. Ltd.
The payloads delivered by the campaign were all “geared towards exfiltrating data from an infected computer to the attackers’ servers,” notes Boutin – but the stolen information was not encrypted when sent back to the attacker. This, he says, “is puzzling considering that adding basic encryption would be easy and provide additional stealth to the operation.”
This is one of the more puzzling aspects of the campaign. There are signs of some attempt to disguise the malware, but little that can be called ‘stealth’. For example, many of the malicious binaries add an entry to the Windows Startup menu using a deceptive name. “While this technique allows the different components of the attack to be launched after each system reboot,” says Boutin, “it cannot be labelled as stealthy. Since targeted attacks usually try to stay under the radar as long as possible, we were surprised to see this technique used in this case.”
This is the contradiction in ESET’s discovery. The campaign is extensive and long-lasting, yet unsophisticated. But, concludes Boutin, “maybe they see no need to implement stealthier techniques because the simple ways still work.”