In early 2012, a client contacted us with suspicious-looking emails that he had received. There were two emails received by the client. While we completed the investigation and submitted the report to the customer at that time, we never took the case forward. However, when the Norman Hangover report was published it rang a few bells, and we decided to take a deeper look at the malware samples we had collected and do a more detailed analysis once again.
While the report has been kept confidential and shared with Indian law enforcement agencies, the conclusions and some of the threat indicators are given below:
- We believe that this was malware written specifically from a corporate espionage perspective.
- The malware isn’t really all that smart. It uses 2010 CVEs to exploit victims in 2011-2012. However, this does say a lot for the general levels of security awareness given the number of people infected
- The affected entities discovered during our analysis are all Indian – hospital in Goa, visa facilitation agency in Bangalore, tax/account consultant, textile trading company, etc.
- The attacks also are Indian-flavored (with email attachment names of Loop Mobile Bill, Terrorists wanted by Delhi police, etc.).
- The attacks are targeted – my client did in fact use a mobile plan from Loop Mobile.
- One of the C&C IP addresses belongs to Tata Communications – an Indian ISP.
- Though the string “appin” occurs in the names of a number of files hosted on the C&C server as well as tools authored by Appin (aMatrix and aMiner) are found on the server, the link with Appin Security Group is not concrete. It is in Appin’s best interest to cooperate with Indian Law Enforcement Agencies to investigate whether it is someone trying to malign their name or misusing their tools or ex-employees who have gone rogue.
- It is in the interest of Law Enforcement Agencies to take this ahead and investigate along the following lines:
- Who had registered the IP address 202.54.157.152 (Tata Communications)
- Who had registered the domain heritage-society.com
- Who are “chirag” and “yash”?
- Who owns the email ID allmail.moniter@gmail.com and others noted in the report
- Who are the Indian entities compromised – we have their public IP addresses, if not their names
- Is this a one-off issue, or part of a larger corporate espionage exercise carried out by rogue group/organization?
We have offered to share evidences and details with law enforcement agencies to take it ahead.
Indian APT - the Hangover Effect - Full Report - Checkmate
[…] an earlier blog post I had published the summary of our findings of a malware analysis done, which had a number of […]
OffSec.ru
Hi there to every , because I am actually eager
of reading this webpage’s post to be updated regularly.
It includes pleasant material.