
Background on the group

Mysterious Elephant is a South Asian APT group named by the foreign security vendor Kaspersky in its Q2 2023 APT Trends Report[1]. The new backdoor ORPCBackdoor, which a domestic peer vendor had attributed to the Bitter (蔓灵花) group, appeared in Mysterious Elephant's attack campaigns[2, 3]; given the possible differences in attribution, that vendor also chose to track the group using ORPCBackdoor under a new designation distinct from Bitter. According to currently public information, the Mysterious Elephant group is associated with several APT groups in South Asia, and its attack methods particularly resemble those of the Bitter group. The group's targets include Pakistan and other countries.


Overview

QiAnXin Threat Intelligence Center recently found a batch of unusual CHM files whose embedded HTML script content is very simple: it merely executes an external file (such as "UsoCoreService" in the figure below). Because the CHM script itself contains no obviously malicious code, these samples have very few detections on VT.

The CHM samples use image decoys and a ".pdf.chm" double extension in the filename to pose as PDF files. The decoy content relates to Pakistan, Bangladesh, Myanmar and other South Asian countries and involves government agencies, military, diplomatic, economic and other sectors. During sample correlation we also found that the attackers imitated a red team's phishing samples; the decoy content of those imitations indicates that the targets were Pakistani defense and military departments.

The external file executed by the CHM is actually a backdoor written in C#, and its code is similar to the malicious samples covered in a report[4] that disclosed the Bitter group's attack arsenal. The server used to host the attack tooling mentioned in that report (libraofficeonline[.]com) is also associated with Mysterious Elephant, and some of the tooling hosted there is the same Mysterious Elephant malware disclosed at[5] (including ORPCBackdoor, WalkerShell, DemoTrySpy and others).

Because of the intricate connections between APT groups in South Asia and the differing tracking perspectives of multiple security researchers, the industry currently has no consensus on whether Mysterious Elephant should be distinguished from Bitter. To avoid introducing further disagreement, this paper concludes, based on the similarity of the malicious samples, that these particular CHM attack samples and C# backdoors most likely come from the Mysterious Elephant group.
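The behaviour described above (a CHM whose only job is to launch an external executable) leaves a simple process-tree signal: the HTML Help host hh.exe spawns a child process, which is rare in normal use. The following is an added example written for this page, not code from QiAnXin or from the analysed samples; it scores constructed Sysmon-style process-creation records (the key=value layout and the paths are assumptions) and flags any child of hh.exe, rating it high when the child lives in a user-writable directory or is a command interpreter.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed process-creation records in a Sysmon-like key=value form; not real telemetry.
SAMPLE_LOG = """\
ParentImage=C:\\Windows\\hh.exe|Image=C:\\Users\\u\\Downloads\\UsoCoreService.exe|CommandLine="C:\\Users\\u\\Downloads\\UsoCoreService.exe"
ParentImage=C:\\Windows\\hh.exe|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe
ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Users\\u\\Downloads\\setup.exe|CommandLine=setup.exe
ParentImage=C:\\Windows\\hh.exe|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd /c whoami
"""

# Directories a standard user can write to; a payload dropped next to a CHM lands here.
USER_WRITABLE = re.compile(r"\\(users|temp|appdata|programdata|public)\\", re.IGNORECASE)
# Interpreters whose launch from a help file is never expected.
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")


def parse_record(line: str) -> Dict[str, str]:
    """Split one 'key=value|key=value' record into a dict (values may contain '=')."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(fields: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (severity, child image) when hh.exe spawned a child process, else None."""
    if basename(fields.get("ParentImage", "")) != "hh.exe":
        return None
    image = fields.get("Image", "")
    if basename(image) in SHELLS or USER_WRITABLE.search(image):
        return "high", image
    return "medium", image


def detect(log_text: str) -> List[Tuple[str, str]]:
    """Run the hh.exe child-process check over every non-empty record."""
    alerts: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        verdict = assess(parse_record(line))
        if verdict is not None:
            alerts.append(verdict)
    return alerts


if __name__ == "__main__":
    for severity, image in detect(SAMPLE_LOG):
        print(f"[{severity}] hh.exe spawned {image}")
```

On the constructed records this yields three alerts: the dropped UsoCoreService.exe and the cmd.exe launch are rated high, the notepad.exe launch medium, and the explorer.exe-parented setup.exe is ignored. In a real deployment the same logic maps directly onto a Sysmon Event ID 1 query on ParentImage.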


Detailed analysis

Information on the CHM samples is as follows; some of them have been disclosed previously by other security researchers[6-8].

MD5 | Filename | Decoy theme
--- | --- | ---
3df2d899d6d8d827adf2d92c91b3b32b | Upcoming high level visit from China.pdf.chm | Possible outcomes of China's visit to Pakistan
b38aca4f2d80484d5523f1eada9afe76 | STRATEGIC RESTRAINT REGIME IN SOUTH ASIA.pdf.chm | Pakistan-India relations
75ee4f79a3ed4137a918888482ded6a1 | defoffsetpolicy.pdf.chm | Pakistan defense policy
8e2377022b80cdc51d2c98bbf0c9d313 | Myanmar Ship Clearance OM-2209.pdf.chm | Myanmar naval vessel requests clearance to enter Bangladeshi waters
2f7ee7c1c75fbfdc1d079fcc6e325d19 | PM Thanks Letter FAO Xi an Pak.pdf.chm | Letter of appreciation following the mission to Pakistan
19b767974205b66a12a28ccdb69943ed | Talking Points IAEA GC 2024.pdf.chm | Highlights of China-Pakistan bilateral meetings
aeb0b7e40f12ba093ff523fc124383ae | Bilateral Cooperation Pakistan China.pdf.chm | Pakistan-China bilateral cooperation
1645f406ab4e0d54e477330473c76664 | SR ICT 030924.pdf.chm | Pakistani military
d0030f5411698bb65f1cd281c5d302bc | 26082024_DSR_No.pdf.chm | Report of the Islamabad Police Department, Pakistan
232bb5b436c0836370fde34ca7b7138a | A Letter of China Development Bank.pdf.chm | Letter from China Development Bank
f26435785dd856ddb1fbcc682547aab0 | CAPSTONE Course 2024.pdf.chm | Documents of the Government of Bangladesh
68d458d1df36eaf885116a1b6801ab42 | Notice EC10 Power.pdf.chm | Pakistan Special Investment Facilitation Council (SIFC) meeting on the power sector

Pictures of some of the decoys are shown below:

The relevant C# backdoor information is below:

MD5 | Filename
--- | ---
27ac8eb519679530999e786281e9a578 | FileViewer.exe
115fb536e981c87873b0f35cb0059d93 | STRATEGIC_RESTRAINT_REGIME_DETAILS.exe
4e8e1339f9754d8d2c5f74cb03f44fbb | Guidelines_on_Offset_Program.exe
00f2df1829893caa85f3968961b6e736 | UsoCoreService.exe
a59fe2c89b0000a360a8468f2b990c73 | IAEA_GC_2024.exe; Bilateral_Cooperation.exe
a3a06d50438681fc9917e22c41bd2cab | SR_ICT.exe
316e8d798f7db625c207532e2f7a5d38 | Annexure.exe
616b29bd9e20fc032bc54acd5ed8aff0 | RuntimeIndexer.exe
ee64e70388e422dd9a620c3d18613268 | RuntimeIndexer.exe

Phishing sample construction

According to disclosed samples[8, 9], the attacker delivers the phishing sample as an encrypted zip archive. Both the CHM file and the C# backdoor are present in the archive, but the C# backdoor has the hidden file attribute set, so after extraction the victim sees only the CHM file. Even if a security-conscious victim scans the CHM file with antivirus software, the CHM file itself is likely to be judged safe because it carries almost no malicious script; the victim then opens the decoy CHM file directly, which launches the hidden C# backdoor.
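The hidden attribute and the ".pdf.chm" double extension are both visible in the archive's central directory without extracting or decrypting anything, which makes them cheap triage signals for mail gateways and sandboxes. The following is an added example written for this page, not code from QiAnXin or from the analysed samples; it reads the MS-DOS attribute byte that zip writers on Windows store in the low byte of each entry's external attributes, flags executables marked hidden or system next to a .chm, and builds a constructed archive with that layout to show the check. Listing entries of a password-protected zip works the same way, since only the file contents are encrypted.

```python
import io
import zipfile
from typing import Dict, List

# MS-DOS attribute bits kept in the low byte of ZipInfo.external_attr for
# archives written on Windows (ZipInfo.create_system == 0).
DOS_HIDDEN = 0x02
DOS_SYSTEM = 0x04

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1")
DOC_SUFFIXES = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt")


def dos_attributes(info: zipfile.ZipInfo) -> int:
    """Return the MS-DOS attribute byte of a zip entry."""
    return info.external_attr & 0xFF


def has_double_extension(name: str) -> bool:
    """True for names like 'report.pdf.chm' that pose as a document."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and ("." + parts[1]) in DOC_SUFFIXES


def triage_archive(zip_bytes: bytes) -> Dict[str, List[str]]:
    """Collect hidden/system executables and double-extension names from the central directory."""
    findings: Dict[str, List[str]] = {"hidden_executables": [], "double_extension": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            concealed = bool(dos_attributes(info) & (DOS_HIDDEN | DOS_SYSTEM))
            if concealed and name.lower().endswith(EXECUTABLE_SUFFIXES):
                findings["hidden_executables"].append(name)
            if has_double_extension(name):
                findings["double_extension"].append(name)
    return findings


def is_suspicious(zip_bytes: bytes) -> bool:
    """True when a .chm (or other double-extension decoy) is paired with a concealed executable."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [i.filename.lower() for i in zf.infolist()]
    findings = triage_archive(zip_bytes)
    decoy = any(n.endswith(".chm") for n in names) or bool(findings["double_extension"])
    return decoy and bool(findings["hidden_executables"])


def build_sample_archive() -> bytes:
    """Constructed archive mimicking the described layout (placeholder contents, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        chm = zipfile.ZipInfo("Upcoming high level visit from China.pdf.chm")
        zf.writestr(chm, b"ITSF placeholder")
        exe = zipfile.ZipInfo("UsoCoreService.exe")
        exe.external_attr = DOS_HIDDEN  # hidden attribute, as the phishing archives set it
        zf.writestr(exe, b"MZ placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    print(triage_archive(sample))
    print("suspicious:", is_suspicious(sample))
```

The check deliberately inspects attributes rather than contents, so it stays useful when the archive is password-protected and the payload itself cannot be scanned.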


C# backdoor

The C# backdoor uses Task-based asynchronous programming, and part of it is obfuscated with ConfuserEx. Its functionality is relatively simple, mainly executing cmd commands issued by the C2 server; some backdoors also support other attack commands.


Get C2

C# backdoors obtain C2 server information in different ways, including the following.

(1) C2 server information is hardcoded directly into the code.

(2) Decryption from configuration file.

For example, 00f2df1829893caa85f3968961b6e736 and 316e8d798f7db625c207532e2f7a5d38 both read the SysConfig.enc file in the same directory and decrypt it with AES to obtain the C2 server information.

(3) Disguised as a legitimate-looking web service request, with the C2 information parsed from the remote server's response.

Using a3a06d50438681fc9917e22c41bd2cab as an example, the GetIpInfo function requests "hxxp://easyiplookup.com:5080/main/get_ip_data?userId=zqlCYqgp4f&ip=8.8.8.8".

The value of the RequestId field in the response is extracted and base64-decoded to obtain the C2 address "91.132.92.231:5959". Besides port 5959, port 6060 on the same IP (91.132.92.231) was also observed being handed to the C# backdoor as the C2 address. This gives the attacker the flexibility to change the IP address and port of the C2 server the backdoor actually connects to.

The easyiplookup.com domain appears to run an IP lookup service on port 80; its web script custom.js calls a fetchIpInfo function that retrieves the visitor's IP information from ip-api.com and displays it on the page. Clicking the "Lookup" button on the page and submitting the form requests the same URL the backdoor uses to obtain C2 information ("hxxp://easyiplookup.com:5080/main/get_ip_data"), indicating that the site is under the attacker's control.

Other C# backdoors that get C2 information in the same way are:

MD5 | Request URL | C2 information obtained
--- | --- | ---
4e8e1339f9754d8d2c5f74cb03f44fbb | hxxp://winfreecloud.net:6396/athena/identification?name=f0inqMaHra&addr=6.5.6.2 | 162.252.175.131:8246
115fb536e981c87873b0f35cb0059d93 | hxxp://winfreecloud.net:6396/athena/identification?name=9az1g3qdYp&addr=9.9.9.9 | 46.183.186.208:6060

Both winfreecloud.net and easyiplookup.com resolve to the same IPs (151.236.9.75 and 84.32.84.32).
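Because the C2 address is only a base64 string inside an otherwise ordinary-looking lookup response, an analyst replaying captured traffic from easyiplookup.com or winfreecloud.net needs to pull the RequestId field out and validate what it decodes to. The following is an added example written for this page, not code from QiAnXin or from the backdoors themselves; the page names only the RequestId field and the base64 encoding, so the JSON layout of the sample response and the other fields in it are assumptions, and the decoder also falls back to a plain regex for non-JSON bodies.

```python
import base64
import binascii
import ipaddress
import json
import re
from typing import Optional, Tuple

# Response field named in the report; the surrounding JSON layout is an assumption.
FIELD = "RequestId"
# Fallback for bodies that are not valid JSON (HTML or key=value responses).
_FIELD_RE = re.compile(r'"?RequestId"?\s*[:=]\s*"?([A-Za-z0-9+/=]+)')


def decode_c2(token: str) -> Optional[Tuple[str, int]]:
    """Base64-decode a token and return (ip, port) if it is a valid IPv4/IPv6 socket address."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    host, sep, port = text.rpartition(":")
    if not sep or not port.isdigit():
        return None
    host = host.strip("[]")  # tolerate bracketed IPv6 literals
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    port_n = int(port)
    if not 1 <= port_n <= 65535:
        return None
    return str(ip), port_n


def extract_c2(response_body: str) -> Optional[Tuple[str, int]]:
    """Pull the RequestId field out of a decoy-service response body and decode it."""
    token: Optional[str] = None
    try:
        doc = json.loads(response_body)
        if isinstance(doc, dict) and isinstance(doc.get(FIELD), str):
            token = doc[FIELD]
    except json.JSONDecodeError:
        pass
    if token is None:
        match = _FIELD_RE.search(response_body)
        if match is None:
            return None
        token = match.group(1)
    return decode_c2(token)


def build_sample_response(addr: str) -> str:
    """Constructed response mimicking the lookup service; not captured traffic."""
    token = base64.b64encode(addr.encode("ascii")).decode("ascii")
    return json.dumps({"ip": "8.8.8.8", "country": "US", FIELD: token})


if __name__ == "__main__":
    body = build_sample_response("91.132.92.231:5959")
    print(body)
    print("decoded C2:", extract_c2(body))
```

Running the decoder over every response from the two staging hosts turns a vague "contacted a lookup service" observation into a concrete C2 socket, which is what should be blocked and added to the IoC list; a response whose RequestId does not decode to an address is simply ignored.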


Backdoor Function

The backdoor connects to the C2 server and uses the hostname and username of the infected device as victim identification information.

Most backdoors only function as remote command execution or create cmd.exe shells that are used by attackers for subsequent operations.

Some backdoors also support other C2 commands.

Sample a59fe2c89b0000a360a8468f2b990c73 supports the following C2 instructions.

C2 instruction code | Functionality
--- | ---
dir | List file names and subdirectory names in the specified directory
cat | Read the contents of a file
copy | Copy a file
whoami | Show the user name
upload | Upload a file
tasklist | List all processes and the paths of their executables
schtasks | List the names and descriptions of all scheduled tasks
download | Download a file
systeminfo | Get system information, including OS version, serial number and free physical memory size
other | Execute as a command

Sample 27ac8eb519679530999e786281e9a578 supports the following C2 instructions.

C2 instruction code | Functionality
--- | ---
dir | List file names and subdirectory names in the specified directory
copy | Copy a file
upload | Upload a file
download | Download a file
other | Execute as a command

Traceability

Linked samples

The backdoor sample 316e8d798f7db625c207532e2f7a5d38 also appeared in another archive, decrypting the C2 address 46.183.187.42:443 from the configuration file SysConfig.enc.

MD5 | Filename
--- | ---
b28bb7cabfb12e9bc5b87692b065c83a | Islamabad_Security_Dialogue_Pub.rar

Based on a file in that archive, filename.lnk (MD5: ae55cb4988f2f45197132631f5a86632), which does not appear to serve any purpose, phishing samples with a similar directory structure to the archive can be correlated.

No. | MD5
--- | ---
1 | 3b669279c534987d6d7cab08d85df55a
2 | 432230af1d59dac7dfb47e0684807240
3 | 865483fea76242e687aa9e76b1a37f28
4 | af669dfa074eb9b6fda3fd258f58e2d2
5 | 7728fee377137e83e9bd1c609cc166c0
6 | dad7d9528e9506ebd0524b3ebd89ddf2

The correlated samples above fall into two categories. Samples 1-4 use resume documents as decoys and a backdoor written in C++ that uses Tencent Cloud services as C2; these are attack samples from a domestic red team.

The decoy PDF content of samples 5 and 6 relates to Pakistan's military defense, and the C# backdoor (MD5: 5e7dba4aafb8176ab026e2f4aa3211dd) has the same code as the backdoor associated with the CHM files described earlier; its C2 server information is obtained by AES-decrypting the configuration file "license". Both zip archives contain the same configuration file, and the C2 is 158.255.215.115:443.

Based on the VT upload times of these samples and the file timestamps inside the zip archives, we believe the attackers modeled their attack samples targeting Pakistan on the publicly available red team phishing samples.


Attribution of attacks

The C# backdoor resembles the one mentioned in report[4]: the op directory of the libraofficeonline[.]com server hosts similar malicious samples.

Taking backdoor a59fe2c89b0000a360a8468f2b990c73 as an example, the malware in the op directory that resembles this sample is listed in the table below. The similarities include the use of Task-based asynchronous programming, sending the machine name and user name to the C2 server as a victim identifier, and the use of similar function names and output message strings.

Similar filename | MD5
--- | ---
figlio.exe | 25e5d1790f61e6a45720da0a500be131
SearchApp.jpg | 16c33dbd1d7f6f98827e14f9d6d918e7
sparrow.jpg | b7289c3f37a4305b4d6898f2e71fbb2c

Report[4] attributes libraofficeonline[.]com to the Bitter group, and some of the malware hosted on that server is Mysterious Elephant attack tooling disclosed by other security vendors[5].

Filename | MD5
--- | ---
page/MicrosoftEdge.msi | 6ff3f0a2f7f1ec8a71bed37496e2e6fa
msas.msi | 7dc1d21554dce36958614817e3f531e6
msws.msi | c13c4c025c5c779d5dc8848ef160d5da
Hazel.exe | 1ad818406f06d1cb728b5d0f324fb3b5
Pro-CLA.exe | 79ed88fa92f87bf8f36ed98c44436472
GOG.exe | 36edd4fe5ee415f81e2ef8da75f23734
Gogo.exe | 4b6b8135c2d48891c68cc66cd9934c40
Nix.exe | eb9cd31960e3bc9da5a3a03cd0055180

Because ORPCBackdoor was initially regarded as a new Bitter backdoor, some domestic and foreign security vendors later tracked the group using ORPCBackdoor as a new group, Mysterious Elephant, which may explain the attribution inconsistency noted above. To remain consistent with previous open-source reports disclosing ORPCBackdoor activity and to avoid introducing further disagreement, this paper concludes that the CHM files and C# backdoors targeting multiple South Asian countries most likely originated from the Mysterious Elephant group.


Summary

The CHM samples associated with this campaign targeted Pakistan and Bangladesh in South Asia, involving government agencies, defense and military, and diplomatic sectors. The attackers used a less common tactic in which the CHM file directly launches an external file and contains no other malicious code. The external files associated with the CHMs are C# backdoors, some of which disguise their request for C2 address information as access to a seemingly legitimate web service and then parse the C2 address from the response. The attackers also imitated a red team attack sample and used the same C# backdoor in it. These indications suggest that the group has been experimenting with different attack techniques and trying to camouflage its activity.


Protection recommendations

QiAnXin Threat Intelligence Center reminds users to beware of phishing attacks: do not open links from unknown sources shared on social media, do not click on email attachments from unknown sources, do not run unknown files with sensational titles, and do not install apps from unofficial sources. Back up important files regularly and install updates and patches promptly.

If you need to run or install an application of unknown origin, you can first submit it to the QiAnXin Threat Intelligence File Deep Analysis Platform (https://sandbox.ti.qianxin.com/sandbox/page) for a verdict. It currently supports in-depth analysis of files in multiple formats for the Windows and Android platforms.

Currently, the full line of products based on threat intelligence data from the QiAnXin Threat Intelligence Center, including the QiAnXin Threat Intelligence Platform (TIP), SkyRock, the SkyEye Advanced Threat Detection System, QiAnXin NGSOC and QiAnXin Situational Awareness, can already accurately detect such attacks.


IOC

MD5

(CHM)

3df2d899d6d8d827adf2d92c91b3b32b

b38aca4f2d80484d5523f1eada9afe76

75ee4f79a3ed4137a918888482ded6a1

8e2377022b80cdc51d2c98bbf0c9d313

2f7ee7c1c75fbfdc1d079fcc6e325d19

19b767974205b66a12a28ccdb69943ed

aeb0b7e40f12ba093ff523fc124383ae

1645f406ab4e0d54e477330473c76664

d0030f5411698bb65f1cd281c5d302bc

232bb5b436c0836370fde34ca7b7138a

f26435785dd856ddb1fbcc682547aab0

68d458d1df36eaf885116a1b6801ab42

(C# backdoor)

27ac8eb519679530999e786281e9a578

115fb536e981c87873b0f35cb0059d93

4e8e1339f9754d8d2c5f74cb03f44fbb

00f2df1829893caa85f3968961b6e736

a59fe2c89b0000a360a8468f2b990c73

a3a06d50438681fc9917e22c41bd2cab

316e8d798f7db625c207532e2f7a5d38

616b29bd9e20fc032bc54acd5ed8aff0

ee64e70388e422dd9a620c3d18613268

(zip)

b28bb7cabfb12e9bc5b87692b065c83a

7728fee377137e83e9bd1c609cc166c0

dad7d9528e9506ebd0524b3ebd89ddf2

C&C

162.252.172.67:443

95.156.206.105:443

46.183.187.42:443

158.255.215.115:443

91.132.92.231:5959|6060

162.252.175.131:8246

46.183.186.208:6060

URL

hxxp://easyiplookup.com:5080/main/get_ip_data

hxxp://winfreecloud.net:6396/athena/identification


Reference Links

[1]. https://securelist.com/apt-trends-report-q2-2023/110231/
[2]. https://paper.seebug.org/2075/
[3]. https://paper.seebug.org/3000/
[4]. https://strikeready.com/blog/open-sesame/
[5]. https://mp.weixin.qq.com/s/Uf708Khax2rJaUhNo1Mz1Q
[6]. https://www.securonix.com/blog/analysis-of-phantomspike-attackers-leveraging-chm-files-to-run-custom-csharp-backdoors-likely-targeting-victims-associated-with-pakistan/
[7]. https://x.com/StrikeReadyLabs/status/1834599289391108556
[8]. https://x.com/__0XYC__/status/1843593304010813479
[9]. https://x.com/__0XYC__/status/1800129922054447220
