March 31, 2021
-
Anomali Threat Research
,

Bahamut Possibly Responsible for Multi-Stage Infection Chain Campaign

<p>Authored by: Gage Mele, Tara Gould, Winston Marydasan, and Yury Polozov</p> <h2>Key Findings</h2> <ul> <li>Anomali Threat Research discovered cyberthreat actors distributing malicious documents exploiting a vulnerability (CVE-2017-8570) during a multi-stage infection chain to install a Visual Basic (VB) executable on target machines.</li> <li>This exploitation creates a backdoor that appears to only retrieve an infected machine’s username, possibly indicating reconnaissance activity.</li> <li>We assess with low confidence, based on limited technical intelligence and targeting consistent with previously observed activity, that the advanced persistent threat (APT) cyberespionage group known as Bahamut may be responsible for this campaign.</li> <li>Bahamut is a “group for hire” and typically targets entities and individuals in the Middle East and South Asia with spearphishing messages and fake applications as the initial infection vector.</li> </ul> <h2>Overview</h2> <p>Based on a discovery in mid-February 2021, Anomali Threat Research assesses with low confidence that the APT cyberespionage group-for-hire Bahamut has been conducting malicious activity against multiple targets since at least June 4, 2020. While researching malicious files, our researchers analyzed a .docx file (<strong>List1.docx)</strong> that contained a shared bundled component with another .docx file that was communicating via template injection with <strong>lobertica.info</strong>, a domain previously attributed to Bahamut.<sup>[1] </sup>Further analysis of this file and the infection chain it follows is provided in subsequent sections below.</p> <p>The header dates of a template injection domain (<strong>lobertica.info/fefus/template.dot</strong>) contacted by <strong>Screeshot from NACTA Website.docx</strong> (including “Screeshot” spelling error) indicated malicious activity dating back to at least June 4, 2020. The title of the document may be a reference to Pakistan’s National Counter Terrorism Authority (NACTA), which would be consistent with Bahamut’s previous targeting and geographical location. The June timeframe also aligns with Pakistan’s virtual meeting with the Financial Action Task Force (Groupe d'Action Financière) held on June 24, 2020, which resulted in keeping Pakistan on the financial grey list for terrorism funding.<sup>[2]</sup> Additionally, in June 2020, between the 9<sup>th</sup> and 15<sup>th</sup>, the United Arab Emirates (UAE) and Pakistan conducted repatriation flights for Pakistani nationals in the UAE. And, as of June 29, the UAE suspended passengers from Pakistan, until more COVID-19-related facilities could be created.<sup>[3]</sup> While the timing may be coincidental, sophisticated threat actors such as Bahamut are known to use real-world events as themes for targeted cyber campaigns. Historically, in December 2016, Bahamut reportedly targeted human rights activists in the Middle East with spearphishing attacks to deliver Android-based malware, this persisted through 2018, with the targeting of entities and individuals in Egypt, Iran, India, Pakistan, Palestine, Qatar, Tunisia, and the UAE.<sup>[4]</sup></p> <h2>Details</h2> <p>Anomali Threat Research identified malicious .docx files that exploit a remote code execution (RCE) vulnerability (CVE-2017-8570). The activity apparently began in June 2020 and continued through at least mid-February 2021. The actors used at least three files with generic names: <strong>List1.docx</strong>, <strong>List for Approval.docx</strong>, and <strong>report.doc</strong>, and one appearing to employ a NACTA theme with a typo: <strong>Screeshot from NACTA Website.docx</strong>. (Figure 1)</p> <p align="center"><img alt="Infection Chain" src="https://cdn.filestackcontent.com/gCaDvcMfSPqPEUwMQQD0"/><br/> <em><strong>Figure 1 –</strong> Infection Chain</em></p> <h2>Technical Analysis</h2> <p>Threat actors distributed .docx files with the objective of dropping a rich text format (RTF) file that began the infection process for additional malicious activity. Analysis of the .docx revealed a multi-step infection process.</p> <p>The graphic below displays the connection between the malicious files and actor infrastructure (see Figure 2). The .xml file at the top is shown as the bundled component that is contained inside other .docx files. The .docx files used template injection to download a file from a malicious domain. Next, we observed an .rtf file being dropped that contained multiple files with the objective to drop VB executables. The final layer in the chart shows the IP addresses we observed communicating with the malicious files.</p> <p align="center"><img alt="Malicious Infrastructure" src="https://cdn.filestackcontent.com/HZOXVftKRTuCFLyHwRAw"/><br/> <em><strong>Figure 2 –</strong> Malicious Infrastructure</em></p> <p align="center"><img alt="Self Signed Certificate on 185.175.158.227" src="https://cdn.filestackcontent.com/yoLnqE7hTBGida96lGyF"/><br/> <em><strong>Figure 3 –</strong> Self Signed Certificate on 185.175.158.227</em></p> <p>Figure 3 above shows a self-signed certificate on the IP 185.175.158.227, a method Bahamut has used in the previous activity.<sup>[5]</sup> Bahamut has also been reported to have a preference for utilizing the marketing email service MailKing.<sup>[6]</sup> The alignment of these data points, while not conclusive, further supports the assessment that this activity may be related to Bahamut.</p> <h3>DOCX Analysis</h3> <p><strong>Analyzed file – </strong>List1.docx</p> <p><strong>MD5 – </strong>3df18ecd55f8e267be39f6f757bcd5f0</p> <p>The analyzed document is a .docx file with an embedded RTF object from <strong>memoadvicr.com/kodec/report.doc</strong> (see Figure 4). The external target is placed in the ‘webSettings.xml.rels’ file, which will download the RTF file. As shown in Figure 4 the dropped file is called <strong>report.doc</strong>, which will be analyzed in the subsequent section.</p> <p align="center"><img alt="Embedded RTF Object" src="https://cdn.filestackcontent.com/n9BQTxaQhWJnY3KHe6y3"/><br/> <em><strong>Figure 4 –</strong> Embedded RTF Object</em></p> <h3>RTF Analysis</h3> <p><strong>Analyzed File – </strong>report.doc</p> <p><strong>MD5 – </strong>9dc1cdba6d5838f7984de89521f18ae8</p> <p>The analyzed document is an RTF file downloaded from a .docx file containing an obfuscated .sct file that exploits CVE-2017-8570 (RCE). Exploitation of the vulnerability allows execution of the .sct file that in-turn executes other files dumped from the RTF. Filenames contained in the RTF (shown in Figures 5-6) include: <strong>eisghfgh321.tmp</strong>, <strong>d.tmp</strong>, <strong>E.sct</strong>.</p> <p align="center"><img alt="OLE Package File Information for .tmp Files" src="https://cdn.filestackcontent.com/VcBzoz9QTfCNkjyFvuvB"/><br/> <em><strong>Figure 5 –</strong> OLE Package File Information for .tmp Files</em></p> <p align="center"><img alt="OLE Package File Information for. sct File" src="https://cdn.filestackcontent.com/5fWMCP6ESsJAspEWi5L1"/><br/> <em><strong>Figure 6 –</strong> OLE Package File Information for. sct File</em></p> <p>The obfuscated .sct file contents were mixed with unwanted comments and confusing variable names to inhibit static analysis. (Figure 7). But, once reconstructed with comprehendible variable names and stripped of random strings, we were able to construct a more comprehensible version of this .sct file (Figure 8).</p> <p align="center"><em><img alt="Obfuscated .sct File Contents" src="https://cdn.filestackcontent.com/yFHD9FgXR7OMAtVhmRj5"/></em><br/> <em><strong>Figure 7 –</strong> Obfuscated .sct File Contents</em></p> <p align="center"><img alt="Beautified. sct File Contents" src="https://cdn.filestackcontent.com/NfAMLL1TDK4Z9M4FZNWg"/><br/> <em><strong>Figure 8 –</strong> Beautified. sct File Contents</em></p> <p>With a better understanding of the .sct file, we determined that the script checks the existence of the dropped file within the %temp% folder of the victim machine. This is the file that dropped during the exploitation of the CVE-2017-8570.</p> <p>Next, the function routine <strong>readBinary</strong> reads the data in <strong>eisghfgh321.tmp</strong> and the script replaces the first two bytes with <strong>MZ</strong> and substitutes the last two zero bytes until <strong>eisghfgh321.tmp</strong> is molded into <strong>dwmm.exe</strong>. The executable is then dropped in the %PUBLIC% folder on an infected machine.</p> <p>The script again checks for the existence of this malicious executable in %PUBLIC% folder and, if it exists, the <strong>winword.exe</strong> process is killed to close the initially opened decoy document. Lastly, the executable - written in VB - functions as a backdoor on an infected machine. After decompiling the code, we found that the POST payload, <strong>dwmm.exe</strong>, is generated on-the-fly and dropped while communicating with the actor’s C2 via a POST request to the actor’s Command and Control (C2) server (see Figure 9).</p> <p align="center"><img alt="dxmm.exe POST Request" src="https://cdn.filestackcontent.com/dYucBijQy65SJYLhRUEN"/><br/> <em><strong>Figure 9 –</strong> dxmm.exe POST Request</em></p> <p>Analysis of the POST request shows that it will send back the username that was found located between “pt” and “tion,” as shown in Figure 10 below with <strong>brutal</strong> serving as the username.</p> <p align="center"><img alt="dxmm.exe POST Request Information" src="https://cdn.filestackcontent.com/HD3tYChQRuMNVk6JDG0w"/><br/> <em><strong>Figure 10 –</strong> dxmm.exe POST Request Information</em></p> <h2>Conclusion</h2> <p>Bahamut is a sophisticated APT group that utilizes anti-analysis techniques and multi-stage infection chains. Additionally, like many other APT groups, they employ social engineering and user interaction for the initial infection through spearphishing emails and messages. While we have identified many consistencies between this most recently discovered campaign and previously reported activity attributed to Bahamut, and the targeting appears to be consistent with Bahamut’s assessed interests, due to the lack of enough unique indicators of compromise or tactics, techniques, and procedures (TTPs) we can only assess with “low confidence” that Bahamut may be behind this activity. We will continue monitoring this group for additional malicious activity and provide details when appropriate.</p> <h2>MITRE TTPs</h2> <p>Application Layer Protocol - T1071<br/> Command and Scripting Interpreter: Visual Basic - T1059.005<br/> Data Staged: Local Data Staging - T1074.001<br/> Deobfuscate/Decode Files or Information - T1140<br/> Masquerading - T1036<br/> Obtain Capabilities: Vulnerabilities - T1588.006<br/> Phishing - T1566<br/> Phishing: Spearphishing Attachment - T1566.001<br/> System Information Discovery - T1082<br/> Template Injection - T1221<br/> User Execution - T1204<br/> User Execution: Malicious File - T1204.002</p> <h2>Endnotes</h2> <p><sup>[1]</sup> BlackBerry Research and Intelligence Team, “Bahamut: Hack-for-Hire Masters of Phishing, Fake, News, and Fake Apps,” BlackBerry, accessed March 9, 2021, published October 2020, https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf, 81.</p> <p><sup>[2]</sup> “Pakistan’s case not taken up ate FATF meeting: FO,” <em>Dawn</em>, accessed March 9, 2021, published June 27, 2020, https://www.dawn.com/news/1565473; “Pakistan needs legislation to meet three outstanding FATF benchmarks: Report,” <em>Hindustan Times</em>, accessed March 9, 2021, published March 2, 2021, https://www.hindustantimes.com/world-news/pakistan-needs-legislation-to-meet-three-outstanding-fatf-benchmarks-report-101614669450193.html.</p> <p><sup>[3]</sup> “Coronavirus: more repatriation flights from UAE to Pakistan announces,” <em>The National</em>, accessed March 10, 2021, published June 9, 2020, https://www.thenationalnews.com/lifestyle/travel/coronavirus-more-repatriation-flights-from-uae-to-pakistan-announced-1.1030914; “UAE suspends receiving passengers from Pakistan as of June 29 over COVID fears,” <em>Reuters</em>, accessed March 10, 2021, published June 28, 2020, https://www.reuters.com/article/us-health-coronavirus-emirates-pakistan/uae-suspends-receiving-passengers-from-pakistan-as-of-june-29-over-covid-fears-idUSKBN23Z0RM.</p> <p><sup>[4]</sup> Collin Anderson, “Bahamut, Pursuing a Cyber Espionage Actor in the Middle East, <em>Bellingcat</em>, accessed March 9, 2021, published June 21, 2017, https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/; Warren Mercer, et al., “Advanced Mobile Malware Campaign in India uses Malicious MDM - Part 2,” Cisco Talos Blog, accessed March 10, 2021, published July 25, 2018, https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; https://www.thaicert.or.th/downloads/files/A_Threat_Actor_Encyclopedia.pdf, 35; BlackBerry Research and Intelligence Team, “Bahamut: Hack-for-Hire Masters of Phishing, Fake, News, and Fake Apps,” BlackBerry, 5; Taha Karim, “IN THE TRAILS OF WINDSHIFT APT,” DarkMatter, accessed March 10, 2021, published August 2018, https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf, 13.</p> <p><sup>[5]</sup> BlackBerry Research and Intelligence Team, “Bahamut: Hack-for-Hire Masters of Phishing, Fake, News, and Fake Apps,” BlackBerry, 49.</p> <p><sup>[6]</sup> Ibid.</p> <h2>IOCs</h2> <p><strong>Domains and URLs</strong><br/> http://lobertica.info<br/> http://lobertica.info/fefus/<br/> http://lobertica.info/fefus/report.doc<br/> http://lobertica.info/fefus/template.dot<br/> http://lobertica.info/msoll/igtxpres.zip<br/> http://zovwelle.com<br/> http://zovwelle.com/opregftyro/ijkbfumnbvc.php<br/> http://memoadvicr.com<br/> http://memoadvicr.com/kodec/report.doc<br/> http://memoadvicr.com/dvsec/report.doc<br/> http://fastfiterzone.com/sdjfbjsgdlfvfd/gfdbvgfgggh.php</p> <p><strong>EXEs</strong><br/> 04e05054e9e4f1c6cba9292fcad9e06f<br/> 61639f301c4cdadfd6c4a696375bdc99</p> <h3>Files</h3> <p><strong>.docx</strong><br/> 68d0e326e18bd7ec50db011f9c119e25<br/> de1f5c8223505f7e8c64a4b852614b14<br/> 3df18ecd55f8e267be39f6f757bcd5f0</p> <p><strong>RTF</strong><br/> 9dc1cdba6d5838f7984de89521f18ae8</p> <p><strong>Scriplet</strong><br/> d3e989f44fe3065ec501fe7f0fc33c3e</p> <p><strong>Bundled</strong><br/> 11eb560d256383859b8135cfbbf98e30</p> <p><strong>IPs</strong><br/> 185.183.161.125<br/> 185.175.158.227<br/> 208.91.197.54<br/> 194.120.24.116<br/> 93.184.220.29<br/> 194.67.93.17</p>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.
__wf_reserved_heredar