Recently, we saw a tweet about a document claiming to be reporting about the recent  “Indian Election Results”. On analysis, we found that it was dropping a “Crimson RAT” payload. This RAT, mostly used by the Transparent Tribe APT, is capable of stealing credentials and other sensitive information. While checking the IOC’s related to this Crimson RAT, we also noticed that there was another Excel file which was disguised as “Syllabus of a University in Delhi”. 

This blog gets into the technical details of this document having a Crimson RAT payload.

Figure 1: Tweet

Transparent Tribe APT

Transparent Tribe, a group believed to operate out of Pakistan, has been active since 2013. Their primary focus is on infiltrating diplomatic, defence, and research entities located in India and Afghanistan. This time election results were used as a bait to target Indian netizens.

Technical Details

The initial vector was a .docm file which has by default macro enabled setting. This document file contains embedded files, which includes the “Crimson RAT” payload and the Election results document.

Figure 2: Embedded files

After extracting the macro contents from the document using olevba, it copies the files into the folder named Data(sec)(min).

Figure 3: Copies the files to appdata

Here, it checks for the Office version and decodes the embedded files using oleobject7, oleobject10 and oleobject11. All the three files contain a base64 encoded zip file having the “Crimson RAT” payload.

Figure 4: Checks for Office version

In the revdbndfile function, it reads contents of one of the oleobject.bin and converts it into a string. The Decabav6f function (seen in Fig 5) is used to convert the base64 encoded string into a byte array by setting its datatype as base64. The BirvTrving function (seen in Fig 5) is later used to convert it back into a string by iterating through each byte.

Figure 5: Base64 decoding

After decoding the base64 string, it is written to the Appdata folder. It then copies and decompresses it into the Documents folder as a screensaver file “hacrvidth vibev.scr” and executes it.

Figure 6: Payload (Crimson RAT)

Simultaneously, it executes another embedded doc file(oleobject3.bin), which is actually the decoy file having the election results of Uttarakhand.

Figure 7: Loading embedded decoy 
Figure 8: Decoy file content

As said, another Excel file disguised as the syllabus of a university also drops the same Crimson RAT. Here is the content of the decoy file.

Figure 9: Syllabus decoy

Crimson RAT

The payload, on execution, sleeps for about 25 minutes, so as to hinder sandboxing. It then adds a run registry of the current user with a random hardcoded name for persistence.

Figure 10: Sleep call
Figure 11: Run registry persistence

Once again, it sleeps for about 20 minutes before it tries to connect to its C2 from the hardcoded domain and IP. If the payload does not connect to the attacker, the process exits.

Figure 12: Second sleep call
Figure 13: Hardcoded C2

On connecting to the C2 server, the command and data to the process (getsEtype Func) are sent. The malware then modifies the commands by inserting an integer value 5 before the 4th character and executing the code by comparing with the received commands. If the attacker sends a null command, the process exits.

Figure 14: Modified C2 commands

 These are the following C2 commands which could be executed.

thy5umbSends the picture back to c2 in gif
gey5tavs, pry5oclGets the list of all running process
scy5uren, scy5ren, scyr5en, scyu5ren, cdy5crgn, csy5crgn, csy5dcrgnTakes a screenshot and sends it back in jpeg
puy5tsrtCreates a run registry key
doy5wfWrites data into a file from the given path
diy5rsRetrieves the list of Drives in the system
fiy5lszGets info of a file from the system
iny5foGets the OS info, User Domain and Username info.
liy5stfGets the file path and file info from all the sub directories which has extension, from the given path
fly5esCheck for the files in the given directory
ruy5nfAbility to run commands
udy5ltWrites data into the file(itaivsasidr.exe) in the same folder as this file(Document folder)
fiy5le, afy5ileSends the contents of a file which path was given
dey5ltDelete a file in the given path
doy5wrWrites data into a file from the given path
fly5drCheck for the sub directories from the given directory

By using these commands, they can access all the files, pictures, system info, the running processes from the system. It also has the capability to delete the files in the system and also to download additional payloads and execute them.

The discovery of malware disguised as a “Lok Sabha Election Results” document from India, underscores the tricky strategies employed by cyber attackers. As cyber threats continue to evolve, staying informed and proactive is essential to protect against such deceptive and potentially disruptive attacks. At K7 Labs, we provide robust detection for these RATs and other day-to-day threats. We recommend using a dependable security solution like “K7 Total Security” and keeping it up-to-date to safeguard your devices effectively.

IOCs

Malware TypeHashDetection name
Election Lure4473b78e67067a9299227cc02b8e28e2Trojan ( 0001140e1 )
Syllabus Luread90e16ea4a9fe11525da7669cb4b8eeTrojan ( 0001140e1 )
Crimson RATe6f4bb8ed235f43cb738447fbf1757c3Trojan ( 005b635b1 )
Crimson RATda2331ac3e073164d54bcc5323cf0250Trojan ( 005b67de1 )
Crimson RATa54c435bdbc17608fa0b8826bbe9936dTrojan ( 005b67de1 )
Crimson RAT7a18b1bf9b07726327ba50e549764731Trojan ( 005b635b1 )
Crimson RATd6b38a2272876d039d48b46aa874e7b9Trojan ( 005b67de1 )
Crimson RATf49375748b279565b5aed83d9ee01eb2Trojan ( 005b635b1 )

C2

Domain: waqers[.duckdns[.com

IP: 94.72.105.227

Decoy

Election Decoy – 24fc6cacfbf0f87d2a24be7361c78c76

Syllabus Decoy – 4166a122e5eac964ba9f4b22e2881052

Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

    0 replies on “Threat actors target recent Election Results”