Curious tale of 8.t used by multiple attack campaigns against South Asian countries

Niranjan Jayanand/Microsoft

This research paper covers multiple long-running attack campaigns targeting South Asian officials working mainly in government, oil, media, maritime, defense contractors, universities (particularly those with military research ties), and legal organizations. The main motivation behind these waves of attacks is espionage aligned with commercial and South China Sea issues, aimed at intellectual property theft and military espionage.

Attackers use multistage techniques against their victims during these campaigns. During the reconnaissance stage, they collect a great deal of information, such as which software and applications are vulnerable on the target's side. Over the past few years, attackers have used poisoned Microsoft Office documents as one of their favorite infection vectors for both cybercrime and cyber espionage. It does not take malware authors long to integrate novel techniques into their own exploit kits and attack ordinary users, and attackers quickly adopt most of these application CVEs.

In the campaigns we analyzed, we identified that multiple targeted attacks hitting South Asian countries used Microsoft Office vulnerabilities, namely CVE-2017-11882, CVE-2017-0199 and CVE-2017-8759. A public blog also reported a unique object dimension present in RTF phishing files weaponized with CVE-2017-11882 and CVE-2018-0802, which appears to have been utilized in these attacks. The identified RTFs all share a unique object height and width, values that determine how the object is rendered in Microsoft Word. We used this fingerprint to expand our research and track multiple campaigns.
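
The object-dimension pivot described above, as an added example that is not part of the original paper: a Python helper that pulls each embedded object's \objw/\objh dimensions (in twips) and OLE class out of an RTF file and matches them against an analyst-maintained watchlist of dimension pairs. The watchlist values and the sample RTF are constructed placeholders, not the real dimensions or documents from these campaigns.

```python
import re
from typing import List, Set, Tuple

# Hypothetical watchlist of (width, height) pairs, in twips, shared by related RTF lures.
# These values are constructed placeholders, not the real dimensions from the campaigns.
OBJECT_DIMENSION_WATCHLIST: Set[Tuple[int, int]] = {(9999, 8888)}

# \objwN and \objhN are standard RTF control words giving an embedded object's width and
# height in twips; {\*\objclass ...} names the OLE class that will render the object.
_OBJW_RE = re.compile(rb"\\objw(-?\d+)")
_OBJH_RE = re.compile(rb"\\objh(-?\d+)")
_OBJCLASS_RE = re.compile(rb"\\objclass\s*([^\\}]+)")


def extract_rtf_objects(data: bytes) -> List[dict]:
    """Return one record per \\object group: width and height in twips plus the OLE class."""
    # Word's RTF reader only insists on the short "{\rt" prefix, so do not require "{\rtf1".
    if not data.lstrip().startswith(b"{\\rt"):
        return []
    records = []
    # Each embedded object starts with the \object control word; split the file on it and
    # read the first width, height and class that follow, since they belong to that object.
    for segment in re.split(rb"\\object(?=[\\{\s])", data)[1:]:
        width = _OBJW_RE.search(segment)
        height = _OBJH_RE.search(segment)
        objclass = _OBJCLASS_RE.search(segment)
        records.append({
            "width": int(width.group(1)) if width else None,
            "height": int(height.group(1)) if height else None,
            "objclass": objclass.group(1).strip().decode("latin-1") if objclass else None,
        })
    return records


def find_watchlisted_objects(data: bytes, watchlist=OBJECT_DIMENSION_WATCHLIST) -> List[dict]:
    """Return the embedded objects whose (width, height) pair is on the tracking watchlist."""
    return [r for r in extract_rtf_objects(data) if (r["width"], r["height"]) in watchlist]


# Constructed sample: a minimal RTF with two embedded objects, the first carrying the
# watchlisted dimensions and a short placeholder \objdata blob (not real exploit content).
SAMPLE_RTF = (
    b"{\\rtf1\\ansi"
    b"{\\object\\objemb\\objw9999\\objh8888{\\*\\objclass Equation.3}{\\*\\objdata 0105}}"
    b"{\\object\\objemb\\objw1440\\objh720{\\*\\objclass Package}{\\*\\objdata 0105}}"
    b"}"
)

if __name__ == "__main__":
    for hit in find_watchlisted_objects(SAMPLE_RTF):
        print(f"watchlisted object: {hit['width']}x{hit['height']} twips, class {hit['objclass']}")
```

Run over a corpus of RTF attachments, the dimension pairs that recur across otherwise unrelated lures are the ones worth adding to the watchlist.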

Once the victim executes a poisoned Microsoft Office file, the shellcode that decrypts the final payload in memory was found to use one constant file name, “8.t”, across all the campaigns. Some of the identified payloads are NewCore RAT, Hawkball backdoor, Fucobha, QCRat, PlugX, htpRAT and an unnamed RAT. Most of these remote administration tools relied on DLL side-loading to survive a reboot. It is very rare to see multiple targeted attack campaigns use the same shellcode file name and only two different shellcode decryption routines to drop and execute the final RAT payload on victim machines, yet this held across all the distinct APT campaigns we identified. We also found that the attackers returned to target almost the same victim organizations in South Asian countries over this period, and at certain times different campaigns likely shared infrastructure.

The attackers continued using the same trends and traits with minimal modification to target the same victims, regions and sectors, which leads us to believe that they possibly shared TTPs, code and infrastructure to steal intellectual property from victim organizations. Many of the filenames and attacker command-and-control domains collected during the investigation used themes related to current affairs or organizations in the victim countries.

November 7 at 11:40 - 12:00, Stage A

Niranjan Jayanand is an experienced Principal Threat Intelligence Analyst with a demonstrated history of threat group hunting, reverse engineering, YARA, antivirus signature creation and threat report writing for customers, including over 60 proactive hunts and reports on MENA-origin and PRC-origin threat attacks ahead of competitors. He has sound knowledge of leveraging and pivoting through internal telemetry data, and currently works as Threat Intelligence Manager at Microsoft.