Spear Phishing Campaign: Users Targeted via Pakistani Themed Documents

Security researchers at AlienVault have released details about Remote Access Trojans (RATs) being distributed through spear phishing campaigns. The documents sent by email are reportedly “Pakistani themed” and likely target users in that region.
Well-known, easily obtained malware such as Netwire and Pony is used as the payload. The samples are reportedly served from the following compromised domains: www.serrurier-secours.be and careers.fwo.com.pk. Filenames of the malicious documents carrying the malware include:
  • China-Pakistan-Internet-Security-LAW_2017.doc
  • Strategic Thinking on Ensuring Ideological.docx
  • Fazaia_Housing_Scheme_Notice_Inviting_Tenders.doc
  • PAFs first multinational air exercise ACES Meet 2017 concludes in Pakistan.doc
  • IDUF-01.doc
  • Pakistan Air Force Jet Crashes During Routine Operation.doc
  • Sales_Tax.doc
  • Hajj Policy and Plan 2017.doc
Opening the document attached to the email can give the attacker remote code execution on the victim’s system and/or escalate privileges. The two CVEs listed under Indicators of Compromise correspond to those two steps: CVE-2015-2545 is a remote code execution flaw in the Microsoft Office EPS filter, and CVE-2016-7255 is a Windows kernel (win32k.sys) elevation of privilege flaw. Additional technical details are available in AlienVault’s article.

Indicators of Compromise

CVEs:
  • CVE-2015-2545
  • CVE-2016-7255
Domain:
  • 0x0.ignorelist.com
URLs:
  • http://careers.fwo.com.pk/css/microsoftdm.exe
  • http://careers.fwo.com.pk/css/printer.exe
  • http://sandipuniversity.edu.in/list/87_Copy.docx
  • http://www.serrurier-secours.be/…/China-Pakistan-Internet-Security-LAW_2017.doc
  • http://www.serrurier-secours.be/…/PAF%e2%80%99s%20first%20multinational%20air%20exercise%20ACES%20Meet%202017%20concludes%20in%20Pakistan.doc
  • https://www.serrurier-secours.be/…/Fazaia_Housing_Scheme_Notice_Inviting_Tenders.doc
  • https://www.serrurier-secours.be/…/Hajj%20Policy%20and%20Plan%202017.doc
  • https://www.serrurier-secours.be/…/Pakistan%20Air%20Force%20Jet%20Crashes%20During%20Routine%20Operation.doc
  • https://www.serrurier-secours.be/…/Sales%20-%20Tax%20&
File Hashes:
  • 027E4C6C51E315F0E49F3644AF08479303A747ED55ECBA5AA0AE75C27CD6EFEB
  • 81E518E094D597965F578F6F42C22C363450E8FB8D33C0A9568254CA048C15E6
  • 096012A5A9CF483FE0BDCD5A1030CC4D85B8E5296609FDC3632F2337A897A394
  • 291CA9E4AA9DB88635A89CB58F8DBF49E60ABDDBBCEC1C4A611EF4192BFC6D24
  • 2BE03E829856AD2FF772BA1F5074D4EAFBF3ECAB8D97794D1CC6589E043E3A28
  • 2E219FC95D7B44D8B0E748628E559A9EC79A068B90FE162B192DAA8CF8D6F3EE
  • 40E9287FF8828FB0E6BAEDCFF873E8E35520C6227200F1C84B63446F07A59289
  • 48463E268ACB50FFBCB27EAFF46F757486A985FFC2D10F35AE1B9422660A20D2
  • 4BA13ADD1AA8AE3FFFCB83F9B0990A6CD8B8912FC0E26811D0211F72AAAA7C79
  • 82CE7DFFEF284571CA21EB240869148B7F3583D9CB95EBDC42C77536DCCC9060
  • 855AD4DCB9C5502D6EF73528704046CACF006770FD4AF23259CB33E7577CD205
  • F110283C4E459CC20E908267D88EDBA26E2135BCB7D7335CABBED1A128EDEB86
  • A70CACC8BFFFC4A67171122FC424ED95FC3F89BC592D7489AACC666E5834F571
  • A8FA4C806D97E59DB0C42B574558A68942EADFE56286A66D90A8F6248A34CF43

Yara Rule

rule Pakistan_atomic_comission_dropped_dll
{
    meta:
        description = "Pakistani Atomic Energy Commission Spearphishing dropped DLL"
        author = "Jose M Martin"
        date = "2018/07/10"
        hash = "027e4c6c51e315f0e49f3644af08479303a747ed55ecba5aa0ae75c27cd6efeb"
    strings:
        $s1 = "ExploitTagMenuState start" fullword ascii
        $s2 = "ExploitTagMenuState end" fullword ascii
        $s3 = "DonorThread start" fullword ascii
        $s4 = "EscalateThread start" fullword ascii
        $s5 = "EscalatePrivilegesOld start" fullword ascii
        $s6 = "EscalatePrivilegesWow" fullword ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 30KB and (any of them)
}

Protection

  • https://exchange.xforce.ibmcloud.com/signature/EPS_Office_Exec

Recommendations

  • Keep applications and operating systems running at the current released patch level
  • Ensure anti-virus software and associated files are up to date
  • Verify, through a separate channel, the legitimacy of any unsolicited email attachments – delete without opening if you can’t validate
  • Search for existing signs of the indicated IOCs in your environment
  • Block all URL-, domain- and IP-based IoCs at the firewall, IDS, web gateways, routers or other perimeter devices
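The hunting step in the recommendations above can be automated. The script below is an added example and is not code from the AlienVault report or the Cyberwarzone post: it carries the file hashes, hosts and URL paths from the IOC section, a pure-Python reading of the YARA rule’s condition (including its fullword semantics) for hosts where yara-python is not installed, and a sweep over a set of files and proxy log lines. The log line format and the sample file contents are constructed for the demonstration, and the serrurier-secours.be URLs are matched on host alone because their paths are truncated in the report.

```python
# Offline IOC sweep for the campaign described above. Added example, not code
# from the AlienVault report or the Cyberwarzone post. The indicators are taken
# from the IOC section; the log format and sample file contents are constructed.
import hashlib
import re
from urllib.parse import urlsplit

# SHA-256 hashes from the IOC section, lower-cased for comparison.
IOC_HASHES = {h.lower() for h in """
027E4C6C51E315F0E49F3644AF08479303A747ED55ECBA5AA0AE75C27CD6EFEB
81E518E094D597965F578F6F42C22C363450E8FB8D33C0A9568254CA048C15E6
096012A5A9CF483FE0BDCD5A1030CC4D85B8E5296609FDC3632F2337A897A394
291CA9E4AA9DB88635A89CB58F8DBF49E60ABDDBBCEC1C4A611EF4192BFC6D24
2BE03E829856AD2FF772BA1F5074D4EAFBF3ECAB8D97794D1CC6589E043E3A28
2E219FC95D7B44D8B0E748628E559A9EC79A068B90FE162B192DAA8CF8D6F3EE
40E9287FF8828FB0E6BAEDCFF873E8E35520C6227200F1C84B63446F07A59289
48463E268ACB50FFBCB27EAFF46F757486A985FFC2D10F35AE1B9422660A20D2
4BA13ADD1AA8AE3FFFCB83F9B0990A6CD8B8912FC0E26811D0211F72AAAA7C79
82CE7DFFEF284571CA21EB240869148B7F3583D9CB95EBDC42C77536DCCC9060
855AD4DCB9C5502D6EF73528704046CACF006770FD4AF23259CB33E7577CD205
F110283C4E459CC20E908267D88EDBA26E2135BCB7D7335CABBED1A128EDEB86
A70CACC8BFFFC4A67171122FC424ED95FC3F89BC592D7489AACC666E5834F571
A8FA4C806D97E59DB0C42B574558A68942EADFE56286A66D90A8F6248A34CF43
""".split()}

# Hosts from the Domain and URL sections. The serrurier-secours.be URLs are
# truncated in the report, so that host is matched on name alone.
IOC_HOSTS = {"0x0.ignorelist.com", "careers.fwo.com.pk",
             "sandipuniversity.edu.in", "www.serrurier-secours.be"}
IOC_PATHS = {"/css/microsoftdm.exe", "/css/printer.exe", "/list/87_Copy.docx"}

# Strings from the YARA rule above (declared 'fullword ascii'), as bytes.
RULE_STRINGS = [b"ExploitTagMenuState start", b"ExploitTagMenuState end",
                b"DonorThread start", b"EscalateThread start",
                b"EscalatePrivilegesOld start", b"EscalatePrivilegesWow"]


def host_is_ioc(host):
    """Exact match against a listed host, or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in IOC_HOSTS)


def match_log_line(line):
    """(host, path) if the line requests an IOC host or known path, else None.
    Assumed log format: any line that carries an absolute http(s) URL."""
    m = re.search(r"https?://[^\s\"']+", line)
    if not m:
        return None
    u = urlsplit(m.group(0))
    host = u.hostname or ""
    if host_is_ioc(host) or u.path in IOC_PATHS:
        return host, u.path
    return None


def dropped_dll_rule(data):
    """Pure-Python reading of the YARA condition
    uint16(0) == 0x5A4D and filesize < 30KB and (any of them),
    where 'fullword' means the string is not bordered by alphanumerics."""
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x5A4D:
        return False  # not an MZ (PE) header
    if len(data) >= 30 * 1024:
        return False  # the rule targets only the small dropped DLL
    return any(re.search(rb"(?<![A-Za-z0-9])" + re.escape(s) + rb"(?![A-Za-z0-9])", data)
               for s in RULE_STRINGS)


def sweep(files, log_lines, hashes=IOC_HASHES):
    """files: {name: bytes}; log_lines: iterable of str.
    Returns {'hash': [names], 'rule': [names], 'log': [(line_no, host, path)]}."""
    hits = {"hash": [], "rule": [], "log": []}
    for name, data in files.items():
        if hashlib.sha256(data).hexdigest() in hashes:
            hits["hash"].append(name)
        if dropped_dll_rule(data):
            hits["rule"].append(name)
    for n, line in enumerate(log_lines, 1):
        hit = match_log_line(line)
        if hit:
            hits["log"].append((n,) + hit)
    return hits


# Constructed samples (not real malware), enough to exercise each check.
SAMPLE_FILES = {
    # MZ magic plus one rule string bordered by NULs -> rule fires
    "dropped.dll": b"MZ" + b"\x00" * 64 + b"EscalateThread start" + b"\x00" * 16,
    # same string glued to other letters -> 'fullword' rejects it
    "benign.dll": b"MZ" + b"\x00" * 64 + b"XEscalateThread startX",
    # not a PE at all, so the header check fails first
    "notes.txt": b"EscalateThread start",
}
SAMPLE_LOGS = [
    "2018-07-10T09:12:01Z 10.0.0.21 GET http://careers.fwo.com.pk/css/printer.exe 200",
    "2018-07-10T09:12:05Z 10.0.0.21 GET https://www.example.org/index.html 200",
    "2018-07-10T09:13:44Z 10.0.0.37 CONNECT https://0x0.ignorelist.com:443/ 200",
]

if __name__ == "__main__":
    print(sweep(SAMPLE_FILES, SAMPLE_LOGS))
```

Run it against the constructed samples and only dropped.dll trips the rule logic, while the two proxy lines that touch careers.fwo.com.pk and 0x0.ignorelist.com are reported with their line numbers; benign.dll shows why the rule’s fullword qualifier matters, since a naive substring search would flag it. For a real sweep, feed the function the contents of the files you want to triage and the lines of your proxy or DNS logs; a hash hit is conclusive, whereas a host or rule hit is a lead to investigate.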

Reference

  • https://www.alienvault.com/blogs/labs-research/off-the-shelf-rats-targeting-pakistan
  • https://exchange.xforce.ibmcloud.com/collection/Spear-Phishing-Campaign-Targets-Users-via-Pakistani-Themed-Documents-8f00c621e4e1a1c3444118eb74f362ee

About the Author: CWZ

Founder of Cyberwarzone.com.