Trellix detects malicious spear phishing email campaign targeting government agencies

A malicious campaign has been targeting government agencies across the U.S., India, Afghanistan, Italy, and Poland since 2021, the Trellix Email Security Research Team discovered. The attack starts with a spear phishing email carrying a geopolitical lure built around the India-Afghanistan relationship.

“The attacker used politics as a lure to trick users into clicking on a malicious link. The email used for this phishing attack contains an attachment or a weaponized URL that delivers an Excel sheet,” Sushant Kumar Arya and Mohsin Dalla, Trellix researchers, wrote in a company post on Wednesday. “Upon opening the Excel sheet, Excel executes an embedded malicious macro which then decrypts and installs a Remote Access Trojan (AsyncRAT & LimeRAT) and maintains persistence. Once the Remote Access Trojan is installed on the victim machine, it establishes communication with a Command-and-Control server used to exfiltrate victim data.”

The Remote Access Trojan can take screenshots, capture keystrokes, record credentials/confidential information, and add infected systems to botnets, Trellix said. “It can also perform network discovery and move laterally to other systems in the affected organization. The email used in this attack originated from the South Asia region which suggests the involvement of a South Asian threat actor. Trellix Email Security has detection coverage for this malicious campaign,” it added.

The attacker sent emails for a short interval and then went back into hiding, Trellix said. “This was followed by subsequent similar waves. The first wave of attack was noticed during March-April 2021, followed by another in July 2021, then again in December 2021, and most recently during end of March 2022,” it added.

The attackers also used the free Gmail service to send the spear phishing emails. Email header analysis showed that the messages originated from Google servers and were sent from the South Asia region, and the sender's time-zone offset (UTC+05:00) further points to South Asian threat actors. That offset is set by the sending client, so it corroborates the attribution rather than proving it.

“The spear phishing email was themed around geopolitical news related to India like ‘Indian Nationals ( who were hidden in Kabul ) Killing in Kabul Tonight’ and ‘Indian workers missing from the dam project’,” the researchers said. “More recently, the email used a COVID theme with the subject – ‘31 Covid Deaths In 24 Hours: Information campaign by NDTV’. The email had a Google Drive link serving a malicious ZIP file. In some cases, the malicious ZIP was sent as an email attachment. The ZIP contains an Office document which is used to drop a RAT (Remote Access Trojan),” they added.

Trellix said that the document file (DOC/XLS) acts as a dropper that writes and executes a file named ‘msword.exe’. The Excel sheet carries a VBA macro that runs when the document is opened and macros are allowed. “The malicious executable code is stored in the document file itself (within a form text field) in the base64 encoded format. The VBA macro reads the base64 content, decodes it, and then decrypts the decoded content with a hardcoded XOR key. Multiple levels of base64 decoding and XOR decryption are used to obfuscate the malicious executable file,” it added.
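The layered base64-then-XOR wrapping Trellix describes is what an analyst has to reverse to pull the embedded executable out of the document without running the macro. The script below is an added example (not Trellix's code and not the macro itself): it builds a constructed sample the way the macro would store it, then peels the layers back until a PE header appears. The XOR key, layer count and the minimal fake PE are all constructed for the demonstration; on a real sample the key comes from the macro, and the `key=None` path brute-forces a single-byte key per layer by testing whether each candidate yields either a PE or another valid base64 layer.

```python
"""Unwrap a payload hidden as nested base64 + XOR layers in an Office document.

Added example; the key, layer count and fake PE are constructed, not from the
Trellix write-up. Peeling order mirrors the macro: base64-decode, then XOR."""
import base64
import binascii
from typing import Optional, Tuple


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Cheap PE sanity check: 'MZ' magic plus 'PE\\0\\0' at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def wrap(payload: bytes, key: bytes, layers: int) -> bytes:
    """Store a payload the way the macro would: XOR, then base64, repeated per layer."""
    for _ in range(layers):
        payload = base64.b64encode(xor_bytes(payload, key))
    return payload


def _peel(data: bytes, key: Optional[bytes], layer: int, max_layers: int):
    """Recursive peel: decode one base64 layer, XOR it, stop when a PE appears.

    With key=None every single-byte key is tried; a candidate survives only if
    its output is a PE or decodes as another base64 layer, so wrong keys die fast."""
    if layer > max_layers:
        return None
    try:
        decoded = base64.b64decode(b"".join(data.split()), validate=True)
    except binascii.Error:
        return None
    candidates = [key] if key is not None else [bytes([k]) for k in range(256)]
    for k in candidates:
        plain = xor_bytes(decoded, k)
        if looks_like_pe(plain):
            return plain, layer
        inner = _peel(plain, key, layer + 1, max_layers)
        if inner is not None:
            return inner
    return None


def unwrap(blob: bytes, key: Optional[bytes] = None, max_layers: int = 8) -> Tuple[bytes, int]:
    """Return (executable_bytes, layers_removed); raise if no PE is found."""
    result = _peel(blob, key, 1, max_layers)
    if result is None:
        raise ValueError("no PE header recovered within max_layers")
    return result


def fake_pe() -> bytes:
    """Constructed stand-in for msword.exe: MZ header, e_lfanew=0x40, PE signature."""
    hdr = bytearray(b"MZ" + b"\x90" * 0x3A)          # 0x3C bytes of DOS header
    hdr += (0x40).to_bytes(4, "little")             # e_lfanew
    hdr += b"PE\0\0" + b"\x00" * 12                 # NT signature + padding
    return bytes(hdr)


# Constructed sample: 3 layers under a hypothetical 3-byte hardcoded key.
SAMPLE_KEY = b"\x5a\x13\x7e"
SAMPLE_BLOB = wrap(fake_pe(), SAMPLE_KEY, 3)

if __name__ == "__main__":
    exe, n = unwrap(SAMPLE_BLOB, SAMPLE_KEY)
    print(f"recovered {len(exe)} bytes after {n} layers; PE: {looks_like_pe(exe)}")
```

On a real document the blob is the text of the form field (extract it with a tool such as oletools rather than opening the file); whitespace and line breaks inside the field are stripped before decoding. The brute-force path only covers single-byte keys, which is enough to show the idea; for a multi-byte key, take it from the macro source.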

‘msword.exe’ is an SFX archive executable containing multiple malicious executable files, Trellix said. Upon execution, ‘msword.exe’ drops the RAT files, and these RAT executables are obfuscated using ‘Crypto Obfuscator For .Net.’

Trellix said that ‘msword.exe’ then starts the process ‘igfx.exe’, which determines the installed .NET version by checking a fixed sequence of registry keys. If one of the keys is found, the AsyncRAT build matching that .NET version is selected and renamed to ‘excel.exe’; if none of the keys is found, the file ‘3_5’ (LimeRAT) is used instead.

Earlier this week, AttackIQ released two new attack graphs that emulate different aspects of OilRig's campaigns, so that customers can validate their security controls and defenses and improve cybersecurity readiness. Based on the research, OilRig has targeted various sectors, including government, financial services, energy, resources and utilities, manufacturing, telecommunications, and technology.
