India – Pakistan tensions are flaring up as hashtags like #PakistanStrikesBack make headlines across the world after Pakistan's air force humiliated India by shooting down two of India's fighter jets over Pakistani airspace. This week we identified two new spear-phishing campaigns that appear to target India's military. A newly compiled malicious document carrying a macro was sent this week:
Malicious Document: "Destruction of Jaish Camp and Dead Bodies of Terrorists.doc" SHA1:cd3bb41346fdc37053dc6b5a83f2c77fe4e2c3bf MD5:41b70737fa8dda75d5e95c82699c2e9b
The title refers to the Indian air strikes targeting the Kashmiri separatist group "Jaish-e-Mohammed" three days ago, on February 25th, 2019.
Once the victim opens the malicious Word document and enables the macro, the following occurs:
The malicious document drops the following files:
C:\Users\All Users\Hurmz\rgiwsdasxa.exe  SHA1: 6aedaf0ad86c7e45f19ff7a1ad1876bd18ff8b90  MD5: 2eb4469c76f5230c66626a6918c7664f
C:\Users\All Users\Hurmz\rgiwsdasxa.zip  SHA1: 0080c82c91c89375208cd8e7b48d3851a01dfdc7  MD5: e0e9c625adab63c255a0e16fe8683189
C:\ProgramData\Hurmz\rgiwsdasxa.exe  SHA1: 6aedaf0ad86c7e45f19ff7a1ad1876bd18ff8b90  MD5: 2eb4469c76f5230c66626a6918c7664f
C:\ProgramData\Hurmz\rgiwsdasxa.zip  SHA1: 0080c82c91c89375208cd8e7b48d3851a01dfdc7  MD5: e0e9c625adab63c255a0e16fe8683189
(On Windows Vista and later, C:\Users\All Users is a junction to C:\ProgramData, so these are the same two files seen under both paths; the identical hashes confirm this.)
The file "rgiwsdasxa.exe" connects to its C2 and sends it basic information about the victim, including the computer name, username and running processes:
C2: 216.176.190.98
Port: 3386
C2 DATA: …..info=command…..rgiwsdasxa-info=user=….|user3083-workstation|user3083||6>1|S.P.1.0|| ||C:\ProgramData\Hurmz\…..getavs=avpro…..rgiwsdasxa-getavs=processs….3024>SearchIndexer>0><3360>conhost>0><352>svchost>0><1116>spoolsv>0><2408>conhost>0><524>winlogon>0><1412>taskhost>0><156>mscorsvw>0><428>csrss>0><2028>rgiwsdasxa>0><336>TPAutoConnSvc>0><2012>svchost>0><512>lsm>0><956>svchost>0><2304>wmpnetwk>0><2644>msdtc>0><3176>svchost>0><504>lsass>0><412>wininit>0><1300>armsvc>0><4016>rgiwsdasxa>0><760>svchost>0><2024>SearchProtocolHost>0><3512>conhost>0><3660>mscorsvw>0><1540>WmiPrvSE>0><1548>VGAuthService>0><924>svchost>0><1012>audiodg>0><4084>svchost>0><652>svchost>0><716>vmacthlp>0><472>services>0><1628>explorer>0><1004>svchost>0><3352>TPAutoConnect>0><4000>cmd>0><3124>SearchFilterHost>0><1656>vmtoolsd>0><360>csrss>0><1348>svchost>0><812>svchost>0><276>smss>0><1876>OSPPSVC>0><1608>dwm>0><1872>taskhost>0><4>System>0><1160>svchost>0><0>Idle>0>
The IP range 216.176.176.0/20 belongs to a Seattle company, Wowrack.com, but the smaller range in which the C2 (216.176.190.98) resides has been subleased.
The IP range 216.176.190.96/27 is based out of China, per the ARIN record:
NetRange: 216.176.190.96 - 216.176.190.127
CIDR: 216.176.190.96/27
NetName: 216-176-190-96-27-ZHAOWEIWANG
NetHandle: NET-216-176-190-96-1
Parent: WOW-IPV4-NET1 (NET-216-176-176-0-1)
Customer: ZHAO WEI WANG (C03101887)
RegDate: 2012-07-14
Updated: 2012-07-14
Ref: https://rdap.arin.net/registry/ip/216.176.190.96
CustName: ZHAO WEI WANG
Address: gan jing zi 5-1-1
City: da lian
StateProv:
PostalCode: 116000
Country: CN
RegDate: 2012-07-14
Updated: 2014-03-27
IOCs
Malicious Document: "Destruction of Jaish Camp and Dead Bodies of Terrorists.doc" SHA1:cd3bb41346fdc37053dc6b5a83f2c77fe4e2c3bf MD5:41b70737fa8dda75d5e95c82699c2e9b
Filename: rgiwsdasxa.exe SHA1:6aedaf0ad86c7e45f19ff7a1ad1876bd18ff8b90 MD5:2eb4469c76f5230c66626a6918c7664f
Filename: rgiwsdasxa.zip SHA1:0080c82c91c89375208cd8e7b48d3851a01dfdc7 MD5:e0e9c625adab63c255a0e16fe8683189
C2: 216.176.190.98 Port: 3386
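As an added example (not code from the original report), the following Python parses the beacon format captured above, flags the markers a sensor or analyst can key on, and hashes files in the two drop directories against the IOC list. The beacon field layout is inferred from the single capture on this page and is therefore an assumption, and the sample beacon is a constructed, trimmed copy of that capture.

```python
import hashlib
import re
from pathlib import Path
# SHA1 hashes taken from the IOC section of the report.
IOC_SHA1 = {
    "cd3bb41346fdc37053dc6b5a83f2c77fe4e2c3bf": "Destruction of Jaish Camp and Dead Bodies of Terrorists.doc",
    "6aedaf0ad86c7e45f19ff7a1ad1876bd18ff8b90": "rgiwsdasxa.exe",
    "0080c82c91c89375208cd8e7b48d3851a01dfdc7": "rgiwsdasxa.zip",
}
MALWARE_IMAGE = "rgiwsdasxa"  # image name of the dropped executable
DROP_DIRS = [Path(r"C:\ProgramData\Hurmz"), Path(r"C:\Users\All Users\Hurmz")]
# Process entries look like PID>name>flag> joined by '<' (inferred from the one capture; assumption).
PROC_RE = re.compile(r"(\d+)>([^<>]*)>(\d+)>")

def parse_process_list(beacon):
    """Return (pid, image name) pairs from the 'getavs=' part of a beacon."""
    tail = beacon.partition("getavs=")[2]
    return [(int(pid), name) for pid, name, _ in PROC_RE.findall(tail)]

def beacon_flags(beacon):
    """Content checks an analyst can apply to a stream towards the C2 on port 3386."""
    procs = parse_process_list(beacon)
    return {
        "has_info_marker": f"{MALWARE_IMAGE}-info=" in beacon,
        "has_getavs_marker": f"{MALWARE_IMAGE}-getavs=" in beacon,
        "drop_path_reported": "\\Hurmz\\" in beacon,
        "malware_pids": [pid for pid, name in procs if name == MALWARE_IMAGE],
        "process_count": len(procs),
    }

def sha1_of(path):
    with open(path, "rb") as f:
        return hashlib.sha1(f.read()).hexdigest()

def scan_drop_dirs(dirs=DROP_DIRS):
    """Hash every file in the known drop directories and report IOC hits."""
    hits = []
    for d in dirs:
        for p in (d.iterdir() if d.is_dir() else []):
            digest = sha1_of(p) if p.is_file() else None
            if digest in IOC_SHA1:
                hits.append((str(p), IOC_SHA1[digest]))
    return hits
# Constructed sample: a trimmed copy of the beacon shown in the report.
SAMPLE_BEACON = (
    "rgiwsdasxa-info=user=|user3083-workstation|user3083||6>1|S.P.1.0|| ||"
    "C:\\ProgramData\\Hurmz\\ rgiwsdasxa-getavs=processs3024>SearchIndexer>0>"
    "<3360>conhost>0><352>svchost>0><2028>rgiwsdasxa>0><4016>rgiwsdasxa>0>"
    "<4>System>0><0>Idle>0>"
)
```

The two rgiwsdasxa PIDs in the process list are the beacon reporting the implant's own image name, which makes the process list itself a useful host-side indicator alongside the file hashes.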