Bahamut Possibly Responsible for Multi-Stage Infection Chain Campaign
Authored by: Gage Mele, Tara Gould, Winston Marydasan, and Yury Polozov
Key Findings
- Anomali Threat Research discovered cyberthreat actors distributing malicious documents exploiting a vulnerability (CVE-2017-8570) during a multi-stage infection chain to install a Visual Basic (VB) executable on target machines.
- This exploitation creates a backdoor that appears to only retrieve an infected machine’s username, possibly indicating reconnaissance activity.
- We assess with low confidence, based on limited technical intelligence and targeting consistent with previously observed activity, that the advanced persistent threat (APT) cyberespionage group known as Bahamut may be responsible for this campaign.
- Bahamut is a “group for hire” and typically targets entities and individuals in the Middle East and South Asia with spearphishing messages and fake applications as the initial infection vector.
Overview
Based on a discovery in mid-February 2021, Anomali Threat Research assesses with low confidence that the APT cyberespionage group-for-hire Bahamut has been conducting malicious activity against multiple targets since at least June 4, 2020. While researching malicious files, our researchers analyzed a .docx file (List1.docx) that contained a shared bundled component with another .docx file that was communicating via template injection with lobertica.info, a domain previously attributed to Bahamut.[1] Further analysis of this file and the infection chain it follows is provided in subsequent sections below.
The header dates of a template injection domain (lobertica.info/fefus/template.dot) contacted by Screeshot from NACTA Website.docx (including “Screeshot” spelling error) indicated malicious activity dating back to at least June 4, 2020. The title of the document may be a reference to Pakistan’s National Counter Terrorism Authority (NACTA), which would be consistent with Bahamut’s previous targeting and geographical location. The June timeframe also aligns with Pakistan’s virtual meeting with the Financial Action Task Force (Groupe d’Action Financière) held on June 24, 2020, which resulted in keeping Pakistan on the financial grey list for terrorism funding.[2] Additionally, in June 2020, between the 9th and 15th, the United Arab Emirates (UAE) and Pakistan conducted repatriation flights for Pakistani nationals in the UAE. And, as of June 29, the UAE suspended passengers from Pakistan, until more COVID-19-related facilities could be created.[3] While the timing may be coincidental, sophisticated threat actors such as Bahamut are known to use real-world events as themes for targeted cyber campaigns. Historically, in December 2016, Bahamut reportedly targeted human rights activists in the Middle East with spearphishing attacks to deliver Android-based malware, this persisted through 2018, with the targeting of entities and individuals in Egypt, Iran, India, Pakistan, Palestine, Qatar, Tunisia, and the UAE.[4]
Details
Anomali Threat Research identified malicious .docx files that exploit a remote code execution (RCE) vulnerability (CVE-2017-8570). The activity apparently began in June 2020 and continued through at least mid-February 2021. The actors used at least three files with generic names: List1.docx, List for Approval.docx, and report.doc, and one appearing to employ a NACTA theme with a typo: Screeshot from NACTA Website.docx. (Figure 1)
Figure 1 – Infection Chain
Technical Analysis
Threat actors distributed .docx files with the objective of dropping a rich text format (RTF) file that began the infection process for additional malicious activity. Analysis of the .docx revealed a multi-step infection process.
The graphic below displays the connection between the malicious files and actor infrastructure (see Figure 2). The .xml file at the top is shown as the bundled component that is contained inside other .docx files. The .docx files used template injection to download a file from a malicious domain. Next, we observed an .rtf file being dropped that contained multiple files with the objective to drop VB executables. The final layer in the chart shows the IP addresses we observed communicating with the malicious files.
Figure 2 – Malicious Infrastructure
Figure 3 – Self Signed Certificate on 185.175.158.227
Figure 3 above shows a self-signed certificate on the IP 185.175.158.227, a method Bahamut has used in the previous activity.[5] Bahamut has also been reported to have a preference for utilizing the marketing email service MailKing.[6] The alignment of these data points, while not conclusive, further supports the assessment that this activity may be related to Bahamut.
DOCX Analysis
Analyzed file – List1.docx
MD5 – 3df18ecd55f8e267be39f6f757bcd5f0
The analyzed document is a .docx file with an embedded RTF object from memoadvicr.com/kodec/report.doc (see Figure 4). The external target is placed in the ‘webSettings.xml.rels’ file, which will download the RTF file. As shown in Figure 4 the dropped file is called report.doc, which will be analyzed in the subsequent section.
Figure 4 – Embedded RTF Object
RTF Analysis
Analyzed File – report.doc
MD5 – 9dc1cdba6d5838f7984de89521f18ae8
The analyzed document is an RTF file downloaded from a .docx file containing an obfuscated .sct file that exploits CVE-2017-8570 (RCE). Exploitation of the vulnerability allows execution of the .sct file that in-turn executes other files dumped from the RTF. Filenames contained in the RTF (shown in Figures 5-6) include: eisghfgh321.tmp, d.tmp, E.sct.
Figure 5 – OLE Package File Information for .tmp Files
Figure 6 – OLE Package File Information for. sct File
The obfuscated .sct file contents were mixed with unwanted comments and confusing variable names to inhibit static analysis. (Figure 7). But, once reconstructed with comprehendible variable names and stripped of random strings, we were able to construct a more comprehensible version of this .sct file (Figure 8).
Figure 7 – Obfuscated .sct File Contents
Figure 8 – Beautified. sct File Contents
With a better understanding of the .sct file, we determined that the script checks the existence of the dropped file within the %temp% folder of the victim machine. This is the file that dropped during the exploitation of the CVE-2017-8570.
Next, the function routine readBinary reads the data in eisghfgh321.tmp and the script replaces the first two bytes with MZ and substitutes the last two zero bytes until eisghfgh321.tmp is molded into dwmm.exe. The executable is then dropped in the %PUBLIC% folder on an infected machine.
The script again checks for the existence of this malicious executable in %PUBLIC% folder and, if it exists, the winword.exe process is killed to close the initially opened decoy document. Lastly, the executable – written in VB – functions as a backdoor on an infected machine. After decompiling the code, we found that the POST payload, dwmm.exe, is generated on-the-fly and dropped while communicating with the actor’s C2 via a POST request to the actor’s Command and Control (C2) server (see Figure 9).
Figure 9 – dxmm.exe POST Request
Analysis of the POST request shows that it will send back the username that was found located between “pt” and “tion,” as shown in Figure 10 below with brutal serving as the username.
Figure 10 – dxmm.exe POST Request Information
Conclusion
Bahamut is a sophisticated APT group that utilizes anti-analysis techniques and multi-stage infection chains. Additionally, like many other APT groups, they employ social engineering and user interaction for the initial infection through spearphishing emails and messages. While we have identified many consistencies between this most recently discovered campaign and previously reported activity attributed to Bahamut, and the targeting appears to be consistent with Bahamut’s assessed interests, due to the lack of enough unique indicators of compromise or tactics, techniques, and procedures (TTPs) we can only assess with “low confidence” that Bahamut may be behind this activity. We will continue monitoring this group for additional malicious activity and provide details when appropriate.
MITRE TTPs
Application Layer Protocol – T1071
Command and Scripting Interpreter: Visual Basic – T1059.005
Data Staged: Local Data Staging – T1074.001
Deobfuscate/Decode Files or Information – T1140
Masquerading – T1036
Obtain Capabilities: Vulnerabilities – T1588.006
Phishing – T1566
Phishing: Spearphishing Attachment – T1566.001
System Information Discovery – T1082
Template Injection – T1221
User Execution – T1204
User Execution: Malicious File – T1204.002
Endnotes
[1] BlackBerry Research and Intelligence Team, “Bahamut: Hack-for-Hire Masters of Phishing, Fake, News, and Fake Apps,” BlackBerry, accessed March 9, 2021, published October 2020, https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf, 81.
[2] “Pakistan’s case not taken up ate FATF meeting: FO,” Dawn, accessed March 9, 2021, published June 27, 2020, https://www.dawn.com/news/1565473; “Pakistan needs legislation to meet three outstanding FATF benchmarks: Report,” Hindustan Times, accessed March 9, 2021, published March 2, 2021, https://www.hindustantimes.com/world-news/pakistan-needs-legislation-to-meet-three-outstanding-fatf-benchmarks-report-101614669450193.html.
[3] “Coronavirus: more repatriation flights from UAE to Pakistan announces,” The National, accessed March 10, 2021, published June 9, 2020, https://www.thenationalnews.com/lifestyle/travel/coronavirus-more-repatriation-flights-from-uae-to-pakistan-announced-1.1030914; “UAE suspends receiving passengers from Pakistan as of June 29 over COVID fears,” Reuters, accessed March 10, 2021, published June 28, 2020, https://www.reuters.com/article/us-health-coronavirus-emirates-pakistan/uae-suspends-receiving-passengers-from-pakistan-as-of-june-29-over-covid-fears-idUSKBN23Z0RM.
[4] Collin Anderson, “Bahamut, Pursuing a Cyber Espionage Actor in the Middle East, Bellingcat, accessed March 9, 2021, published June 21, 2017, https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/; Warren Mercer, et al., “Advanced Mobile Malware Campaign in India uses Malicious MDM – Part 2,” Cisco Talos Blog, accessed March 10, 2021, published July 25, 2018, https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; https://www.thaicert.or.th/downloads/files/A_Threat_Actor_Encyclopedia.pdf, 35; BlackBerry Research and Intelligence Team, “Bahamut: Hack-for-Hire Masters of Phishing, Fake, News, and Fake Apps,” BlackBerry, 5; Taha Karim, “IN THE TRAILS OF WINDSHIFT APT,” DarkMatter, accessed March 10, 2021, published August 2018, https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf, 13.
[5] BlackBerry Research and Intelligence Team, “Bahamut: Hack-for-Hire Masters of Phishing, Fake, News, and Fake Apps,” BlackBerry, 49.
[6] Ibid.
IOCs
Domains and URLs
http://lobertica.info
http://lobertica.info/fefus/
http://lobertica.info/fefus/report.doc
http://lobertica.info/fefus/template.dot
http://lobertica.info/msoll/igtxpres.zip
http://zovwelle.com
http://zovwelle.com/opregftyro/ijkbfumnbvc.php
http://memoadvicr.com
http://memoadvicr.com/kodec/report.doc
http://memoadvicr.com/dvsec/report.doc
http://fastfiterzone.com/sdjfbjsgdlfvfd/gfdbvgfgggh.php
EXEs
04e05054e9e4f1c6cba9292fcad9e06f
61639f301c4cdadfd6c4a696375bdc99
Files
.docx
68d0e326e18bd7ec50db011f9c119e25
de1f5c8223505f7e8c64a4b852614b14
3df18ecd55f8e267be39f6f757bcd5f0
RTF
9dc1cdba6d5838f7984de89521f18ae8
Scriplet
d3e989f44fe3065ec501fe7f0fc33c3e
Bundled
11eb560d256383859b8135cfbbf98e30
IPs
185.183.161.125
185.175.158.227
208.91.197.54
194.120.24.116
93.184.220.29
194.67.93.17