A couple of days ago, we noticed that a few somewhat suspicious text messages, claiming to give the user "free internet" and other things, was being circulated. The download link in the SMS, along with others received, claiming "To find any Bangladeshi number location and number owner address information, please just visit the following link:" and "Free Antivirus Download", were sent to the Beetles Threat hunting team for analysis of a suspected malware attack.
Beetles’ Advanced Persistent Threat (APT) Hunting Team, quickly identified, from the links in the sms, that once a user visits the threat actor's domains and clicks on submit, the following took place:
- www.bd2bd.com and www.registerbd.com - Downloads a weaponised .doc file.
- www.pc-net.org - downloads a Compressed ZIP folder containing 3 weaponised .doc files.
- www.revetm.com - downloads a .exe file.
The purpose of the .doc files are to serve as a malware delivery mechanism to infect the user PC with a Remote Access Tool (RAT). To be specific, the threat actor is using the Luminosity malware family Link's RAT, which can be found online and costs as little as $39.99 for a lifetime license. The RAT is a trojan software that works in the background and allows a remote "operator" to control a system as if they have physical access to that system. Even though there are multiple desktop sharing and remote administration readily available in the market, a RAT is installed as a trojan and runs without the victim's knowledge. It has a malicious intent and is able to hide its processes from the victim as well as most antivirus softwares.
The Operation, labeled "Operation Brightroar", yielded that the threat actor was infecting unsuspecting users with his version of the Luminosity Remote Access Tool and is able to conduct detailed surveillance on the user's device, including logging all keystrokes, extracting passwords from major web browsers and email clients and search for and upload specific files from the user's device, among other things.
Recon of the Phishing sites
We received multiple campaign SMS of the following websites:
The first 4 websites were found to be hosted on the same web server. But the last website, which uses a clone portal for Reve antivirus as a decoy was hosted on a separate web server.
The document files, which were downloaded from those phishing websites were suited with the following exploits:
The downloaded document file had no content and the office suite crashes as soon as any user opens them. The crashing was an indication of successful exploitation.
The malware drops a file, putty.exe and executes it.
Later, it creates a windows startup item with the same binary in order to remain persistent. The item which was added to the windows startup was found to be named as mozillatm.exe. Other than this there is another backup startup option registered, named as mozillatms.exe.
Mozillatm.exe is a .net executable and the file is highly obfuscated.
We identified a cryptography library inside the malware. This library is used to encrypt/decrypt C&C communication. It was observed that the malware loads the cryptographic library into memory.
The malware is classified as an active persistent threat, even though it is not a proper FUD malware but it used an encryption method and went under the hood for many popular antivirus.
The malware creates a folder in the following location and stores victims key stroke logs, screenshots etc on different folder. We found evidence that these stolen screenshot and logs are transmitted to the c&c server time to time.
Command and Control(C2) Hunt
The malware connects to a command and control server via TCP protocol. The analysed sample connected to 188.8.131.52 on port 13106.
The malware transmits various information of the active window to the c2 server.
We got our hands on the malware configuration by analysing the behaviour and dissecting the malware with the help of readily available community tools.
The purpose of this specific attack is not clear yet. The mother RAT, Luminosity has a feature of cryptocurrency mining via slave machines. That might be a reason given the current hype on cryptocurrency markets, but there was no solid evidence for this claim. However, the attacker group are well oriented about Bangladeshi peoples psychology which can be understood by analyzing their scamming pattern and offers like "bio-metric registered sim information fetching" or "free internet campaign" etc.
We could not determine the number of total infected users, but given the spreading mechanism and scamming offers, it is obvious that there are already thousands of victim affected by this attack.
To summarize: The affected PCs are now being remotely access and controlled by the actor or actors behind this attack. The attacker has been collecting logs on Keystrokes, accessing files and uploading them and in some cases may also have remote access of webcams and microphones.
For future reference, do not click on unknown links and do not download junk files. If it sounds too good to be true, it probably is. Be smart! Be safe!
File name: PC-NET-Setting.doc
File name: PC-NET-Setting1.doc
File name: PC-NET-Setting2.doc
Our findings prove that there is a competent threat actor working behind this threat, now given that to collect such massive data takes an incredible amount of resources, time, manpower and motivation, we assess there could be a group actor involved.
During the course of our research, we did manage to identify a few individuals who we think are associated with this attack. We will not make their identities public here, but if any law enforcement agency asks us for it, we'd happily comply.
This is currently an ACTIVE THREAT FOR BANGLADESH!!