In April 2023, SentinelLabs reported to be tracking a cluster of malicious documents that were focused on attacking the Indian Education Sector. The malicious documents are intended for staging CrimsonRAT, a Remote Access Trojan (RAT) that has been distributed since at least 2016 by the Pakistani-based adversary APT36, also known as Transparent Tribe. Previous activities of this politically motivated adversary, that has been active since 2013, have been previously emulated by AttackIQ in late 2022.
Researchers have determined that this incident is connected to the group’s previously documented actions aimed at the education sector in the Indian subcontinent. It is assessed that the objective of the adversary is to keep track of the research endeavors of opposing nations, highlighting the significant role this activity plays in fulfilling the goals and interests of the authorities that APT36 represents.
AttackIQ has released a new attack graph that aims to emulate recent activities led by the politically motivated Pakistan-based adversary APT36 against objectives localized in the Education sector within the Indian subcontinent.
Validating your security program performance against these behaviors is vital to reducing risk. By using this new attack graph in the AttackIQ Security Optimization Platform, security teams will be able to:
- Evaluate the performance of security controls against a highly sophisticated, long-standing adversary.
- Assess their security posture against the Tactics, Techniques and Procedures (TTPs) that APT36 has successfully employed in multiple incidents.
- Continuously validate detection and prevention channels against a highly determined and politically motivated threat.
APT36 – 2022-08 – Attack Targeting the Indian Education Sector with CrimsonRAT
(Click for Larger)This attack graph emulates the activity led by APT36 in which the adversary delivered malicious Microsoft Office documents which were intended for staging CrimsonRAT, a Remote Access Trojan (RAT) which has been actively distributed since at least 2016. The final goal of this activity is to exfiltrate sensitive information collected from the compromised environment.
(Click for Larger)This attack graph starts with the download and saving of the malicious document used by APT36, which is designed to drop a sample of a Remote Access Trojan (RAT) known as CrimsonRAT. Then the registry Run hive is queried to check if the system has already been compromised and, if not, persistence is achieved by creating a new entry in it.
Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious content.
Command and Scripting Interpreter (T1059): CrimsonRAT uses “set” command to get a listing of the current environment variables.
Query Registry (T1012): The HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key is queried to check if the Kosovo value exists.
Logon Autostart Execution: Registry Run Keys (T1547.001): This scenario sets the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key that Windows uses to identify what applications should be run at system startup.
(Click for Larger)After successfully acquiring persistence on the system, APT36 investigates the compromised environment looking for indicators of a virtual machine or sandbox, with the objective of evading dynamic analysis systems.
Windows Management Instrumentation (T1047): This scenario uses wmic commands to collect hardware information, such as CPU and Motherboard properties.
(Click for Larger)The third stage of the attack is focused on local environment discovery with the adversary seeking to gather relevant system information. During this stage, the adversary seeks to obtain information such as the current network configuration, interesting files and directories, peripheral devices, and installed security software.
System Information Discovery (T1082): The native systeminfo command is executed to retrieve all of the Windows system information.
System Owner / User Discovery (T1033): Live off the land by running whoami and users to gain details about the currently available accounts and permission groups.
System Network Configuration Discovery (T1016): The network configuration of the asset is collected using standard Windows utilities like ipconfig, arp, route, and nltest.
File and Directory Discovery (T1083): This scenario uses the native dir command to find files of interest and output to a temporary file.
Process Discovery (T1057): Window’s built-in tasklist command is executed as a command process and the results are saved to a file in a temporary location.
Peripheral Device Discovery (T1120): This scenario retrieves information about systems peripherals such as logical drives, physical memory, network cards through the execution of commands and binaries.
Security Software Discovery (T1518.001): A PowerShell script is executed to determine which software has been installed as an AntiVirusProduct class.
(Click for Larger)In the last stage of the attack, the adversary will seek to collect sensitive system information, such as files located on removable media, browser passwords, screenshots and keystrokes. Lastly, the collected information will be exfiltrated via an HTTP POST request.
Data from Removable Media (T1025): The native utility fsutil is used to identify any additional hard disks connected to the host. PowerShell is then used to iterate through every removable media device and harvest a list of files.
OS Credential Dumping (T1003): This scenario uses the open-source tool LaZagne to dump all possible credentials available on the host.
Email Collection (T1114.001): This scenario will look for .pst and .ost files (email files used by Outlook) under the user profile directories recursively.
Screen Capture (T1113): This scenario executes a PowerShell script that utilizes the Graphics.CopyFromScreen Method from the System.Drawing namespace to collect screenshots from the compromised system.
Input Capture: Keylogging (T1056.001): A keylogger is executed that hooks API callbacks to collect keystrokes typed by a logged in user.
Exfiltration Over C2 Channel (T1041): Files are sent to an AttackIQ controlled server using HTTP POST requests.
Detection and Mitigation Opportunities
With so many different techniques being used by threat actors, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.
1. Logon Autostart Execution: Registry Run Keys (001)
Preventing an actor from maintaining a foothold in your environment should always be one of the top priorities. In this campaign, Registry Run keys were used to check if the system has already been compromised and, if not, creating a new entry in it to achieve persistence.
1a. Detection
Using a SIEM or EDR Platform to see modifications to the Run and RunOnce keys will alert when unauthorized users or software makes modifications to the keys that allow programs to run after startup.
Process Name == reg.exe
Command Line Contains (“ADD” AND “\CurrentVersion\Run”
1b. Mitigation
MITRE ATT&CK does not have any direction mitigations as this is abusing legitimate Windows functionality. They recommend monitoring registry changes and process execution that may attempt to add these keys.
2. Exfiltration Over C2 Channel (T1041)
This attack results in the immediate exfiltration of sensitive data from the infected host. IDS/IPS and DLP solutions are well suited for detecting and preventing sensitive files from being sent to a suspicious external host.
2a. Detection
The data is being exfiltrated without any throttling or additional encoding or encryption from the backdoor. All data is being sent via HTTP POSTs in plain text and therefore should be easier to detect using Data Loss Prevention controls.
Additionally, since these requests are not throttled, network traffic can be monitored for anomalous traffic flow patterns that can identify single systems, typically client assets that are sending out significant amounts of data.
2b. Mitigation
MITRE ATT&CK has the following mitigation recommendations:
Wrap-up
In summary, this attack graph will help organizations evaluate security and incident response processes and support the improvement of your security control posture against a highly prolific and sophisticated cybercriminal. With data generated from continuous testing and use of these attack graphs, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.
AttackIQ stands at the ready to help security teams implement this attack graph and other aspects of the AttackIQ Security Optimization Platform, including through our fully managed service, AttackIQ Ready!, and our co-managed security service, AttackIQ Enterprise.
