It is not uncommon for cybercriminals to target specific countries or regions. They often employ this strategy
In this blog, we describe in detail the email attack vector of this targeted campaign, the technical analysis of the discovered backdoors, and our conclusions on this attack.
Below is the email that was sent to the government officials in NABARD, which contained a malicious archive file attachment.
Figure 1: Email sent with malicious attachment to NABARD.
The email attachment filename is: KCC_Saturation_letter_to_all_StCBs_RRBs_pdf.zip
This archive contains an HTA file inside it that performs the malicious activities.
The MD5 hash of the HTA file is: 23b32dce9e3a7c1af4534fe9cf7f461e
The theme of the email is KCC Saturation, which refers to the Kisan Credit Card scheme described on the official NABARD website.
The attackers chose this theme because it is relevant to the Department of Refinance, which makes the email look more legitimate.
We used the email headers to trace the origin to hosteam.pl, a hosting provider in Poland, as shown below:
X-Auth-ID: [email protected]
Received: by smtp10.relay.iad3b.emailsrvr.com (Authenticated sender: syeds-AT-rockwellinternationalschool.com) with ESMTPSA id 0928BE00BD;
Mon, 20 Apr 2020 21:33:53 -0400 (EDT)
X-Sender-Id: [email protected]
Received: from WINDEB0UPGVCUK (unused-31-133-6-113.hosteam.pl [126.96.36.199])
(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384)
by 0.0.0.0:465 (trex/5.7.12);
Mon, 20 Apr 2020 21:34:40 -0400
The same HTML Application (HTA) file was also sent as an archive attachment to IDBI Bank, as shown in Figure 2.
Figure 2: The email sent with a malicious attachment to IDBI bank.
Based on the email headers and the infrastructure used to send the previous emails, we identified more instances of these attacks and attributed them to the same threat actor.
Figure 3 shows an email sent to RBI with an archive file that contains a Java-based backdoor.
Figure 3: The email sent with a malicious attachment to RBI.
Figure 4 shows an email that was used to send an archive file with a Java-based backdoor to Agriculture Insurance Company of India (AIC).
Figure 4: The email sent with a malicious attachment to AIC India.
The contents of the email are in the Hindi language.
In both of the cases above, the Java-based backdoor has the same hash; only the filenames differ.
The hash of the JAR file is: 0ac306c29fde5e710ae5d022d78769f6
The MD5 hash of the HTA file is: 23b32dce9e3a7c1af4534fe9cf7f461e
Upon execution, the HTA file displays junk data in a window that flashes quickly on the screen before auto-closing.
Figure 5: The HTA header in the file.
Figure 6: A long array of encoded strings.
The string decoding and decryption routines are shown in Figure 8.
Figure 8: The string decoding and decryption routines.
After analyzing the string decryption routine, we can see that the RC4 algorithm was used.
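An RC4 decryptor for a string table of this kind, added here as an example and not taken from the sample or the original post. The Base64 layer over each entry, the key and the sample strings are assumptions; since RC4 is symmetric, the constructed sample table is built with the same routine it is decrypted with.

```python
import base64

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key-scheduling (KSA) then keystream generation (PRGA), XORed into data.
    RC4 is symmetric, so the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def decode_string_table(encoded: list, key: bytes) -> list:
    """Base64-decode each table entry, then RC4-decrypt it with `key`.
    The Base64 layer and the key are assumptions for illustration, not the sample's real values."""
    return [rc4(key, base64.b64decode(entry)).decode("utf-8") for entry in encoded]

# Constructed sample: a key and plaintexts chosen here, encrypted with the same routine.
SAMPLE_KEY = b"placeholder-key"  # the post does not disclose the real key
SAMPLE_PLAIN = ["WScript.Shell", "select * from win32_operatingsystem", "_giks"]
SAMPLE_TABLE = [base64.b64encode(rc4(SAMPLE_KEY, s.encode("utf-8"))).decode("ascii")
                for s in SAMPLE_PLAIN]

if __name__ == "__main__":
    for index, plain in enumerate(decode_string_table(SAMPLE_TABLE, SAMPLE_KEY)):
        print(index, plain)
```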
The process of string decryption can be summarized in the following steps:
Figure 9: The main configuration file of the JsOutProx backdoor.
Some of the critical parameters in the above config file are:
The script checks whether it is being executed by mshta, wscript, or an ASP server, as shown in Figure 10.
Figure 10: Checks for source of execution.
The script also has the ability to delay execution as shown in Figure 11.
Figure 11: Delaying execution.
The init() routine gathers different types of information from the system and sends it in an HTTP POST request to the C2 server, as shown in Figure 12.
Figure 12: The main initialization routine.
The individual fields collected during the init() routine are:
Volume serial number: Fetched using the WMI query “select * from win32_logicaldisk” and reading the volumeSerialNumber field.
UUID: This is randomly generated using the getUUID function in the script. The format of the UUID used is: xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx
ComputerName: Host name of the machine.
UserName: Name of the user account under which the script is executing.
OS caption: Fetched using the WMI query “select * from win32_operatingsystem” and reading the Caption field.
OS version: Gathered using the same WMI query as the OS caption.
Tag: This is the tag defined in the configuration of the backdoor. In our case, the tag is Vaster.
The last keyword is “ping,” which is added by the receive() method.
All these values are separated by the delimiter “_|_” and concatenated, then hex encoded and set in the Cookie header called “_giks” of the HTTP POST request sent to the C2 server as shown in Figure 13.
Figure 13: First HTTP POST request sent to the C2 server.
The command and control communication between the backdoor and the C2 server is synchronized using the Cookie in the HTTP requests and responses.
The last field in the cookie indicates the type of client command.
For example, if the cookie is:
Then the client command can be identified as:
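The cookie layout described above, as an added example that is not part of the original post: it rebuilds a _giks value from constructed fields and shows the inverse parse as a log-scanning check that keys on the configured tag and the trailing command keyword. The field names, the log line format and the hosts are assumptions.

```python
import re

DELIM = "_|_"
# Field order of the first beacon as described in the post; the last field is the command keyword.
FIELDS = ("volume_serial", "uuid", "computer_name", "user_name",
          "os_caption", "os_version", "tag", "command")
GIKS_RE = re.compile(r"_giks=([0-9a-fA-F]+)")

def build_giks_cookie(values):
    """Encode a beacon the way the post describes: join with _|_, then hex-encode."""
    return DELIM.join(values).encode("utf-8").hex()

def parse_giks_cookie(hex_value):
    """Hex-decode a _giks value and split it into named fields.
    Returns None when the value is not hex/UTF-8 or lacks the _|_ delimiter."""
    try:
        raw = bytes.fromhex(hex_value).decode("utf-8")
    except ValueError:  # UnicodeDecodeError is a ValueError subclass
        return None
    parts = raw.split(DELIM)
    if len(parts) < 2:
        return None
    fields = dict(zip(FIELDS[:-1], parts[:-1]))  # leading fields by position
    fields["command"] = parts[-1]                # last field = client command
    return fields

def find_beacons(log_lines):
    """Scan proxy log lines for _giks cookies that decode to a JsOutProx-style beacon;
    returns (tag, command) pairs so a detection can key on the configured tag."""
    hits = []
    for line in log_lines:
        for match in GIKS_RE.finditer(line):
            fields = parse_giks_cookie(match.group(1))
            if fields is not None:
                hits.append((fields.get("tag"), fields["command"]))
    return hits

# Constructed sample: placeholder hosts, serial and UUID, not real indicators.
SAMPLE_BEACON = build_giks_cookie([
    "A1B2C3D4", "3f2504e0-4f89-4d3b-9a0c-0305e82c3301", "WKSTN01", "user",
    "Microsoft Windows 10 Pro", "10.0.18363", "Vaster", "ping"])
SAMPLE_LOG = [
    'POST http://c2.example.invalid/ 200 cookie="_giks=' + SAMPLE_BEACON + '"',
    'GET http://intranet.example.invalid/ 200 cookie="session=abc123"',
    'POST http://c2.example.invalid/ 200 cookie="_giks=68656c6c6f"',  # hex, but no delimiter
]

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))  # [('Vaster', 'ping')]
```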
Figure 14 shows the main subroutine in the code that handles all the commands.
Figure 14: The C2 command handler subroutine in JsOutProx.
The descriptions of the commands are given in the table below.
Download and execute the script.
Re-launch the script.
Similar to rst command.
Exit the execution.
Reboot the system.
Shutdown the system.
Shutdown the system.
Use ActiveXObject to execute the VBScript sent by the server.
Uninstall the backdoor.
Install the backdoor.
Invokes the File Plugin.
Invokes the Download Plugin.
Invokes the ScreenPShellPlugin.
Invokes the ShellPlugin.
The MD5 hash of the JAR file is: 0ac306c29fde5e710ae5d022d78769f6
The JAR file is heavily obfuscated in this case. The structure of the JAR file is shown in Figure 15.
Figure 15: The JAR file structure.
There is an AES-encrypted resource present in this JAR file with the name: “jkgdlfhggf.bvl”.
This resource will be loaded and decrypted at runtime as shown in Figure 16.
Figure 16: The Stage 1 resource decryption routine.
This resource is decrypted to another JAR file, which is dropped in the %appdata% directory on the machine with the name jhkgdldsgf.jar.
The dropped JAR file contains all the functionality for this Java-based backdoor. Figure 17 shows the main structure of the JAR file.
Figure 17: The JAR file structure of the Java-based backdoor.
All the strings in this JAR file are obfuscated with the Allatori obfuscator. The string decryption routine is shown in Figure 18.
Figure 18: The string decryption routine.
We described this string decryption routine in more detail in an earlier blog, which also includes a Python implementation of the decryption routine.
The JAR file connects to the C&C server scndppe.ddns.net on port 9050.
This Java-based backdoor is modular in structure and contains several plugins. Figure 19 shows the main network controller code that handles the C&C communication and dispatches the commands to corresponding plugins for further processing.
Figure 19: The network controller command handler.
The controller receives the command along with an array of strings that represent the parameters for the corresponding command.
Each C&C command invokes a plugin that executes the command sent by the server.
Base plugin to exit execution.
Base plugin to restart execution.
Now, we will describe two main plugins in this Java-based backdoor and the commands processed by them.
Filemanager plugin: This plugin is responsible for all file-system-related actions that the attacker can perform remotely. The plugin supports multiple commands, summarized in the table below.
Get list of system drives (including the CD drive).
Get list of files and folders in a directory.
Create a new directory.
Execute a command using Runtime.getRuntime().exec()
Start a new system shell based on the type of OS.
Copy contents of one file to another.
Change the permissions of a file using chmod command (only for Linux and Mac).
Move a file from one location to another.
Delete a file.
Rename a file.
Similar to chm command.
Download a file from the system. The contents of the file are Gzip compressed and Base64 encoded before downloading.
Upload a file to the system. The contents of the file are Gzip decompressed and Base64 decoded before being dropped on the file system.
Screen Plugin: This plugin uses the java.awt.Robot class to perform all mouse and keyboard simulation on the machine, as well as to take screen captures. The commands for this plugin are detailed in the table below.
Fetch the screen size width and height information.
Simulate mouse actions like double click, scroll up and scroll down.
Move the mouse cursor to the specified coordinates.
Take a screen capture.
Send keystrokes to the machine.
Persistence: To ensure that this JAR file is executed automatically when the system reboots, a Windows Run registry key is created as shown below:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v jhkgdldsgf /d '\'C:\Program Files\Java\jre1.8.0_131\bin\javaw.exe\' -jar \'C:\Users\user\AppData\Roaming\jhkgdldsgf.jar\'' /f
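A triage check for this persistence pattern, added here as an example and not taken from the original post: it inspects exported Run values and flags entries where java.exe or javaw.exe launches a JAR from a user-writable AppData path. The plain double-quoted command-line form and the sample entries are constructed.

```python
import re
from pathlib import PureWindowsPath

# Tokenize a Run-key command line: quoted segments stay whole, the rest splits on whitespace.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
JAVA_LAUNCHERS = {"java.exe", "javaw.exe"}

def tokenize(cmdline):
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]

def is_suspicious_run_value(cmdline):
    """True when the value runs java/javaw with -jar and the JAR lives under AppData,
    which is the persistence shape shown in the post."""
    tokens = tokenize(cmdline)
    if not tokens or PureWindowsPath(tokens[0]).name.lower() not in JAVA_LAUNCHERS:
        return False
    try:
        jar = tokens[tokens.index("-jar") + 1]
    except (ValueError, IndexError):  # no -jar switch, or nothing after it
        return False
    parts = [p.lower() for p in PureWindowsPath(jar).parts]
    return jar.lower().endswith(".jar") and "appdata" in parts

def triage_run_values(values):
    """values: mapping of Run value name -> command line, e.g. exported from HKCU\\...\\Run.
    Returns the names of the suspicious entries, sorted."""
    return sorted(name for name, cmd in values.items() if is_suspicious_run_value(cmd))

# Constructed sample export; the first entry mirrors the persistence entry described above.
SAMPLE_RUN_VALUES = {
    "jhkgdldsgf": '"C:\\Program Files\\Java\\jre1.8.0_131\\bin\\javaw.exe" -jar '
                  '"C:\\Users\\user\\AppData\\Roaming\\jhkgdldsgf.jar"',
    "OneDrive": '"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
    "JavaUpdate": '"C:\\Program Files\\Java\\jre1.8.0_131\\bin\\jusched.exe"',
}

if __name__ == "__main__":
    print(triage_run_values(SAMPLE_RUN_VALUES))  # ['jhkgdldsgf']
```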
Figure 20 shows the Zscaler Cloud Sandbox successfully detecting the Java-based backdoor.
Figure 20: The Zscaler Cloud Sandbox detection for this Java-based backdoor.
Figure 21 shows the Zscaler Cloud Sandbox successfully detecting the HTA-based backdoor which contains the JsOutProx RAT.
Figure 21: The Zscaler Cloud Sandbox detection for the HTA-based backdoor.
This threat actor has a specific interest in organisations located in India, and the content of the emails indicates a good knowledge of topics relevant to each of the targeted organisations. The backdoors used in this attack are uncommon; JsOutProx, for example, has only been observed in the wild once before, in December 2019.
The Zscaler ThreatLabZ team will continue to monitor this campaign, as well as others, to help keep our customers safe.
Registry run keys / Startup folder - T1060
File and Directory Discovery
Uncommonly Used Port
Windows Management Instrumentation
23b32dce9e3a7c1af4534fe9cf7f461e – HTA file (JSOutProx)
0ac306c29fde5e710ae5d022d78769f6 – Java-based Backdoor