Researchers at the cybersecurity providers Symantec and Bitdefender recently documented what appears to be a sustained cyberespionage campaign, ongoing since at least October 2016, that targets individuals involved in regional security issues in Pakistan and India. Symantec says that governments and militaries with operations in South Asia and interests in regional security issues would likely be at risk from the malware.
Ehdoor/EHDevel is information-gathering malware capable of logging keystrokes, identifying the victim’s location, stealing personal data, collecting files with certain extensions (office documents, photos, zip archives), taking screenshots and uploading them to a server, fingerprinting the system (network topology, processes, files), and stealing passwords and browser history.
The initial method of infection appears to be an emailed malicious document, often named News.doc, which is in fact an RTF file. A decoy document is included that displays a legitimate news story related to security issues in South Asia to the victim while a backdoor is set up in the background. The backdoor allows the attackers to upload and download files, run processes, log keystrokes, identify the target’s location, steal personal data, and take screenshots. The malware has also been used to target Android devices.
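The lure described above works because Word opens RTF content regardless of the `.doc` extension, so a name-based filter never sees it. The following is an added example, not code from the original post or from either vendor's report, of attachment triage that inspects the leading bytes instead of trusting the extension and additionally flags RTF files that carry embedded objects (the `\object` / `\objdata` control words). The sample files are constructed for this example and contain no real malware; the magic values are the standard signatures for RTF, OLE Compound File (`.doc`) and ZIP (`.docx`).

```python
"""Triage e-mail attachments whose extension disagrees with their real container.

Added example: a mail gateway or incident responder wants to catch a file named
News.doc that is really RTF. The sample files at the bottom are constructed.
"""
from typing import NamedTuple, Optional

# Leading bytes ("magic") of the document formats we distinguish. These are the
# standard signatures: RTF is plain text beginning with "{\rtf", legacy .doc is an
# OLE Compound File, and .docx is a ZIP container.
MAGIC = {
    "rtf": b"{\\rtf",
    "ole": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    "zip": b"PK\x03\x04",
}

# Which container each extension is expected to carry.
EXPECTED = {".doc": "ole", ".docx": "zip", ".rtf": "rtf"}


class Verdict(NamedTuple):
    filename: str
    claimed: str           # extension as presented by the sender
    actual: Optional[str]  # format derived from magic bytes, None if unknown
    mismatch: bool         # True when the extension lies about the container
    embeds_object: bool    # True when an RTF file carries \object or \objdata


def detect_format(data: bytes) -> Optional[str]:
    """Return the container name whose magic bytes the data starts with."""
    for name, magic in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def triage(filename: str, data: bytes) -> Verdict:
    """Compare the claimed extension with the real container and look for embedded objects."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    actual = detect_format(data)
    expected = EXPECTED.get(ext)
    mismatch = expected is not None and actual is not None and actual != expected
    # RTF embeds OLE payloads through the \object group; plain text lures don't need it.
    embeds = actual == "rtf" and (b"\\object" in data or b"\\objdata" in data)
    return Verdict(filename, ext, actual, mismatch, embeds)


# Constructed samples (not real malware): a lure disguised as .doc, a genuine legacy
# .doc header, and a harmless .rtf note.
SAMPLES = {
    "News.doc": b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105}}}",
    "report.doc": MAGIC["ole"] + b"\x00" * 32,
    "notes.rtf": b"{\\rtf1\\ansi Plain text only}",
}


def triage_all(samples=SAMPLES):
    """Run triage over a mapping of filename -> bytes and return verdicts by filename."""
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for v in triage_all().values():
        flag = "SUSPICIOUS" if v.mismatch or v.embeds_object else "ok"
        print(f"{v.filename}: claimed {v.claimed or '(none)'}, actual {v.actual}, {flag}")
```

The extension/magic mismatch alone is a strong signal at a mail gateway because legitimate senders rarely rename RTF files to `.doc`; the embedded-object check is a secondary heuristic and will also fire on benign documents that embed spreadsheets or images, so it belongs in a scoring rule rather than a hard block.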
The versions found show that this malware is under active development. There have been multiple transitions from one programming language to another: the current framework is written in C, but previous versions and modules were built in other languages, including scripting languages.
The malware is highly customizable and uses a modular framework with separate modules for keylogging, system fingerprinting, screen grabbing, data uploading, and so on.
Background: There have been mounting tensions in this region for some time. India and China’s tensions escalated recently over disputed territory near Bhutan. India and Pakistan have longstanding disputes over territory in Kashmir. In the past, heightened political tensions often correspond to an increase in cyberespionage activity.
The attackers using Ehdoor are probably nation-state hackers. According to Symantec, the campaign appeared to be the work of several groups, but the tactics and techniques used suggest that the groups were operating with “similar goals or under the same sponsor”, probably a nation state. Bitdefender suggests that they may be connected to the 2013 Operation Hangover APT, known for using Python-based malware and for making amateur mistakes that indicated a lack of experience or care.
Bitdefender analyzed the compile times of the C framework for this malware, which fell within the window of a typical 9-to-5 work schedule, Monday through Saturday, in a single time zone, UTC+5. Countries within this time zone include Kazakhstan, the Maldives, Pakistan, Russia, Tajikistan, Turkmenistan, and Uzbekistan.
The chosen targets and the information-gathering goal already suggest that the attackers may be working for a nation state. The evolving code written in multiple languages suggests a group, or several groups working in cooperation, rather than an individual. The compile-time window suggests a professional working situation rather than an individual working freelance on a side project, and it points to a nation-state actor or a nation-state-sponsored group in the UTC+5 time zone.
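The compile-time argument in the two paragraphs above can be reproduced over any set of samples. The following is an added example, not code from the original post or from Bitdefender, that takes PE `TimeDateStamp` values (seconds since the Unix epoch, UTC), shifts them into every candidate UTC offset, and reports which offset makes the most of them fall inside a Monday-to-Saturday, 9-to-17 working window. The seven timestamps are constructed for this example so that six sit in UTC+5 working hours and one does not; they are not the campaign's real values, and the working-window bounds are an assumption the reader can adjust.

```python
"""Score candidate UTC offsets by how many compile timestamps fall in working hours.

Added example with constructed timestamps; not Bitdefender's tooling or data.
"""
from datetime import datetime, timedelta, timezone


def _utc5(year, month, day, hour, minute):
    """Build a constructed PE TimeDateStamp for a local UTC+5 wall-clock time."""
    tz = timezone(timedelta(hours=5))
    return int(datetime(year, month, day, hour, minute, tzinfo=tz).timestamp())


# Constructed TimeDateStamp values: six during a UTC+5 working week (Mon 6 Mar 2017
# through Sat 11 Mar 2017), one on a Sunday night as an outlier.
SAMPLE_TIMESTAMPS = [
    _utc5(2017, 3, 6, 9, 30),    # Monday
    _utc5(2017, 3, 6, 11, 0),
    _utc5(2017, 3, 6, 14, 15),
    _utc5(2017, 3, 6, 16, 45),
    _utc5(2017, 3, 7, 10, 0),    # Tuesday
    _utc5(2017, 3, 11, 13, 0),   # Saturday
    _utc5(2017, 3, 5, 2, 0),     # Sunday, 02:00: outside the window in every sense
]

# Assumed working window: local hours [9, 17) on Monday (0) through Saturday (5).
WORK_START, WORK_END = 9, 17
WORK_DAYS = range(0, 6)


def in_work_window(ts, offset_hours):
    """True when the timestamp, viewed in the given UTC offset, is a working-hours slot."""
    local = datetime.fromtimestamp(ts, tz=timezone(timedelta(hours=offset_hours)))
    return local.weekday() in WORK_DAYS and WORK_START <= local.hour < WORK_END


def work_fraction(timestamps, offset_hours):
    """Fraction of timestamps that land in the working window for this offset."""
    hits = sum(in_work_window(t, offset_hours) for t in timestamps)
    return hits / len(timestamps)


def score_offsets(timestamps, offsets=range(-12, 15)):
    """Map each candidate whole-hour UTC offset to its working-hours fraction."""
    return {o: work_fraction(timestamps, o) for o in offsets}


def best_offset(timestamps, offsets=range(-12, 15)):
    """Return (offset, fraction) for the offset that best explains the timestamps."""
    scored = score_offsets(timestamps, offsets)
    best = max(scored, key=scored.get)
    return best, scored[best]


if __name__ == "__main__":
    for offset, frac in sorted(score_offsets(SAMPLE_TIMESTAMPS).items()):
        bar = "#" * int(frac * 20)
        print(f"UTC{offset:+d}: {frac:.2f} {bar}")
    print("best fit:", best_offset(SAMPLE_TIMESTAMPS))
```

Two caveats a practitioner applies before treating the result as attribution: the PE timestamp is attacker-controlled and can be zeroed or backdated, so the method only carries weight over many samples whose stamps agree with other evidence (PDB paths, C2 registration times, sandbox first-seen dates); and, as the paragraph above notes, a single offset covers several countries, so the best-fit offset narrows the region rather than naming an actor.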
This week, Fortinet documented another instance of cyberspying using very similar techniques: emailed RTF files that appeared to be news stories related to the Vietnamese government. Fortinet tentatively tied that instance to a Chinese hacking group.
Are these info-gathering campaigns in India, Pakistan, and China related? The similar technique of using malicious documents disguised as news articles to infect systems warrants a closer look to see if surface similarities indicate a true link between these campaigns.