On July 6, 2017, RSA FirstWatch noted renewed MONSOON APT campaign activity submitted to VirusTotal by a community user in India. The submission was an email attachment, Free_Hosting.doc, a Rich Text Format (RTF) document that attempts to exploit CVE-2015-1641. (Note: for a technical walk-through of RTF and its commonly exploited vulnerabilities, we recommend readers take a look at this post by RSA Engineering's Kevin Douglas.)
The RTF file drops BADNEWS, a backdoor launched through a legitimately signed Java executable that uses DLL side-loading to evade security detection and prevention. (PlugX, a backdoor well documented by past RSA Research efforts, employs a similar technique.) To accomplish this, the RTF writes out several executables, which in turn create MicroScMgmt.exe and jli.dll in C:\Users\analyst\AppData\Roaming\Microsoft and modify the current user's Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) for persistence.
The executable also issues a 'GET /images/' request to www.samanthvisser[.]com, hosted at 162[.]255[.]116[.]10, to retrieve a decoy Free_Hosting.doc that is shown to the user as a distraction.
Meanwhile, MicroScMgmt.exe (md5: BA79F3D12D455284011F114E3452A163) is actually a signed copy of the Java Platform SE 6 U39 launcher. At start-up it loads jli.dll by name, and because Windows searches the application's own directory before system locations such as Windows\System32 (the same search that resolves its other imports, such as Microsoft's msvcr71.dll runtime), the attacker's jli.dll sitting beside it in C:\Users\analyst\AppData\Roaming\Microsoft is loaded in place of the legitimate Java library. Backdoor established.
Based on these observations, this activity from early July appears consistent with recent Monsoon campaigns as documented by both Fortinet (part 1 and part 2) and Forcepoint. Screenshot courtesy of Vitali Kremez, @VK_Intel, who captured our executable in action.
Upon infection, initial command and control (C2) was observed as an unsolicited 'HTTP POST /6031170831643635.xml' to feed43[.]com, a domain previously tied to Monsoon (part 1 of the Fortinet report cites 'hxxp://feed43.com/0414303388550176.xml') and believed to host encrypted data that contains the address of the actual C2 server, i.e., it acts as a dead-drop resolver.
We also observed suspected outbound C2 via 'HTTP POST /1bc29b36f623ba82aaf672/435dfa34fasdf3.php' sent directly to the IP address 91[.]92[.]136[.]20, likely also carrying encrypted (or obfuscated) content. We additionally noted outbound communications to en[.]wikipedia[.]org; the purpose of this connection remains unclear, although it possibly relates to the actor's past use of public forums.
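The two C2 channels above have shapes that are easy to hunt for in proxy or NetWitness HTTP metadata: a POST of an all-digit .xml name to feed43[.]com, and a POST addressed straight to an IP literal rather than a hostname. The following is an added example written for this post, not RSA code or output from any RSA product. It keeps the indicators defanged as they appear above and refangs them for matching; the HttpRecord layout, the sample traffic, and the 203.0.113.x destination addresses for the feed43 and Wikipedia requests are constructed placeholders. The feed43 path rule generalises from the two URIs cited (this one and Fortinet's) to any all-digit .xml name, and the wikipedia request is included only as a no-hit baseline, since the post does not treat it as an indicator.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators quoted in the post, kept defanged exactly as written there.
KNOWN_C2_DOMAINS = {"www.samanthvisser[.]com", "feed43[.]com"}
KNOWN_C2_IPS = {"162[.]255[.]116[.]10", "91[.]92[.]136[.]20"}

# Both feed43 URIs seen so far (this post and Fortinet's) are /<digits>.xml;
# the pattern is generalised to any all-digit name with an .xml suffix.
DEAD_DROP_PATH = re.compile(r"^/\d+\.xml$")


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable host or IP."""
    return ioc.replace("[.]", ".")


@dataclass
class HttpRecord:
    """One HTTP session summary (constructed layout, not a product schema)."""
    dst_ip: str
    host: str      # Host header as sent by the client
    method: str
    path: str


def is_bare_ip(host: str) -> bool:
    """True when the Host header is an IP literal rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_http(rec: HttpRecord) -> List[str]:
    """Return the names of the indicators that fire for one record."""
    hits = []
    host = rec.host.lower()
    if host in {refang(d) for d in KNOWN_C2_DOMAINS}:
        hits.append("known_c2_domain")
    if rec.dst_ip in {refang(i) for i in KNOWN_C2_IPS}:
        hits.append("known_c2_ip")
    # Behavioural rule: an unsolicited POST of an all-digit .xml name to
    # feed43.com matches the dead-drop resolver use described in the post.
    if host == "feed43.com" and rec.method == "POST" and DEAD_DROP_PATH.match(rec.path):
        hits.append("feed43_dead_drop_post")
    # Behavioural rule: POSTs addressed straight to an IP literal are rare in
    # ordinary browsing and are how the second C2 channel presented itself.
    if rec.method == "POST" and is_bare_ip(host):
        hits.append("post_to_ip_literal")
    return hits


# Constructed sample traffic: the three requests named in the post plus two
# benign ones. The 203.0.113.x addresses are documentation-range placeholders.
SAMPLE_TRAFFIC = [
    HttpRecord("162.255.116.10", "www.samanthvisser.com", "GET", "/images/"),
    HttpRecord("203.0.113.10", "feed43.com", "POST", "/6031170831643635.xml"),
    HttpRecord("91.92.136.20", "91.92.136.20", "POST",
               "/1bc29b36f623ba82aaf672/435dfa34fasdf3.php"),
    HttpRecord("203.0.113.20", "en.wikipedia.org", "GET", "/wiki/Main_Page"),
    HttpRecord("203.0.113.30", "updates.example.com", "POST", "/api/checkin"),
]


def scan_traffic(records: List[HttpRecord]) -> Dict[str, List[str]]:
    """Map each flagged request line to the indicators it triggered."""
    flagged = {}
    for rec in records:
        hits = classify_http(rec)
        if hits:
            flagged[f"{rec.method} {rec.host}{rec.path}"] = hits
    return flagged


if __name__ == "__main__":
    for line, hits in scan_traffic(SAMPLE_TRAFFIC).items():
        print(f"{line}  ->  {', '.join(hits)}")
```

The two literal-indicator rules are only as good as the feed they come from; the two behavioural rules are the ones worth keeping once the domains and IPs rotate, and the bare-IP POST rule in particular should be tuned against your own egress baseline before it is used for alerting.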
With regard to NetWitness detection of Monsoon APT's delivery of BADNEWS, note the behavioral indicators captured in the meta below.
NetWitness Endpoint (ECAT) was also able to identify this activity rather easily by monitoring Office applications (WINWORD in the case of BADNEWS) for writing any executables. Indicators of compromise (IOCs) from ECAT are below.
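The host-side chain described in this post (WINWORD writing executables, a signed Java launcher side-loading an unsigned jli.dll from its own user-writable directory, and a Run value pointing into that directory) can be expressed as three rules over endpoint telemetry. The following is an added example written for this post, not ECAT logic or any RSA product's detection content. The HostEvent layout and the sample events are constructed; the drop directory, file names and Run key come from the post, while the Office install path and the benign events are invented for contrast.

```python
from dataclasses import dataclass
from typing import List, Tuple

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".cpl"}
# Directories a standard user can write to; a signed binary running from
# here, or a Run value pointing here, is the shape this campaign took.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# Matches both ...\CurrentVersion\Run and ...\CurrentVersion\RunOnce.
RUN_KEY_MARKER = "\\software\\microsoft\\windows\\currentversion\\run"


@dataclass
class HostEvent:
    """A simplified endpoint telemetry record (constructed, not ECAT's schema)."""
    kind: str               # "file_create" | "image_load" | "registry_set"
    process: str            # image path of the acting process
    target: str             # file written, module loaded, or registry value
    data: str = ""          # registry value data (registry_set only)
    process_signed: bool = False
    module_signed: bool = False


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def _dirname(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[0]


def _ext(path: str) -> str:
    name = _basename(path)
    return name[name.rfind("."):] if "." in name else ""


def _user_writable(path: str) -> bool:
    return any(marker in _norm(path) for marker in USER_WRITABLE_MARKERS)


def classify_event(ev: HostEvent) -> List[str]:
    """Return the names of the rules that fire for one event."""
    hits = []
    # 1. The ECAT indicator from the post: an Office process writing an
    #    executable. Real telemetry would also check for an MZ header rather
    #    than trusting the extension alone.
    if (ev.kind == "file_create" and _basename(ev.process) in OFFICE_PROCESSES
            and _ext(ev.target) in EXECUTABLE_EXTS):
        hits.append("office_process_wrote_executable")
    # 2. Side-loading shape: a signed binary loads an unsigned module from its
    #    own directory, and that directory is user-writable.
    if (ev.kind == "image_load" and ev.process_signed and not ev.module_signed
            and _dirname(ev.target) == _dirname(ev.process)
            and _user_writable(ev.target)):
        hits.append("signed_binary_sideloaded_unsigned_dll")
    # 3. Persistence: a Run/RunOnce value whose command lives in a
    #    user-writable directory.
    if (ev.kind == "registry_set" and RUN_KEY_MARKER in _norm(ev.target)
            and _user_writable(ev.data)):
        hits.append("run_key_points_into_user_writable_dir")
    return hits


# Constructed sample events reproducing the chain from the post.
DROP_DIR = r"C:\Users\analyst\AppData\Roaming\Microsoft"
WINWORD = r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"   # invented path
LOADER = DROP_DIR + r"\MicroScMgmt.exe"

SAMPLE_EVENTS = [
    HostEvent("file_create", WINWORD, DROP_DIR + r"\MicroScMgmt.exe"),
    HostEvent("file_create", WINWORD, DROP_DIR + r"\jli.dll"),
    HostEvent("file_create", WINWORD, r"C:\Users\analyst\AppData\Local\Temp\~WRD0001.tmp"),
    HostEvent("image_load", LOADER, DROP_DIR + r"\jli.dll",
              process_signed=True, module_signed=False),
    HostEvent("image_load", LOADER, r"C:\Windows\System32\kernel32.dll",
              process_signed=True, module_signed=True),
    HostEvent("registry_set", LOADER,
              r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicroScMgmt", data=LOADER),
    HostEvent("registry_set", r"C:\Windows\explorer.exe",
              r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Agent",
              data=r"C:\Program Files\Example\Agent.exe"),   # benign, invented
]


def scan_events(events: List[HostEvent]) -> List[Tuple[int, List[str]]]:
    """Return (index, hits) for every event that triggers at least one rule."""
    return [(i, classify_event(ev)) for i, ev in enumerate(events) if classify_event(ev)]


if __name__ == "__main__":
    for idx, hits in scan_events(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{idx}] {ev.kind:12} {_basename(ev.process):18} -> {', '.join(hits)}")
```

Rule 1 on its own is the high-confidence one, which is why it was enough for ECAT here. Rules 2 and 3 will also fire on legitimate per-user software installed under AppData, so treat them as triage signals that become strong when they chain on the same process within a short window, as they do in this sample.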
Additionally, all observed MONSOON BADNEWS domains and IPs have been added to the FirstWatch C2 Domains and IPs feeds and should be available via RSA Live.
Thanks to Christopher Ahearn and Ahmed Sonbol for their help with this analysis.