At CYFIRMA, our mission is to empower you with the latest insights into the dynamic landscape of cybersecurity threats, addressing risks that impact both organizations and individuals. This report details a sophisticated cyber threat involving a malicious Word file with an embedded macro that, upon opening, prompts victims to enable macros. Once activated, the macro initiates a series of actions, including the creation and deployment of VB scripts, BAT scripts, and the extraction of conhost.zip onto the victim’s machine. This process culminates in the installation of final payload Nim backdoor. The primary objective of this backdoor is to establish a connection with the adversaries’ command and control (C2) server, facilitating unauthorized access. The malicious document, along with the Nim backdoor as its final payload, is attributed to the Sidewinder group (also known as Rattlesnake, BabyElephant, APT Q4, APT Q39, Hardcore Nationalist, HN2, RAZOR Tiger, and GroupA21). Based on available information, the Sidewinder group is believed to originate from South Asia. The group activities can be traced back to 2012. The group typically focuses its attacks on governmental and military entities in various South Asian nations.
This report delves into a recent campaign involving a malicious Word document equipped with an embedded macro, unravelling a sophisticated cyber threat orchestrated by the Sidewinder group possibly to target Nepalese government officials. The threat begins with a potentially spear-phished email delivering a malicious Word document. After download and upon opening the document, the embedded macro executes, manipulating victims into enabling macros. This triggers a complex sequence of events, involving the creation and execution of various scripts and the establishment of persistence mechanisms. The analysis uncovers a multi-stage attack designed to hide activities, establish persistence, and execute malicious payloads.
Through the careful analysis of the embedded macro, this report exposes the intricacies of the attack chain, shedding light on the creation and deployment of VB scripts, BAT scripts, and the extraction of a concealed payload, conhost.exe, exhibiting similarities with the Nim backdoor. Conhost.exe, the primary payload, serves as a gateway for unauthorized access, connecting to the adversary’s Command and Control (C2) server. As part of the Sidewinder group’s broader strategy, the campaign involves the deployment of a reverse shell, adding a layer of complexity to their malicious operations.
Throughout this report, we provide an in-depth exploration of the attack’s technical aspects, shedding light on the functionalities of each component of the malware. Our objective is to equip cybersecurity professionals, organizations, and individuals with a comprehensive understanding of the threat landscape, enabling them to enhance their defenses and proactively mitigate the risks posed by sophisticated threat actors like the Sidewinder group.
The threat landscape presented by the sophisticated Sidewinder APT group highlights a highly skilled and persistent adversary that, in this instance, has orchestrated a targeted campaign against the Nepalese Government. While their focus extends beyond Nepal, encompassing various South Asian government entities, the recent attack showcased a particularly intricate strategy. Researchers have recently identified similar attacks targeting Bhutan.
The group’s modus operandi involves the deployment of decoy malicious documents, adeptly camouflaged as communications from the Nepalese Prime Minister’s Office. This deceptive tactic underscores the advanced nature of the threat, employing a spectrum of techniques, including email spear-phishing and the exploitation of malicious macros within documents. The urgency of this situation necessitates swift attention and coordinated action from relevant stakeholders.
As per the OSINT investigation, all the URLs hardcoded in main payload conhost.exe (Nim Backdoor) resolved to IP address “213[.]109[.]192[.]93”.
IP hosting a C2 server in Italy on BlueVPS having ASN no. AS62005.
The server is Apache and Metasploit running on port 3790 for remote connection open.
Believed to originate from South Asia, the suspected Sidewinder APT group has a historical footprint targeting diverse sectors such as Government, Military, Education, Healthcare, ISP, and Telecommunication across Asia. Known by various aliases like Rattlesnake, Hardcore Nationalist, HN2, APT Q4, RAZOR Tiger, APT Q39, BabyElephant, and GroupA21, their persistent and evolving tactics pose a substantial risk to regional cybersecurity. The comprehensive analysis provided in this report aims to enhance awareness and preparedness against the multifaceted and dynamic nature of cyber threats orchestrated by the Sidewinder APT group.
Basic Details:
MD5: E5859B366B93B05414E1E95D65CE7414
SHA256: 7459a6106d3562d72c7a4fee62d106064a3ed5b48e16474da2b448aeacc2a333
File Type: Office Open XML Document (Microsoft Word Document)
The potentially spear-phished email delivers a malicious document. Upon opening this document, the embedded malicious macro is triggered and executed. The manipulation of the victim occurs as the document prompts them to enable editing as shown below:
The deceptive content found in the sample appears to be associated with the Nepalese government, potentially indicating a focus on Nepalese government officials as the target.
Upon investigation, it was determined that the document contains an embedded macro. Subsequently, the macro was extracted for further analysis. The macro appears to be a part of a multi-stage attack, designed to establish persistence, hide its activities, and execute malicious payloads.
The Document_Open subroutine is executed when the document is opened. When the victiim opens the document, it automatically calls four functions (sch_task, hide_cons, read_shell, vb_chain) responsible for different aspects of the malicious behavior.
sch_task function performs several actions; it sets up environment variables and paths, creates a VBScript file (OCu3HBg7gyI9aUaB.vbs) in the Startup folder (C:\Users\UserName\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup) for persistence.
Firstly, the function leverages the GetObject method to create a WScript.Shell object, a common technique in malware for executing commands. It dynamically retrieves system environment variables such as AppData, LocalAppData, and Temp to construct file paths. Subsequently, a VBScript file (OCu3HBg7gyI9aUaB.vbs) is generated within the user’s startup directory, fostering persistence and ensuring execution upon subsequent system reboots. The script introduces deliberate delays, exemplified by WScript.Sleep 300000, a tactic employed to evade immediate detection and analysis.
Following is the code snippet for “OCu3HBg7gyI9aUaB.vbs” file, which was created by “sch_task” function:
The script introduces sleep delays, likely to avoid immediate detection. It checks internet connectivity by pinging Google. Depending on the result, it either sets an object to Nothing and runs the batch file (81Ghf8kIPIuu3cM.bat) or directly runs the batch file after another sleep delay.
The subsequent execution of an encoded batch file (8lGghf8kIPIuu3cM.bat) further exemplifies the obfuscation techniques employed to conceal the true intent of the script. Following is the code snippet for “8lGghf8kIPIuu3cM.bat” file.
The batch script (8lGghf8kIPIuu3cM.bat) performs several actions, including extracting and executing VBScript files, creating scheduled tasks, and self-deleting files. The batch script is orchestrating the execution of VBScript files (unzFile.vbs, skriven.vbs) and other batch files (2L7uuZQboJBhTERK.bat, 2BYretPBD4iSQKYS.bat, d.bat, e.bat). It sets up a scheduled task (ConsoleHostManager) that runs conhost.exe every minute. After completing its tasks, it attempts to clean up by deleting the created files.
Read_shell function reads bytes from a UserForm text box, splits them, and writes them to a binary file (conhost.zip) in the user’s local application data folder (C:\Users\UserName\AppData\Local\Microsoft).
It is designed to take binary data from a user interface component (UserForm1) and write it to a binary file named “conhost.zip” in the Microsoft folder within the local application data directory.
hide_cons function creates a VBScript file (skriven.vbs) in the local application data folder (C:\Users\dilpreet\AppData\Local). The hide_cons function appears to be creating a VBScript file (skriven.vbs), that, when executed, hides the console window (cmd.exe).
Following is the code snippet for “skriven.vbs” file:
The code is configured to hide the window of the executed program, and the script does not wait for the command to complete before continuing. The purpose of this mechanism may be to run a command discreetly without displaying the command prompt or any associated window. The specific command that gets executed is determined by the value passed as a command-line argument (WScript.Arguments(0)). The script takes the command as an argument and runs it using the Windows Script Host Shell object, while hiding the window of the executed program.
Another function from the macro, the vb_chain is responsible for orchestrating a series of actions, including creating and executing multiple scripts and scheduling tasks. The purpose of this function within the context of a malicious document is to establish a chain of events that likely includes downloading, extracting, executing files, and scheduling tasks on the infected system.
The function initializes objects and variables, including the Windows Script Host Shell object (objShell), the FileSystemObject (objFSO), and various file paths. It creates several files (unzFile.vbs, 2L7uuZQboJBhTERK.bat, etc.) with specific content written to each. The created batch files (2L7uuZQboJBhTERK.bat, 2BYretPBD4iSQKYS.bat, etc.) are executed using wscript.exe. It schedules a new task using schtasks to execute conhost.exe (extracted from cohost.zip file) after a minute.
unzFile.vbs VBScript file is responsible for extracting the contents of conhost.zip to a specified folder. The purpose is to unzip the contents of conhost.zip and make them accessible for further actions.
2L7uuZQboJBhTERK.bat batch file executes unzFile.vbs using wscript.exe, and then it executes skriven.vbs with 2BYretPBD4iSQKYS.bat as an argument. The purpose is to initiate the unzipping process and subsequently execute another script (skriven.vbs).
2BYretPBD4iSQKYS.bat batch file executes unz.vbs and then executes skriven.vbs with d.bat as an argument. D.bat batch file creates a scheduled task (ConsoleHostManager) to execute conhost.exe after a minute. Afterward, it executes skriven.vbs with e.bat as an argument. E.bat batch file is for cleanup purposes. It deletes unnecessary files (unzFile.vbs, 2L7uuZQboJBhTERK.bat, 2BYretPBD4iSQKYS.bat, d.bat, and e.bat itself). The final line executes the main VBScript (skriven.vbs) with an argument, initiating the execution chain.
Macro code exhibits advanced evasion techniques, leveraging VBScript, batch files, and scheduled tasks to achieve its objectives. The use of obfuscation and multi-stage execution makes it challenging to analyze and detect. The overall intent seems to be to establish persistence, hide malicious activities, and execute potentially harmful payloads on the victim’s system.
When victim opens the malicious Word file, victims are urged to enable macros, triggering the creation and deployment of VB scripts, BAT scripts, and the extraction of conhost.zip. This results in the installation of conhost.exe, mirroring Nim backdoor characteristics. Conhost.exe aims to connect to the adversaries’ C2 server for unauthorized access.
Following are the details related to “conhost.exe” file which is Nim Backdoor providing unauthorized access to the threat actors.
MD5: 777fcc34fef4a16b2276e420c5fb3a73
SHA256: 696f57d0987b2edefcadecd0eca524cca3be9ce64a54994be13eab7bc71b1a83
The sample file is 64-Bit PE executable having compiled time Sept-23, which is quite recent and indicates that campaign is running since September, as other file samples also are detected in the same period.
As per the OSINT investigation, the sample mentioned as reverseshell used to provide access to threat actors. Malicious actors frequently utilize a reverse shell as a strategy to illicitly obtain control over a compromised system. The reverse shell facilitates a connection from the victim’s machine to an external server under the attacker’s control. This establishes a backdoor entry, granting the malicious actor the ability to execute commands, transfer files, and potentially carry out additional attacks without direct engagement with the compromised system.
This trojan.khalesi family consists of malicious software that obstructs dynamic analysis. This software checks the environment for dynamic analysis tools and exits if they are found and same behaviour we noticed in the sample. The malicious binary detects various monitoring, malware analysis, network monitoring, debuggers and other analysis tools which include processhacker.exe, procmon.exe, pestudio.exe, procmon64.exe, x32dbg.exe, x64dbg.exe, CFF Explorer.exe, procexp64.exe, procexp.exe, pslist.exe, tcpview.exe, tcpvcon.exe, dbgview.exe, RAMMap.exe, RAMMap64.exe, vmmap.exe, ollydbg.exe, agent.py, autoruns.exe, autorunsc.exe, filemon.exe, regmon.exe, idaq.exe, idaq64.exe, ImmunityDebugger.exe, Wireshark.exe, dumpcap.exe, HookExplorer.exe, ImportREC.exe, PETools.exe, LordPE.exe, SysInspector.exe, proc_analyzer.exe, sysAnalyzer.exe, sniff_hit.exe, windbg.exe, joeboxcontrol.exe, joeboxserver.exe, ResourceHacker.exe, Fiddler.exe, httpdebugger.exe as shown below.
The following is the process tree corresponding to binary. The command “C:\Windows\system32\cmd.exe /c tasklist.exe” indicates that the Windows Command Prompt (cmd.exe) is being used to execute the tasklist.exe command periodically. The /c switch in cmd.exe is used to carry out the command specified and then terminate. Here, the Command Prompt is invoked to run the tasklist.exe command, which lists all running processes on the system. The overall purpose of this command could be to retrieve information about the currently running processes on the system and use for system monitoring or information gathering process.
The binary has several hardcoded URLs, possibly alternative C&C server URLs. Following are the URLs:
The detailed analysis of the sophisticated cyber threat orchestrated by the Sidewinder group underscores the evolving nature of cyber threats. The multi-stage attack chain, initiated through a malicious Word document, reveals a strategic blend of advanced evasion techniques and victim manipulation. The attribution to the Sidewinder group, with a history dating back to 2012, emphasizes the persistent and evolving nature of this threat actor.
The deployment of the Nim backdoor, serves as a stark reminder of the threat landscape’s complexity. This final payload acts as an unauthorized access gateway, connecting to the adversaries’ Command and Control (C2) server. This report sheds light on the threat actor’s proactive defense measures, with the malware detecting and exiting upon identifying various analysis tools. This demonstrates a calculated effort to thwart dynamic analysis and maintain the threat’s efficacy.
This comprehensive analysis aims to equip cybersecurity professionals, organizations, and individuals with the insights needed to enhance their defenses against evolving and sophisticated cyber threats. The dynamic landscape of cyber threats necessitates a proactive and informed approach to cybersecurity, and this report contributes valuable intelligence to that end.
| Sr No. | Indicator | Type | Remarks |
| 1 | E5859B366B93B05414E1E95D65CE7414 | MD5 File Hash | Malicious Macro Document |
| 2 | 4319a76108da6dbcc46a8e50dce25bace3dfe518 | SHA1 File Hash | Malicious Macro Document |
| 3 | 7459a6106d3562d72c7a4fee62d106064a3ed5b48e16474da2b448aeacc2a333 | SHA256 Hash | Malicious Macro Document |
| 4 | 777fcc34fef4a16b2276e420c5fb3a73 | MD5 File Hash | Conhost.exe |
| 5 | 5d2e2336bb8f268606c9c8961bed03270150cf65 | SHA1 File Hash | Conhost.exe |
| 6 | 696f57d0987b2edefcadecd0eca524cca3be9ce64a54994be13eab7bc71b1a83 | SHA256 Hash | Conhost.exe |
| 7 | http://mail.mofa.govnp.org/mail/AFA/ | URL | Hardcoded URLs |
| 8 | http://nitc.govnp.org/mail/AFA/ | URL | Hardcoded URLs |
| 9 | http://dns.govnp.org/mail/AFA/ | URL | Hardcoded URLs |
| 10 | http://mx1.nepal.govnp.org/mail/AFA/ | URL | Hardcoded URLs |
| No. | Tactic | Technique |
| 1 | Initial Access (TA0001) | T1566: Phishing |
| T1566.001: Spear phishing Attachment | ||
| 2 | Execution (TA0002) | T1204: User Execution |
| T1204.002: Malicious File | ||
| 3 | Persistence (TA0003) | T1547: Boot or Logon Auto start Execution |
| T1547.001: Registry Run Keys/ Startup Folder | ||
| 4 | Defense Evasion (TA0005) | T1140: Deobfuscate/Decode Files or Information |
| 5 | Discovery (TA0007) | T1057: Process Discovery |
| T1082: System Information Discovery | ||
| 6 | Exfiltration (TA0010) | T1041 – Exfiltration Over Command-and-Control Channel |
| 7 | Lateral Movement (TA0008) | T1021: Remote Services |
(Source: Surface Web (OSINT))
rule Office_Document_with_VBA_Project
{
meta:
description = “This signature detects an office document with an embedded VBA project. While this is fairly common it is sometimes used for malicious intent.”
Source: Surface Web (OSINT)
samples = “7459a6106d3562d72c7a4fee62d106064a3ed5b48e16474da2b448aeacc2a333”
strings:
$magic1 = /^\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00/
$magic2 = /^\x50\x4B\x03\x04\x14\x00\x06\x00/
$vba_project1 = “VBA_PROJECT” wide nocase
$vba_project2 = “word/vbaProject.binPK”
condition:
(($magic1 at 0) or ($magic2 at 0)) and any of ($vba_project*)
}
rule sandboxdetect_misc : sandboxdetect
{
meta:
source: Surface Web (OSINT)
description = “Sandbox detection tricks”
strings:
$sbxie1 = “sbiedll” nocase ascii wide
// CWSandbox
$prodid1 = “55274-640-2673064-23950” ascii wide
$prodid2 = “76487-644-3177037-23510” ascii wide
$prodid3 = “76487-337-8429955-22614” ascii wide
$proc1 = “joeboxserver” ascii wide
$proc2 = “joeboxcontrol” ascii wide
condition:
any of them
}
rule INDICATOR_SUSPICIOUS_References_SecTools {
meta:
source: Surface Web (OSINT)
description = “Detects executables referencing many IR and analysis tools”
strings:
$s1 = “procexp.exe” nocase ascii wide
$s2 = “perfmon.exe” nocase ascii wide
$s3 = “autoruns.exe” nocase ascii wide
$s4 = “autorunsc.exe” nocase ascii wide
$s5 = “ProcessHacker.exe” nocase ascii wide
$s6 = “procmon.exe” nocase ascii wide
$s7 = “sysmon.exe” nocase ascii wide
$s8 = “procdump.exe” nocase ascii wide
$s9 = “apispy.exe” nocase ascii wide
$s10 = “dumpcap.exe” nocase ascii wide
$s11 = “emul.exe” nocase ascii wide
$s12 = “fortitracer.exe” nocase ascii wide
$s13 = “hookanaapp.exe” nocase ascii wide
$s14 = “hookexplorer.exe” nocase ascii wide
$s15 = “idag.exe” nocase ascii wide
$s16 = “idaq.exe” nocase ascii wide
$s17 = “importrec.exe” nocase ascii wide
$s18 = “imul.exe” nocase ascii wide
$s19 = “joeboxcontrol.exe” nocase ascii wide
$s20 = “joeboxserver.exe” nocase ascii wide
$s21 = “multi_pot.exe” nocase ascii wide
$s22 = “ollydbg.exe” nocase ascii wide
$s23 = “peid.exe” nocase ascii wide
$s24 = “petools.exe” nocase ascii wide
$s25 = “proc_analyzer.exe” nocase ascii wide
$s26 = “regmon.exe” nocase ascii wide
$s27 = “scktool.exe” nocase ascii wide
$s28 = “sniff_hit.exe” nocase ascii wide
$s29 = “sysanalyzer.exe” nocase ascii wide
$s30 = “CaptureProcessMonitor.sys” nocase ascii wide
$s31 = “CaptureRegistryMonitor.sys” nocase ascii wide
$s32 = “CaptureFileMonitor.sys” nocase ascii wide
$s33 = “Control.exe” nocase ascii wide
$s34 = “rshell.exe” nocase ascii wide
$s35 = “smc.exe” nocase ascii wide
condition:
uint16(0) == 0x5a4d and 4 of them
}
(Source: Surface Web (OSINT))
title: Winword Drops Script In Startup
source: Surface Web (OSINT)
description: Winword.exe drops script file in startup location
threatname:
behaviorgroup: 1
classification: 7
logsource:
service: sysmon
product: windows
detection:
selection:
EventID: 11
Image: ‘*\Microsoft Office\Office*\WINWORD.EXE*’
TargetFilename:
– ‘*\AppData\Roaming\Microsoft\\*\STARTUP\\*.vbs*’
– ‘*\AppData\Roaming\Microsoft\\*\STARTUP\\*.js*’
– ‘*\AppData\Roaming\Microsoft\\*\STARTUP\\*.bat*’
– ‘*\AppData\Roaming\Microsoft\\*\STARTUP\\*.url*’
– ‘*\AppData\Roaming\Microsoft\\*\STARTUP\\*.cmd*’
– ‘*\AppData\Roaming\Microsoft\\*\STARTUP\\*.hta*’
– ‘*\AppData\Roaming\Microsoft\\*\STARTUP\\*.ps1*’
condition: selection
level: critical
title: Drops script at startup location
source: Surface Web (OSINT)
description: Drops script at startup location
threatname:
behaviorgroup: 1
classification: 7
logsource:
service: sysmon
product: windows
detection:
selection:
EventID: 11
TargetFilename:
– ‘*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.vbs*’
– ‘*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.js*’
– ‘*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.jse*’
– ‘*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.bat*’
– ‘*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.url*’
– ‘*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.cmd*’
– ‘*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.hta*’
– ‘*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.ps1*’
– ‘*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.wsf*’
condition: selection
level: critical
title: WScript or CScript Dropper
source: Surface Web (OSINT)
description: Detects wscript/cscript executions of scripts located in user directories
tags:
– attack.execution
– attack.t1059.005
– attack.t1059.007
logsource:
category: process_creation
product: windows
detection:
selection1:
Image|endswith:
– ‘\wscript.exe’
– ‘\cscript.exe’
CommandLine|contains:
– ‘C:\Users\’
– ‘C:\ProgramData\’
selection2:
CommandLine|contains:
– ‘.jse’
– ‘.vbe’
– ‘.js’
– ‘.vba’
– ‘.vbs’
falsepositive:
ParentImage|contains: ‘\winzip’
condition: selection1 and selection2 and not falsepositive
fields:
– CommandLine
– ParentCommandLine
falsepositives:
– Winzip
– Other self-extractors
level: high
title: WMI Module Loaded By Non Uncommon Process
source: Surface Web (OSINT)
description: Detects a WMI modules being loaded by an uncommon process
references:
tags:
– attack.execution
– attack.t1047
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
– ‘\fastprox.dll’
– ‘\wbemcomn.dll’
– ‘\wbemprox.dll’
– ‘\wbemsvc.dll’
– ‘\WmiApRpl.dll’
– ‘\wmiclnt.dll’
– ‘\WMINet_Utils.dll’
– ‘\wmiprov.dll’
– ‘\wmiutils.dll’
filter_main_generic:
Image|contains:
– ‘:\Windows\explorer.exe’
– ‘:\Windows\Sysmon.exe’
– ‘:\Windows\Sysmon64.exe’
– ‘:\Windows\System32\’
– ‘:\Windows\SysWOW64\’
– ‘\Microsoft\Teams\current\Teams.exe’
– ‘\Microsoft\Teams\Update.exe’
filter_optional_other:
Image|endswith:
– ‘\WindowsAzureGuestAgent.exe’
– ‘\WaAppAgent.exe’
filter_optional_thor:
Image|endswith:
– ‘\thor.exe’
– ‘\thor64.exe’
filter_optional_defender:
Image|endswith: ‘\MsMpEng.exe’
filter_optional_dotnet:
Image|contains:
– ‘:\Windows\Microsoft.NET\Framework\’
– ‘:\Windows\Microsoft.NET\Framework64\’
Image|endswith: ‘\ngentask.exe’
filter_optional_programfiles:
Image|contains:
– ‘:\Program Files\’
– ‘:\Program Files (x86)\’
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
– Unknown
level: low
