Cylance: Spy campaign targeting Pakistani officials installs malware, then surrenders
A previously unobserved threat actor with the characteristics of a nation-state is using advanced techniques to target Pakistani officials with spyware, according to a report published by cybersecurity company Cylance on Monday.
The researchers describe “Operation Shaheen” as a sophisticated espionage campaign targeting people connected to the Pakistani military or government agencies. Through a combination of old and new methods, the perpetrators, which Cylance labels “White Company,” try to deploy spyware onto their victims’ systems while avoiding detection. At a certain point, however, the malware deliberately exposes itself to the victim’s antivirus software, for reasons the report can only speculate about.
Cylance said that White Company’s sophisticated methods of compromise, its evasion techniques and its targets suggest that it’s a previously unseen threat actor and is likely state-sponsored. Attribution-wise, Cylance’s assessment doesn’t get much more specific than that, as the researchers “found no mistakes that might reveal the true identity of The White Company.”
The report breaks down the espionage campaign into two phases. Phase one entails a phishing campaign in which 30 malicious documents are circulated to targets that are in or have some connection to the Pakistani military. The documents cleverly reference events or issues that pertain to their targets, Cylance says, making them look innocuous. If opened, a document executes shellcode — instructions written in low-level machine code — that downloads the actual malware from an external server. Notably, Cylance says it’s not clear whether any of these lures succeeded or whether any targets fell for the scam.
Those external sources were legitimate Pakistani websites, the researchers say. That means the websites were likely compromised and their domains were unknowingly being used to host White Company’s malware. Compromised websites include an engineering branch of Pakistan’s army and a dental equipment supplier that services the military.
Cylance described the malware that these documents dropped onto the targets’ systems as simple, previously observed remote access trojans (RATs). To deliver that payload, White Company exploited a five-year-old, long-patched flaw in Microsoft Word. Given the “off-the-shelf” nature of the methods in this first phase, Cylance says it initially dismissed the threat actor as unsophisticated.
Despite their unremarkable nature, the RATs used in both phases can deploy spyware capable of logging keystrokes, stealing credentials, controlling the desktop remotely and activating the microphone and camera.
“In this case, the decision to heavily obfuscate a common RAT struck us almost as a cruel joke — a complicated, resilient series of outer shells raised expectations of an elaborate or rare flavor of malware within, but instead, delivered plain old boring vanilla,” the report says.
Things were different in the second phase, the researchers wrote. From December 2017 through at least February 2018, the phishing documents arrived with the malware already embedded in them, exploiting a Microsoft Word vulnerability that was a zero-day at the time it was used and has since been patched.
“In this way, The White Company transitioned from using a relatively simple, cookie-cutter exploit that was developed after patch to gaining access to an exploit developed by an entity in the zero-day market and making highly advanced modifications to it,” the report says.
Additionally, the Phase-two malware checks whether the victim’s computer has any of eight anti-virus products installed: Kaspersky, Quick Heal, AVG, BitDefender, Avira, Sophos, Avast and ESET. The malware then evades those products until, in peculiar fashion, it surrenders to them on a specific date; Cylance found a different surrender date for each of the eight products. The report suggests this is a deliberate distraction.
“The White Company choosing not to do this indicates that they wanted the alarm to sound. This diversion was likely to draw the target’s (or investigator’s) attention, time, and resources to a different part of the network. Meanwhile, The White Company was free to move into another area of the network and create new problems,” the researchers say.
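The date-gated behaviour described above has a practical consequence for analysts: a sandbox detonation on a single date observes only one side of the switch. The following Python is an added example, not code from the Cylance report, that models an AV-aware check with per-vendor surrender dates and sweeps the clock to surface the transition. The process names and the surrender dates are illustrative assumptions; the report’s actual indicators and dates are not on this page.

```python
"""Added example: model an AV-aware, date-gated evasion decision and sweep the
clock across it, the way an analyst would in a lab with a faked system date.
Not code from the Cylance report; names and dates below are assumptions."""
from datetime import date, timedelta

# Vendors the article says the Phase-two malware looks for. The process names
# keying this table are illustrative assumptions, not indicators from the report.
AV_PROCESSES = {
    "avp.exe": "Kaspersky",
    "scanner.exe": "Quick Heal",
    "avgui.exe": "AVG",
    "bdagent.exe": "BitDefender",
    "avgnt.exe": "Avira",
    "savservice.exe": "Sophos",
    "avastsvc.exe": "Avast",
    "ekrn.exe": "ESET",
}

# HYPOTHETICAL per-vendor surrender dates (the real ones are not on this page).
SURRENDER_DATES = {
    "Kaspersky": date(2018, 2, 1),
    "Quick Heal": date(2018, 2, 15),
    "AVG": date(2018, 3, 1),
    "BitDefender": date(2018, 3, 15),
    "Avira": date(2018, 4, 1),
    "Sophos": date(2018, 4, 15),
    "Avast": date(2018, 5, 1),
    "ESET": date(2018, 5, 15),
}


def detect_av(running_processes):
    """Return the set of known AV vendors whose process name is running."""
    return {AV_PROCESSES[p.lower()] for p in running_processes
            if p.lower() in AV_PROCESSES}


def decide(running_processes, today):
    """Modelling assumption: 'run' openly if no listed AV is present, 'evade'
    while every present vendor is before its surrender date, and 'surrender'
    (stop evading, let the alarm sound) once any present vendor's date passes."""
    present = detect_av(running_processes)
    if not present:
        return "run"
    if any(today >= SURRENDER_DATES[vendor] for vendor in present):
        return "surrender"
    return "evade"


def clock_sweep(running_processes, start, end, step_days=1):
    """Evaluate decide() for every date in [start, end] and return the points
    where the observed behaviour changes. A single detonation sees one point."""
    transitions = []
    previous = None
    current = start
    while current <= end:
        behaviour = decide(running_processes, current)
        if behaviour != previous:
            transitions.append((current, behaviour))
            previous = behaviour
        current += timedelta(days=step_days)
    return transitions


# Constructed sample host: a Windows process list with Kaspersky installed.
SAMPLE_HOST = ["explorer.exe", "avp.exe", "svchost.exe"]

if __name__ == "__main__":
    for when, behaviour in clock_sweep(SAMPLE_HOST, date(2018, 1, 1), date(2018, 3, 1)):
        print(when, behaviour)
```

The sweep is the point: on any one day the sample host shows either “evade” or “surrender”, so a detonation run on the analyst’s real date can miss the switch entirely. Re-running the same sample under several faked dates (and with different AV products present) is what exposes a kill-date or surrender-date in the first place.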
The researchers reportedly engaged with Pakistan’s Computer Emergency Response Team (CERT) to understand why White Company was focusing on the eight specific anti-virus programs, but said that the CERT ceased communication “after learning more about the nature of our findings.”
Cylance says that it wasn’t able to glean anything about White Company’s identity from the various parts of Operation Shaheen’s command and control infrastructure that it observed. But one IP address is still active, which “suggests strongly that Operation Shaheen is ongoing,” the report says.