Watering hole” threat analysis in the government sector of Kazakhstan

28.05.2021
by VirLab team

While studying the threat landscape of Kazakhstan as a part of the Threat Intelligence phase, T&T Security experts discovered the so-called Razy malware family. The investigated samples of the Razy family apparently were used to infect users in the form of a Trojan downloader masquerading as a regular office document (Word, Excel and Adobe PDF). Attackers usually spread Razy using a “Watering hole” attack.

The “Watering hole” is an attack where attackers locate malware on a legitimate, possibly previously hacked, site visited by a potential victim.

Thus the attacker achieves the trustworthiness effect since the link to the malicious file will likely be on a victim’s list of trusted sites.

Two of the analysed cases caught our sharp attention, in which the attackers spread the malware using the watering hole attack on the e-government portal (egov.kz).

Malicious links:

  • hxxps://legalacts.egov.kz/application/downloadnpa?id=5322314
  • hxxps://budget.egov.kz/budgetfile/file?fileId=1520392

At the same time, the second malicious Razy sample (at budget.egov.kz) was still available for download on the site at the time of detection.

The files are the same malicious Razy Trojan downloader. We assume that cybercriminals published the malicious software under the pretence of office documents by gaining access to uploading files to the legalacts.egov.kz and budget.egov.kz. The first document is a resolution of the district administration. The second, created in 2021, is a financial summary of the administration's budget. That implies the attacker posted the Razy malware in 2021, accordingly.

We assume that these attacks targeted specific companies that may be using these documents. And most likely, the attackers did not aim for the mass attack on the citizens of Kazakhstan, and the public exposure of the samples themselves is most likely a side effect. The rest of the Razy samples are also documents of different kinds, e.g. the resolution of the district administration. That means cybercriminals look for the documents suitable for the victim and embed them into the final malicious file.

One should note, by the time of publication, the malware control server (C&C server) has already been disabled, and that is currently, these samples cannot load any additional malicious functionality.

Together with the accountable employees of Zerde National Information & Communication Holding JSC, the T&T Security team worked to detect the Razy related incidents and block the caused spreading of malicious content.

tLab successfully detects and blocks this threat, which can be seen in the video below. tLab works on the principle of zero trust based on deep behavioral analysis, and high throughput allows you to analyze tens of thousands of files per day without filters and whitelisting, then our solution effectively blocks such threats even using an attack at the watering hole. Since tLab is used as part of the Cyber ​​Shield of the Republic of Kazakhstan, we can say that the state is ready to repel such threats.

Samples technical analysis

Razy, first spotted in 2015, has been used for attacks to these days. Below is a diagram of how Razy works. One can see that when a user launches a sample, a malicious payload gets activated, and an actual legitimate document embedded in malware pops up.

T&T Security monitored the monthly amounts of Razy malware samples found on Virustotal and discovered a sharp increase in May 2021. Most of the detected malware samples to target Kazakhstan belong to the same period. That is, the embedded documents come from the Kazakh institutions.

Razy stats from alienvault.com
(2015 - 2019)
Razy stats from alienvault.com
(2020)
Razy stats from alienvault.com
(2021)

We researched the following files.

  • 2 6>10 @CA.exe
    SHA256: 20f7a8258f83862ae6638a6bd1ad0bc83d40928a89eb40c720934db9b65f4bec
  • эльвира отчет.exe
    SHA256: b06e65a0009ae771566db075c0f5850799977b4a982d7d6a63565a184be60796
  • Отчёт по практике.exe
    SHA256: 219c44420a95370a22ef806244033c2a21e94b7500fc780fc8e4f25183f745bc
  • 24160712_ExSteppeEagle_INTSUM_S2_160X_E_O.exe
    SHA256: 2F6C1C2C4043CA6D19ADDD60FA85A5AD6D347075E73AE1E1DCB76D5CC5224573
  • eastmere vil.exe
    SHA256: 7615E69D6FA11FC851C4CD10DDEE3820ACFC6170578C61AE74B6D4FD8EA71E10
  • OWNSITREP 241700AJUL16 G3.exe
    SHA256: 8FA473C03850B22C2C6AADCFE69268BE4E4C7A33881581FEA83789755AF8F22A
  • 61c98d12-06b1-4f5d-9c12-ace5630dcc07
    SHA256: 3ED1B88C9AE34BA4FFBF8AED737F2DC9A0AEDEEDF8D2A4A69555518845E16264

The identical PDB file paths and the timestamps found in all six samples indicate they were all created by a single “MultiLauncher” tool.

PE file characteristics:

Most of the samples contain a document displayed to the user in resource number 200.

The samples contain icon sets for all types of documents. The final file uses one of the types. That leaves us with a conclusion the creators were using one tool and were choosing the required document type in the final build.

There are Razy builds that do not contain malicious documents:

  • 1f35ce5d620f4eddbfbff5fd1b6142b002bb6a537b864d7745d96ddfd8424bd6
  • 3a050db9c571eafd5b1dccb412991434bd0a0fc52c4771274018420a08af4c00

That explains that the attacker always looks for the “right” documents before embedding them into the final file.

The resource can be a PDF file also.

Usually, Razy is an EXE file with an office document icon.

The actual file extension
Most of the time, the attackers set up an office document icon for an executable file to mislead the user. When the user launches a file, he sees an opened office document, and a malicious EXE file will perform other operations.
SHA256:219c44420a95370a22ef806244033c2a21e94b7500fc780fc8e4f25183f745bc
SHA256:b06e65a0009ae771566db075c0f5850799977b4a982d7d6a63565a184be60796
SHA256:20f7a8258f83862ae6638a6bd1ad0bc83d40928a89eb40c720934db9b65f4bec
SHA256:2F6C1C2C4043CA6D19ADDD60FA85A5AD6D347075E73AE1E1DCB76D5CC5224573
SHA256:8FA473C03850B22C2C6AADCFE69268BE4E4C7A33881581FEA83789755AF8F22A
SHA256:3ED1B88C9AE34BA4FFBF8AED737F2DC9A0AEDEEDF8D2A4A69555518845E16264

All objects have the same functionality but different office documents. Since all of the samples are just variants of the same family, consider one of them.

20f7a8258f83862ae6638a6bd1ad0bc83d40928a89eb40c720934db9b65f4bec

This object is an EXE file with an icon of a Word document. At a closer look, one can conclude, it is a dropper for office documents.

Summary of the object in the tLab system:

Launching the EXE file will result in a regular office document hiddenly located in the current folder.

Created hidden office document

The malicious file contains office document in its resources (DATA - 200):

The first bytes of the file in the resources determine the type of the embedded document. In this case, the “4B 03 04 14 00 06 00 08 00” signature corresponds with the Microsoft Office Open XML Format.

When launched, the Razy malware detects the type of displayed document given the information from the resource number 300 (0x12C):

The resource containing real extension of the file

Next, the reading of the original office document from the resource number 200 (0x0C8) begins, using the FindResource, LoadResource, LockResource, SizeOfResource functions:

Functions for working with resources
Code for working with resources under the DATA identifier

In the tLab sandbox, when uploading a file, one can see a potential threat indicator:

The result of static analysis on the tLab system

A malicious file opens a created document in Word using the ShellExecuteW function:

The ShellExecute function opens the passed file in a program associated with specific extensions. For example, if the file has the DOCX extension, it will be opened by the program registered to open such files (in our case, Microsoft Word).

The T&T Security sandbox also builds a graph of the dynamic behaviour of an object:

A detailed report on the tLab system

The Word document does not contain any macros and is not malicious, according to the initial analysis. Presumably, the purpose of opening an office document is to conceal malicious activity.

At the same time, the malicious file creates a copy of itself in the APPDATA \ RAC folder under the name mls.exe:

Detection in tLab system

One can also observe this activity through the system call logs

Next, mls.exe sets itself to startup in the registry with the -s parameter:

Autoload indication on the tLab system

The file is present in the AutoStartup section of the T&T Security forensics tool

Malicious file at autorun in T&T Security forensics tool

After rebooting, mls.exe will run with the -s option

The condition for the file restart

After starting with the -s parameter, it calls the addresses hxxp: //wxanalytics.ru/net.exe.config and hxxp: //wxanalytics.ru/net.exe

PCAP file content view on the tLab system

The file can run with the -cs and -cc options. In this case, it takes the location path for the original malicious file.

Handling the -cs parameter
Handling the -cc parameter
File moving code

By looking at the list of malicious files that have accessed the same addresses, we will see they have different names.

List of malicious files accessing vwanalytics.ru
Attackers often name malicious files based on the area of interest of potential victims.

Several samples of malicious files on this list were uploaded documents to legalacts.egov.kz and budget.egov.kz. As previously noted, this type of attack is called a watering hole attack.

Malicious links:

  • hxxps://budget.egov.kz/budgetfile/file?fileId=1520392
  • hxxps://legalacts.egov.kz/application/downloadnpa?id=532231

The files are the same old malicious Razy downloader Trojan. We assume that cybercriminals published malicious software under the guise of DOCX by gaining access to uploading files to the legalacts.egov.kz site. As of May 11, 2021, only a few well-known anti-viruses identified the object, while none of them could detect the link to the object itself as malicious.

Conclusion

These days even an ordinary user can unravel such techniques as hiding files and faking the icons.
The malicious Trojan downloader itself is not packed in any way to stay undetected by the antivirus signature. The file creation date indicates the use of old-style malware. The hash sums of the studied samples (without resources) coincide with so many other files seen in similar attacks.
All this suggests that the attackers, in this case, used quite an old malware, changing only the office document displayed to the user, which indicates the low qualifications of the attacker. Regardless, the Razy Trojan still poses a live threat and uses actual white papers.