
RAT

Reconnaissance

PowerShell


Government-themed malware campaigns disguised as Bunse Technologies deployed commodity RATs to exploit CVE-2017-11882

Government-themed malware campaigns driven by APT Groups disguised as a Pakistani IT firm, Bunse Technologies to deploy commodity RATs targeting India & Afghani...

24-Oct-2021
3 min read

Cisco Talos recently discovered a new crimeware campaign that uses political and government-themed sites to target India and Afghanistan. Talos describes the threat actor as a “lone wolf” who uses IT companies as a front for the operation. The attacks exploit CVE-2017-11882, a memory corruption vulnerability in Microsoft Office, to deliver dcRAT and QuasarRAT. Such commodity RATs give the operator complete control of a system, from preliminary reconnaissance through arbitrary command execution to data exfiltration.

[Figure: Decoy image with an Afghan theme]

Their lures included diplomatic and humanitarian themes for which they registered several domains to deploy payloads. The threat group impersonates a Pakistani IT firm called ‘Bunse Technologies’ to conduct operations.

[Figure: Bunse Technologies]

Reconnaissance

Initial intrusion used a malicious RTF document to exploit a code execution vulnerability in Office, CVE-2017-11882. The exploit runs malicious PowerShell scripts that carry the infection further. Stage 1 base64-decodes the next-stage payload with certutil.exe and executes it. Stage 2 base64-decodes another payload, this time the loader executable, which then runs on the infected endpoint.

[Figure: base64-encoded payload disguised as a fake certificate]

Stage 3 compiles C# code into an executable that serves as the entry point for the malicious script. The final payload, compiled in stage 4, is also C# code; its two main components are a file enumerator module and a file infector module.

Attack

The attack phase begins with malicious RTF documents that exploit CVE-2017-11882 and run a PS1 script. In stage 2, a BAT file builds another PowerShell command, which downloads the final payload and executes it on the endpoint. Three types of payloads reach the endpoints: dcRAT, QuasarRAT, and a legitimate copy of AnyDesk.

[Figure: PowerShell command]
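As an added illustration (not code from the Talos report or from this post), the detection logic below scores constructed process-creation events against the stages of the chain described above: Office spawning the Equation Editor, the Equation Editor starting a shell, certutil.exe used as a base64 decoder, and PowerShell compiling C# on the endpoint. It assumes Sysmon-style (parent image, child image, command line) tuples and relies on the known fact, not stated in the post, that CVE-2017-11882 is triggered through the Equation Editor binary EQNEDT32.EXE.

```python
import re
from typing import Optional

# Constructed Sysmon-style process-creation events: (parent image, child image, command line).
# Sample data written for this example; it mirrors the chain in the write-up, not real telemetry.
SAMPLE_EVENTS = [
    ("explorer.exe", "winword.exe", r'"C:\Program Files\Microsoft Office\WINWORD.EXE" /n invite.rtf'),
    ("winword.exe", "eqnedt32.exe", r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    ("eqnedt32.exe", "cmd.exe", r'cmd.exe /c powershell -w hidden -ep bypass -f C:\Users\Public\stage1.ps1'),
    ("powershell.exe", "certutil.exe", r'certutil -decode C:\Users\Public\fake.cer C:\Users\Public\stage2.exe'),
    ("powershell.exe", "csc.exe", r'csc.exe /noconfig /fullpaths @C:\Users\Public\tmp\abc.cmdline'),
    ("explorer.exe", "certutil.exe", r'certutil -verify C:\certs\corp.cer'),  # benign: no -decode
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def classify(parent: str, image: str, cmdline: str) -> Optional[str]:
    """Map one process-creation event to a stage of the described chain, or None."""
    parent, image = parent.lower(), image.lower()
    # CVE-2017-11882 lives in the Equation Editor, so Office launching EQNEDT32.EXE is the first signal.
    if parent in OFFICE and image == "eqnedt32.exe":
        return "office->equation-editor (CVE-2017-11882)"
    # The Equation Editor has no legitimate reason to start a shell; the RTF exploit uses it to run PowerShell.
    if parent == "eqnedt32.exe" and image in SHELLS:
        return "equation-editor->shell"
    # Stages 1 and 2: certutil used as a base64 decoder for a payload disguised as a certificate.
    if image == "certutil.exe" and re.search(r"(^|\s)-decode(\s|$)", cmdline, re.I):
        return "certutil-base64-decode"
    # Stages 3 and 4: PowerShell compiling C# on the endpoint (csc.exe behind Add-Type).
    if parent == "powershell.exe" and image == "csc.exe":
        return "powershell->csc-compile"
    return None


def detect_chain(events, min_stages: int = 2):
    """Return the distinct stages seen on a host; alert only when several stages co-occur."""
    stages = []
    for parent, image, cmdline in events:
        label = classify(parent, image, cmdline)
        if label and label not in stages:
            stages.append(label)
    return {"alert": len(stages) >= min_stages, "stages": stages}


if __name__ == "__main__":
    print(detect_chain(SAMPLE_EVENTS))
```

Requiring two or more distinct stages keeps a lone certutil -decode or a single csc.exe launch from paging anyone, while the full chain still fires.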

"The use of a custom file enumerator and infector module by the attackers indicates their intent to proliferate by infecting benign, trusted documents to achieve an even greater degree of infection," said researchers.