| APT-C-35 | |
| --- | --- |
| Other Names | VICEROY TIGER, APT-C-35, Donot Team, OPERATION HANGOVER, Orange Kala, SectorE02, Brainworm |
| Location | India |
| Date of initial activity | 2015 |
| Suspected attribution | Indian state-sponsored espionage group |
| Motivation | Espionage |
| Associated tools | EHDevel |
Overview
VICEROY TIGER is a threat actor believed to be linked to India, historically targeting various sectors across multiple countries. However, since 2015, this adversary has shifted its focus primarily to entities in Pakistan, especially government and security organizations. VICEROY TIGER consistently uses spear-phishing emails with malicious Microsoft Office documents, Android-targeted malware, and phishing activities aimed at harvesting user credentials.
In March 2017, the 360 Chasing Team identified a sample of targeted attacks that confirmed previously unknown actions by this APT group, tracing activity back to at least April 2016 and naming the group APT-C-35. By June 2017, the 360 Threat Intelligence Center discovered and exposed new attacks by this group against Pakistan, providing a detailed analysis of their unique EHDevel malicious code framework.
Additional Information
Organizations operating in the high-risk sectors or regions targeted by APT-C-35 should implement robust cybersecurity measures. Key recommendations include not downloading documents from unknown sources, patching vulnerabilities such as CVE-2017-11882, and monitoring for suspicious executable files.
Common targets
Activity is concentrated on the Kashmir region because of the Kashmir conflict. The group targets governments, military organizations, ministries of foreign affairs and embassies.
Attack Vectors
The group conducts spear-phishing campaigns in which the malware is delivered as documents containing malicious macros.
How they work
APT-C-35 employs a variety of advanced tactics to carry out its espionage operations. Here’s a detailed look at their operational methods:
1. Spear Phishing and Malware Delivery
APT-C-35’s primary method of attack is spear phishing. The group crafts targeted emails containing malicious attachments or links. These emails are carefully designed to appear legitimate, often impersonating trusted sources or organizations. The attachments usually include documents with embedded macros or scripts that exploit known vulnerabilities in Microsoft Office applications.
Exploited vulnerabilities:
- CVE-2017-11882: A critical memory corruption vulnerability in Microsoft Office that allows remote code execution when a malicious document is opened.
- CVE-2018-0802, CVE-2017-0199, CVE-2017-8570: Other vulnerabilities used to deliver and execute malware through Office documents.
2. Exploitation and Remote Code Execution
Once the victim opens the malicious document, it triggers the exploit, allowing APT-C-35 to execute arbitrary code on the victim’s machine. This code often functions as a dropper, which installs additional malicious components. These components may include:
- Keyloggers: Capture keystrokes to gather sensitive information such as passwords.
- Screen capture tools: Take screenshots of the victim’s activities.
- Data collectors: Extract files and other relevant data from the compromised system.
3. Advanced Malware Frameworks
APT-C-35 utilizes sophisticated malware frameworks such as:
- YTY Framework: A modular, plugin-based framework that facilitates data collection, keylogging, and remote access. It consists of multiple downloaders that install and execute various malicious modules, including backdoors and data exfiltration tools.
- DarkMusical, Jaca, Henos: Malware families employed for specific attacks, often delivered through different file formats such as PowerPoint or Excel documents.
4. Android Malware Distribution
In recent campaigns, APT-C-35 has extended its operations to mobile platforms. They create rogue Android applications that masquerade as legitimate software. These apps are distributed through Google Play or other app stores and may appear under names like “iKHfaa VPN” or “nSure Chat.” The malicious apps use techniques such as:
- Deceptive user interfaces: The apps display fake error messages or notifications to mislead users into thinking the app is functioning normally or has been deleted, while continuing to perform espionage tasks in the background.
- Data exfiltration: The apps capture and transmit personal information, including usernames and passwords, to command and control servers.
5. Command and Control Infrastructure
APT-C-35 uses command and control (C2) servers to manage their malware and receive stolen data. These servers are often disguised as legitimate websites or services to avoid detection. The malware communicates with these servers using encrypted channels to exfiltrate data and receive further instructions.
6. Evasion Techniques
To evade detection, APT-C-35 employs several techniques:
- Obfuscation: Malware code is often obfuscated or packed to hinder analysis and detection.
- Sandbox evasion: The malware includes checks to detect whether it is running in a sandbox or virtual environment and does not execute in such cases.
7. Targeted Campaigns and Adaptation
APT-C-35 tailors its attacks to specific targets based on geopolitical interests. For example, its recent campaigns have focused on entities in the Kashmir region because of the ongoing territorial conflict. The group continuously adapts its tactics and tools to overcome security measures and achieve its espionage objectives.
MITRE Techniques used
Initial Access
- T1566 – Phishing: Sending malicious emails to gain initial access.
Execution
- T1059 – Command and Scripting Interpreter: Using command-line tools or scripting languages for execution.
Persistence
- T1547 – Boot or Logon Autostart Execution: Creating or modifying registry entries or startup folders to maintain persistence.
- T1053.005 – Scheduled Task/Job: Scheduled Task: Creating or modifying scheduled tasks to persist.
Privilege Escalation
- T1068 – Exploitation for Privilege Escalation: Exploiting vulnerabilities to gain elevated privileges.
Defense Evasion
- T1027.001 – Obfuscated Files or Information: Binary Padding: Adding padding to binaries to evade detection.
- T1027.002 – Obfuscated Files or Information: Software Packing: Compressing or encrypting software to evade detection.
Credential Access
- T1005 – Data from Local System: Collecting credentials and other data from local systems.
- T1110 – Brute Force: Attempting to guess passwords to gain access.
Discovery
- T1083 – File and Directory Discovery: Enumerating files and directories on the system.
- T1057 – Process Discovery: Identifying processes running on the system.
- T1018 – Remote System Discovery: Identifying remote systems on the network.
- T1082 – System Information Discovery: Gathering system configuration details.
- T1016 – System Network Configuration Discovery: Discovering network configuration details.
- T1033 – System Owner/User Discovery: Identifying system users and owners.
Lateral Movement
- T1021 – Remote Services: Using remote services like RDP or SMB to move laterally.
Collection
- T1113 – Screen Capture: Taking screenshots of the victim’s desktop.
- T1005 – Data from Local System: Collecting data from the local file system.
Exfiltration
- T1041 – Exfiltration Over Command and Control Channel: Sending data out over the same channel used for command and control.
Impact
- T1486 – Data Encrypted for Impact: Encrypting data to demand a ransom or disrupt operations.
Evasion Techniques
- T1497.001 – Virtualization/Sandbox Evasion: System Checks: Checking if the environment is virtualized or sandboxed to avoid detection.
Communication
- T1102.002 – Web Service: Bidirectional Communication: Using web services for bidirectional communication with command and control servers.
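The Execution and Persistence techniques above (T1059, T1547, T1053.005) and the Office-exploitation chain described under "How they work" map to concrete host telemetry that a defender can check. The following is an added example, not code from this profile or from any of the referenced reports: a small Python triage script that applies those techniques as rules to constructed process-creation and registry events. The pipe-delimited event format, the rule labels, the sample events and all file paths in them are assumptions made for the example; the only page-derived facts are the technique IDs and the CVE number (CVE-2017-11882 is triggered inside the Equation Editor process EQNEDT32.EXE, which is why an Equation Editor child process is treated as its telltale sign).

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Office hosts that should rarely spawn a script interpreter. EQNEDT32.EXE is
# the Equation Editor process in which CVE-2017-11882 is triggered.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Run / RunOnce keys: the registry side of T1547.001 (autostart execution).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Paths a dropper can write to without elevation; a Run-key value or task
# pointing here is far more suspicious than one pointing at Program Files.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Constructed sample events (assumed format): ts|kind|parent|image|detail
# detail = command line for process events, key path for registry events.
SAMPLE_EVENTS = r"""
2024-05-01T09:12:01Z|process|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|WINWORD.EXE /n report.docx
2024-05-01T09:12:07Z|process|C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE|C:\Windows\System32\cmd.exe|cmd.exe /c %TEMP%\svc.exe
2024-05-01T09:12:09Z|process|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -w hidden -f %APPDATA%\stage.ps1
2024-05-01T09:12:15Z|registry|C:\Windows\System32\cmd.exe|C:\Users\alice\AppData\Roaming\svc.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc
2024-05-01T09:12:20Z|process|C:\Windows\System32\cmd.exe|C:\Windows\System32\schtasks.exe|schtasks.exe /create /sc minute /mo 10 /tn Updater /tr C:\Users\alice\AppData\Roaming\svc.exe
2024-05-01T10:30:00Z|registry|C:\Windows\explorer.exe|C:\Windows\System32\msiexec.exe|HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Vendor
2024-05-01T10:31:00Z|process|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe
"""
EVENT_LINES = SAMPLE_EVENTS.strip().splitlines()


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def parse_event(line: str) -> Dict[str, str]:
    """Parse one event line of the assumed format into a dict."""
    ts, kind, parent, image, detail = line.rstrip("\n").split("|", 4)
    return {"ts": ts, "kind": kind, "parent": parent, "image": image, "detail": detail}


def evaluate(ev: Dict[str, str]) -> List[str]:
    """Return the rule labels an event matches; an empty list means no rule fired."""
    hits: List[str] = []
    parent, image = basename(ev["parent"]), basename(ev["image"])
    if ev["kind"] == "process":
        if parent == "eqnedt32.exe":
            # Equation Editor has no legitimate reason to spawn children.
            hits.append(f"CVE-2017-11882 pattern: Equation Editor spawned {image}")
        elif parent in OFFICE_HOSTS and image in INTERPRETERS:
            hits.append(f"T1059 Office application spawned {image}")
        task_from_dropper = parent in INTERPRETERS or any(
            p in ev["parent"].lower() for p in USER_WRITABLE)
        if image == "schtasks.exe" and "/create" in ev["detail"].lower() and task_from_dropper:
            hits.append(f"T1053.005 scheduled task created from {parent}")
    elif ev["kind"] == "registry":
        writer_in_user_path = any(p in ev["image"].lower() for p in USER_WRITABLE)
        if RUN_KEY_RE.search(ev["detail"]) and writer_in_user_path:
            hits.append(f"T1547.001 Run key written by {image}")
    return hits


def triage(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Run every rule over the event lines and return (timestamp, labels) for hits only."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        hits = evaluate(ev)
        if hits:
            findings.append((ev["ts"], hits))
    return findings


if __name__ == "__main__":
    for ts, labels in triage(EVENT_LINES):
        for label in labels:
            print(f"{ts}  {label}")
```

Run against the constructed events, the script flags the Equation Editor child process, the Office-spawned PowerShell, the Run key written by a binary in AppData and the scheduled task created from cmd.exe, while the benign Word start, the installer writing a Run key from System32 and the user-launched cmd.exe stay quiet. The rules deliberately key on parent/child relationships and on where the persisting binary lives rather than on file names, since the profile notes that this group renames and repacks its tools.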
Significant Attacks
- Attacks on Southeast Asian governments (2016): APT-C-35 targeted various Southeast Asian government agencies. These attacks involved sophisticated phishing campaigns aimed at stealing sensitive diplomatic and governmental information.
- Compromise of healthcare organizations (2018): The group was linked to attacks on healthcare organizations in the region. It used phishing emails to deploy custom malware, which allowed it to access and exfiltrate sensitive patient data.
- Exploitation of zero-day vulnerabilities (2019): APT-C-35 was involved in exploiting zero-day vulnerabilities in widely used software to gain unauthorized access to target networks, including vulnerabilities in public-facing applications.
- Cyber espionage campaigns against military and defense entities (2020): The group conducted targeted attacks against military and defense organizations, aiming to steal sensitive information related to defense strategies and operations.
- Attacks on diplomatic entities (2021): APT-C-35 was reported to have targeted diplomatic missions and organizations. The attacks involved advanced phishing techniques and malware to capture diplomatic communications and other sensitive data.
- Use of custom malware for persistence (2022): The group used custom malware, including tools for credential harvesting and keylogging, to maintain persistence and facilitate further intrusions into compromised networks.
References
- APT Profile: APT-C-35 / DoNot Team
- The DoNot APT
- APT-C-35 Gets a New Upgrade
- DoNot Go! Do not respawn!
- DoNot APT Group Delivers a Spyware Variant of Chat App
- Donot Team Leverages New Framework
- VICEROY TIGER Delivers New Zero-Day Exploit
- New mobile malware spread by the DoNot (aka APT-C-35) APT group
- Foxit PDF “Flawed Design” Exploitation