Introduction A sophisticated malware campaign has been identified actively targeting military and government entities in Bangladesh. This attack employs social engineering tactics to deliver malicious payloads disguised as official documents. The primary goal appears to be infiltrating secure networks, stealing credentials, and gaining unauthorized access to sensitive systems.
Observed Attack Vector The attack begins with a WhatsApp message forwarding an archive file (e.g., 508.rar) under the guise of a security clearance letter. The sender impersonates a high-ranking military officer, such as “MD. Mahbubur Rashid, PMO,” to create a sense of legitimacy and urgency.
- Sender: 01890925067
- Message Content:
“Enclosed please find the security clr letter, for your info and actions pls.
With regards,
MD. Mahbubur Rashid, PMO”
Technical Analysis of the Payload Upon extraction, the RAR archive contains an executable or script that executes malicious code. Based on previous attack patterns, this payload is likely to include:
- Remote Access Trojans (RATs): Providing attackers with full access to the compromised system.
- Credential Harvesters: Capturing login credentials of government personnel.
- Keyloggers and Screen Capture Modules: Recording keystrokes and screenshots to extract sensitive data.
- Lateral Movement Tools: Enabling attackers to propagate within the targeted network.
Exploitation of WinRAR Vulnerability (CVE-2023-38831) Threat Intelligence Community Bangladesh suspects that this malware campaign is exploiting CVE-2023-38831, a critical vulnerability in WinRAR versions earlier than 6.23. If opened on a vulnerable system, this file could execute arbitrary code, potentially granting unauthorized access. The malicious archive 508.rar is specifically engineered to exploit this flaw, possibly installing malware or escalating privileges on affected machines.
Network Communication and C2 Analysis Further analysis of the malware’s behavior reveals that 508.pdf.exe establishes a network connection to 146.70.158.177, an IP address associated with M247 Europe SRL, a VPN provider based in Paris, France. M247 Europe SRL is a global service provider offering hosting, cloud, and connectivity solutions, but it has also been linked to suspicious web traffic and potential fraudulent activities.
- Confirmed Indicators of Compromise (IoC):
- IP Address: 146.70.158.177
- Remote Port: 8443 (TLS encrypted communication)
- Hosting Provider: M247 Europe SRL
- Usage Type: Data Center/Web Hosting/Transit
Given M247’s history of hosting questionable activities, there is a high likelihood that this infrastructure is being used as a Command and Control (C2) server for exfiltrating sensitive data or executing remote commands on infected systems.
Malware Hashes and Threat Intelligence Analysis The identified malware samples associated with this attack have been analyzed, but currently, they are not flagged in popular threat intelligence databases.
- MD5 Hash: 455a3eab4fc7d2f77cea7a3bc9eb92b9
- SHA256Hash: fc0c2e389eb3be3f041f84e1a89ba93d40374109cd20a2395b68f8c698c788a
Affected Systems Any system running WinRAR below version 6.23 is at immediate risk. It is crucial for all government and military personnel to update their WinRAR software to the latest secure version.
Social Engineering Tactics
- Spoofed Identities: Attackers use forged identities of military officials to establish credibility.
- Urgency and Importance: Messages request immediate action to bypass suspicion and standard security protocols.
- Use of Forwarded Messages: Mimicking legitimate message chains to make detection harder.
Impact on National Security
- Exposure of Classified Information: Compromised accounts may leak sensitive documents and internal communications.
- Network Infiltration: Attackers can establish long-term persistence within military and government IT infrastructure.
- Operational Disruption: Malicious activity could disrupt government services or operations through ransomware or destructive payloads.
Mitigation Measures
- User Awareness Training: Government and military personnel must be trained to identify and report suspicious messages and attachments.
- Strict Message Filtering Policies: Block unknown archive files and unknown executable files by default.
- Advanced Threat Detection: Deploy behavioral analysis tools to detect anomalous activities.
- Endpoint Protection: Ensure all government and military devices have updated antivirus and endpoint detection solutions.
- Multi-Factor Authentication (MFA): Enforce MFA to minimize credential theft impact.
- Update WinRAR Immediately: All users must update to WinRAR 6.23 or later to mitigate the risk of CVE-2023-38831 exploitation.
- Monitor Network Traffic: Actively monitor network logs for any connections to the known C2 infrastructure (146.70.158.177) and block traffic if detected.
Conclusion This campaign highlights the ongoing cyber threats facing Bangladesh’s critical sectors. BCSI strongly advises all government and military entities to exercise heightened vigilance and adopt proactive security measures. Investigations are ongoing to attribute the attack and mitigate its impact.
Threat Intelligence Collaboration The information in this report was gathered in collaboration with Threat Intelligence Community Bangladesh, a BCSI community partner, which is actively monitoring the evolving cyber threat landscape. Their analysis and expertise have played a crucial role in identifying and mitigating this threat.
Call to Action If you receive similar suspicious messages, do not open the attachment. Report the incident to BCSI immediately via [email protected] Ensure your system is running an updated version of WinRAR and follow cybersecurity best practices. Our team is actively tracking this threat and working with relevant agencies to neutralize its impact.
