Key-logging malware, dubbed EHDevel, found intelligence gathering
Key-logging malware, dubbed EHDevel, found intelligence gathering

The malware, dubbed EHDevel, has been used by attackers, thought to be nation-state hackers, to gather intelligence. According to a Reuters report, a cyber-spying campaign is currently being waged against Indian and Pakistani entities.

The malware allows hackers to log keystokes, identify a victim's location and steal personal data. The malware also uses a complex mix of transitions from one programming language to another, code under active development, and bugs that were not spotted during the QA process.

In a white paper, security researchers from Bitdefender said that a year ago they came across a suspicious document called News.doc.  However, unlike most potentially malicious documents that get processed in its labs, this file displayed similarities with a set of files known to have been used in separate attacks targeted at different institutions.

Further investigations found that is used a malware framework that uses a handful of novel techniques for command and control identification and communications, as well as a plugin-based architecture, a design choice increasingly being adopted among threat actor groups in the past few years.

According to Bitdefender, this current operation has an identical mode of operation.

“Another important discovery lies in the fact that this specialised framework that has been used to gather field intelligence for years in different shapes and forms, and our threat intelligence suggests a connection with the 2013 Operation Hangover APT as well,” said researchers.

The researchers said that the payload is embedded at the end of the RTF file, together with the decoy document. Once the RTF file is open, the payload is decrypted and dropped on the disk in the %LOCALAPPDATA% folder. The executable file contains all the tools required to carry out its mission.

Chris Doman, security researcher at AlienVault, told SC Media UK that plugin-based malware is typically seen in attackers employing a group of people that are active against many targets. 

“BitDefender points to potential links to a set of attacks previously exposed as Operation Hangover. In that case the attackers were shown to be towards the bottom-end of APT groups - the operators mistakenly registered domains under their own names, and even used one of their company file shares as an open command and control server. That meant the attackers were exposing their own company documents whilst they were attacking other people,” he said.

“It's possible these attacks continue to be executed by the same organisation, or some of their former employees. Whilst they have been known to attack western companies most of the attacks seem to be in the context of the India-Pakistan relations. They are an interesting example of how attackers, even if lowly skilled, can compromise networks if they are persistent enough. It's key to be able to detect such attackers once they've got past perimeter defences, and to be aware if you are a target.”

Josh Mayfield, platform specialist, Immediate Insight at FireMon, told SC Media UK that we are dealing with a taxonomy of malware that will not trigger any alerts. 

“Organisations who adopt an assumption of compromise can protect themselves by regularly hunting for threats, using discovery methods to find previously unknown tactics specific to their environments.  It is within this mindset that we can explore the potential problems we have not modeled,” he said.

Anton Cherepanov, senior malware researcher at ESET, told SC Media UK that his firm has documented many similar cases, with BlackEnergy malware being probably one of the most prominent.

“It used a core component and modules, that allowed the attackers to take control of the targeted machines, spy on their activity or damage them. Particularly thanks to the modularity, the functionality of the malware was not always the same. In some cases – such as the attack on Ukrainian media or energy sector at the end of 2015 – a destructive component was present, while in other cases – where information extraction seemed to be the primary goal - spyware capabilities dominated,” he said.