Dropping Elephant used a watermark and the same TTPs as APT SideWinder.
After a Unit 42 article about Dropping Elephant,
I did some research on the dropper exploiting CVE-2017-11882, named Port Details.doc. I found the file, analysed it, and found another watermark, like SideWinder's, in the exploit.
I developed a YARA rule to hunt on VTI:
rule dropper_elephant {
    strings:
        // RTF signature; the exploit document must start with "{\rt"
        $head = "{\\rt"
        // watermark observed in the exploit's hex-encoded object stream
        $water = { 33 35 33 32 33 34 36 36 36 31 33 36 33 33 36 31 33 35 33 30 30 30 }
    condition:
        $head at 0 and $water
}
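As an added illustration (not code from the original post), the following Python re-implements the rule's two conditions on constructed sample bytes and shows what the rule actually keys on: the bytes in $water are ASCII hex digits, which is how RTF carries embedded object data in \objdata, so decoding them once yields the object-stream bytes they encode. The three RTF fragments and the \objdata filler are constructed for this example and are not taken from Port Details.doc.

```python
"""Added example: pure-Python check mirroring the dropper_elephant YARA rule.

The RTF object stream (\\objdata) is ASCII hex text, so the watermark the rule
matches is itself hex digits; decode_rtf_hex() peels that layer off.
"""
import re

# Same two strings as the YARA rule.
RTF_HEADER = b"{\\rt"
WATERMARK = bytes.fromhex(
    "33 35 33 32 33 34 36 36 36 31 33 36 33 33 36 31 33 35 33 30 30 30".replace(" ", "")
)

# Constructed sample blobs for the demonstration (not the real Port Details.doc).
# The \objdata prefix is generic OLE-header-like filler, not recovered from a sample.
SAMPLES = {
    # header at offset 0 + watermark present -> rule fires
    "positive": b"{\\rtf1{\\*\\objdata 0105000002000000" + WATERMARK + b"0000}}",
    # RTF, but no watermark -> no match
    "no_watermark": b"{\\rtf1{\\*\\objdata 01050000020000000000}}",
    # watermark present but header not at offset 0 ($head at 0 fails) -> no match
    "leading_bytes": b"\r\n{\\rtf1{\\*\\objdata " + WATERMARK + b"}}",
}


def matches_dropper_elephant(data: bytes) -> bool:
    """Equivalent of the YARA condition: $head at 0 and $water."""
    return data.startswith(RTF_HEADER) and WATERMARK in data


def watermark_offset(data: bytes) -> int:
    """Byte offset of the watermark in the file, or -1 if absent."""
    return data.find(WATERMARK)


def decode_rtf_hex(hex_text: bytes) -> bytes:
    """Decode an RTF hex-stream fragment (whitespace/newlines allowed) to raw bytes."""
    digits = re.sub(rb"[^0-9A-Fa-f]", b"", hex_text)
    return bytes.fromhex(digits.decode("ascii"))


def scan(samples: dict) -> dict:
    """Run the rule over a name -> bytes mapping; returns name -> (matched, offset)."""
    return {name: (matches_dropper_elephant(blob), watermark_offset(blob))
            for name, blob in samples.items()}


if __name__ == "__main__":
    for name, (hit, off) in scan(SAMPLES).items():
        print(f"{name:14s} match={hit!s:5s} watermark_offset={off}")
    # The rule's hex bytes are ASCII digits; one more hex decode shows the object bytes.
    print("watermark as text   :", WATERMARK.decode("ascii"))
    print("decoded object bytes:", decode_rtf_hex(WATERMARK))
```

The third sample is the caveat worth remembering when hunting with this rule: `$head at 0` is strict, so a file with a BOM, leading whitespace or any wrapper bytes before `{\rt` will not match even though the watermark is present.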
I found another malware sample and checked its C2.
The sample d3122d94a7fde33bc1f35ab49f56408a19a46847cce3686ff40c7a5f2ff71ca1 contacts 203.124.43.229, and behind that IP we found the domain fst.gov.pk,
and another sample of the same family, 52c10f300f15e6b4f7e3e1989a35c7d2719217f4d3d64fe0afcf83bb922ec61f, contacts the URL fst.gov.pk/images/winsvc.
This is the same conclusion Unit 42 reached.
Another interesting thing is the sequence of TTPs. It is very close to SideWinder in another campaign. The group uses an HTA, hxxp://jtabserver.org/bins/index.hta, delivered by an RTF file. This HTA drops PowerShell content to install the backdoor.
I think a commercial tool is behind these exploits to install the backdoor.
If you have intel about this tool, I am very interested.