#Keybase keylogger manual#
The attackers used this technique to delay, divert and confuse the manual analysis. The macro also contained lot of junk code, unnecessary comments and variable assignments as shown below.
#Keybase keylogger code#
The macro code was heavily obfuscated (used obscure variable/function names to make analysis harder) as shown below. The malicious macro code was reverse engineered to understand its capabilities. Once the the macro content is enabled, it calls an auto execute function Workbook_Open() which in turn downloads the malware sample and executes on the system.
#Keybase keylogger how to#
When the recipient of the email opens the attached excel file it prompts the user to enable macro content and the excel also contains instruction on how to enable the macros. It looks like attackers carefully researched (or they already knew about) the trust relationship between these two companies.įrom the email it looks like the goal of the attackers was to infect, take control of the systems of users associated with Mazagon Dock Shipbuilders Limited (MDL) and to steal sensitive information (like Product design documents, blueprints, manufacturing processes etc) related to warships and submarines. This is probably the reason attackers spoofed the email id of Hidrofersa as it is less likely to trigger any suspicion and there is high chance of recipients opening the attachment as it is coming from a trusted equipment manufacturer (Hidrofersa). Mazagon Dock Shipbuilders Limited (MDL) is listed as one of clients of Hidrofersa (mentioned in Hidrofersa website) and as per their website Hidrofersa has shipped equipments to Mazagon Dock Shipbuilders Limited (MDL) in the past as shown in the below screen shots. The email was made to look like it was sent by a General service manager of Hidrofersa enquiring about the product delivery schedule.īelow screen shot shows the recipients associated with Mazagon Dock Shipbuilders Limited (MDL), this information was determined from the Email header. The email attachment contained two malicious excel files (both excel files turned out to be same but used different names). On 25th January (day before the Republic day) attackers spoofed an email id associated with Hidrofersa a Spain based company which specializes in designing, manufacturing naval, industrial and mining machinery and the email was sent to the users of Mazagon Dock Shipbuilders Limited (MDL). INS Chennai and Kalvari class submarines were manufactured by Mazagon Dock Shipbuilders Limited (MDL). On 26th January, 2017 Indian Navy displayed its state-of-the-art stealth guided missile destroyer INS Chennai and the indigenously-made Kalvari class Scorpene submarines at the Republic Day parade showcasing India’s military strength and achievements. The attackers spoofed the email id associated with a Spain based equipment manufacturing company Hidrofersa which specializes in designing, manufacturing naval, industrial and mining machinery.
The email purported to have been sent from legitimate email ids. In order to infect the users associated with Mazagon Dock Shipbuilders Limited (MDL), the attackers distributed spear-phishing emails containing malicious excel file which when opened drops a malware capable of spying on infected systems. Mazagon Dock Shipbuilders Limited (MDL) is a Public Sector Undertaking of Government of India (Ministry of Defence) and it specializes in manufacturing warships and submarines for the Indian Navy. In this blog post I describe a new attack campaign where cyber espionage group targeted the users of Mazagon Dock Shipbuilders Limited (also called as ship builder to the nation). In my previous blog posts I described attack campaigns targeting Indian government organizations, and Indian Embassies and Ministry of External affairs.
0 kommentar(er)
