Sepulcher Remote Access Trojan

A Chinese-based APT (TA413) has been targeting European officials in a spear-phishing campaign, by deploying RAT dubbed Sepulcher. Diplomatic and legislative bodies, non-profit policy research organizations, and global organizations involved in economic affairs have all been victims of these attacks. The group has been delivering the malware, for over six months now, through two separate campaigns:

  1. In March 2020, a phishing campaign was designed, masquerading as World Health Organization’s guidance on COVID-19 critical preparedness. The emails contained a weaponized RTF attachment. When a target clicked on the weaponized RTF attachment (named “Covid.rtf”), it exploited a Microsoft Equation Editor flaw. It then installed an embedded malicious RTF object, in the form of a Windows meta-file (WMF), to a file directory.
  2. At the end of July 2020, another campaign was created to target Tibetan dissidents using a strain of Sepulcher malware. The emails, which purported to come from the ‘Women’s Association Tibetan’, included a malicious PowerPoint attachment. When the PowerPoint attachment was executed, it called out to the IP 118.99.13.4 to download a Sepulcher malware payload “file.dll.”

Sepulcher is a basic RAT payload capable of performing reconnaissance within the infected host. Sepulcher obtains information about:-

  • Drives
  • File Information
  • Directory Statistics
  • Directory Paths
  • Directory Content
  • Running Processes
  • Services.

This new RAT enables administrative controls, allowing the threat actor to alter or download file system. This is then used to carry out malicious activities, leading to further compromise of the network or systems.

Impact

Recently, attackers have been accused of impersonating the World Health Organisation and Australian Medical Association to launch fake global COVID-19 campaigns to gather intelligence covertly. This will lead to:-

  1. Misuse of the brand for fraudulent activities
  2. Misbranding leads to loss of goodwill and reputation
  3. Identity theft of the users
  4. Misuse of the data
  5. Compromise of the download which can install malicious software over the system and later on can be treated as bots
  6. Significant cost risk associated with all of the above

Indicators of Compromise

  1. http://107.151.194.197:80
  2. 107.151.194.197
  3. http[:]//118.99.13.4:8099/file[.]dll
  4. dalailamatrustindia.ddns.net
  5. http://107.151.194.197:8080
  6. 9f9723c5ff4ec1b7f08eb2005632b8b1
  7. http://118.99.13.4:1234/qqqzqa
  8. e47a821ef85d722f01f10adff227f45552e4ec73
  9. http[:]//107.151.194.197:443
  10. 118.99.13.4
  11. tseringkanyaq@yahoo.com
  12. f6f9224c389ee46b28fe04847de4afb1e33ca03763c9e5c41bc61a29eab7f669
  13. mediabureauin@gmail.com
  14. welfaretibet.tk
  15. 4a4a959aef64ea48e2b831468119180d0af4b5b685c35170f5db3f001b9cc319
  16. ff301b3295959a3ac5f3d0a5ea0d9f0aedcd8da7c4207b18f4bbb6ddaa0cdf22
  17. e89614e3b0430d706bef2d1f13b30b43e5c53db9a477e2ff60ef5464e1e9add4

Preventive Measures

  1. Do not open suspicious, irrelevant emails, especially ones received from unknown/suspect senders.
  2. Use spam filters and an antivirus program to detect and filter bad emails.
  3. Enable an endpoint security product or endpoint protection suite.
  4. Keep your software up-to-date.
  5. Back up data on a regular basis and keep archived copies offsite and offline.
  6. User privilege escalation should be strong, permit only admin to access.
6 Likes

This summarizes the entire incident in a very detailed way, thanks for the write up :slight_smile:

1 Like

The fact that the IoCs are mentioned is Awesome!

1 Like

@jimmy_kernel @gabri3ls3c Stick around in this community, there are more cool write ups coming your way!

1 Like

There is a lot of pishing attacks on the name of the World Health Organisation. Thanx prevention of awareness!

Great write up, It is really helpful