
Spoofed “icegate.gov.in” emails delivering JAR-based RAT/Stealer

  • praj35
  • Aug 25
  • 3 min read

Praj Shete



Executive Summary

Email remains one of the most exploited attack vectors for cybercriminals, who often leverage domain spoofing to impersonate trusted entities. Domain spoofing involves forging an email sender’s address to make it appear as if the email originates from a legitimate domain, deceiving recipients into opening malicious attachments or clicking on harmful links.

One such recent incident targeted our client's users by spoofing icegate.gov.in, the official Indian government portal for the Indian Customs Trade Portal, to deliver Remote Access Trojans (RATs) through an email-based phishing campaign. Attackers craft these emails to appear legitimate, exploiting trust in government agencies to bypass security measures. Once a RAT is executed on a victim's machine, it can give attackers full remote control, enabling data theft, keylogging, and further system compromise.


Technical Findings

Our client received emails claiming to be from “noreply@icegate.gov.in”, crafted to look like the delivery of shipping invoices as a legitimate-looking PDF attachment. However, the attachment was not an actual PDF; it was a thumbnail image of a PDF attachment embedded with a link that redirected to a malicious domain hosting the stage 1 payload.


Email with malicious payload

We can hover over the image to view the link it would redirect to.


Actual URL where the payload is hosted.

Once the link is accessed it downloads “Shipping Bill 2625182 dated 2023122024.PDF.zip”. Extracting the zip file yields two JAR files:


  1. Shipping Bill 2625182 dated 2023122024.PDF.jar

  2. ENTER.jar


The JAR-based payload was executed with javaw.exe, a legitimate Java launcher used to run JAR files.


Command Line:

"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\****\AppData\Roaming\Shipping Bill1621165 dated01072024.PDF.jar"
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\****\AppData\Roaming\ENTER.jar"

Two important findings came out of this execution:


  1. To achieve persistence the malware placed itself into the Startup folder

    C:\Users\****\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ENTER.jar

  2. To call back to its Command and Control server, it made DNS queries for the domain iyiochalogs[.]myddns[.]com. We are confident that these queries were generated by the malware itself, as the same domain appears in the AnyRun Sandbox[1] and in the VirusTotal threat intelligence report[2].


DNS Logs from SIEM
Domain reputation in AnyRun sandbox

Fortunately, the remote C2 server did not respond, the attack did not progress, and a full endpoint compromise was avoided. However, one key takeaway was that a government domain had no SPF and DMARC records published, which allowed attackers to spoof the domain easily.


Malware Capabilities


From the initial static analysis of the sample, the malware family can be classified as a RAT and stealer. A more detailed investigation identifies it as STR-RAT, a Java-based RAT that is sold commercially and delivered as email attachments[3].


The malware has remote commands hardcoded in its code, which is what makes it a RAT: it gives attackers the ability to execute commands remotely. Secondly, it uses browser-related APIs to steal session cookies, usernames, passwords, and much more.


Capabilities to steal browser related data

Remote commands hardcoded

Root Cause Analysis


From the email headers attached below, it is clear that icegate.gov.in was spoofed, based on the following findings:


1. The sending mail servers look suspicious.

2. The sending IPs are blacklisted.


Received: from icegate.gov.in (unknown [194.59.30.164])
 by mail.kqenix.com (Postfix) with ESMTPSA id E12E82BA75
 for <xxx@xxx.com>; Mon, xxx 06:12:58 +0200 (EET)
Received: from mail.kqenix.com (unknown [217.156.66.168])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by mx1.xxx.com (Postfix) with ESMTPS id D23894000D
 for <xxx@xxx.com>; Mon, xxx 09:43:00 +0530 (IST)
Return-Path: <noreply@icegate.gov.in>
From: <noreply@icegate.gov.in>
To: <xxx@xxxx.com>
Subject: [ATP - Suspicious] [ATP - Suspicious] Electronic Final LEO copy of SB for Shipping Bill6265182 dated 23122024
X-Intloopheader: 0
Date: Mon, xxx 09:42:59 +0530
Message-ID: <20241222201259.206064AC69F75282@icegate.gov.in>
MIME-Version: 1.0
Content-Type: multipart/related;
 boundary="----=_NextPart_000_0066_01DB7FA1.F53D2950"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQCzY/o6Rn4kWo+nJFwJUHckMPYRJA==
Blacklisted IP - 1
Blacklisted IP - 2
No SPF, DMARC records published for icegate.gov.in
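The header review above (a relay chain that does not belong to the claimed domain, and a domain with no SPF or DMARC records to fail the message on) can be automated. The following Python is an added example, not code from the original post: it parses a constructed copy of the quoted headers, walks the Received chain, and evaluates the claimed sender domain against a stubbed DNS table in two states, as found (no SPF, no DMARC) and a hypothetical hardened state. The ip4 range 203.0.113.0/24, the rua address and the recipient/mx hostnames are assumptions, not real records; the relay IPs and hostnames are the ones shown in the headers above.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample modelled on the headers quoted in the post; recipient
# addresses and the receiving mx host are placeholders.
SAMPLE_HEADERS = """\
Received: from icegate.gov.in (unknown [194.59.30.164])
 by mail.kqenix.com (Postfix) with ESMTPSA id E12E82BA75
 for <victim@example.com>; Mon, xxx 06:12:58 +0200 (EET)
Received: from mail.kqenix.com (unknown [217.156.66.168])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by mx1.example.com (Postfix) with ESMTPS id D23894000D
 for <victim@example.com>; Mon, xxx 09:43:00 +0530 (IST)
Return-Path: <noreply@icegate.gov.in>
From: <noreply@icegate.gov.in>
To: <victim@example.com>
Subject: Electronic Final LEO copy of SB for Shipping Bill6265182 dated 23122024
Message-ID: <20241222201259.206064AC69F75282@icegate.gov.in>

"""

# Stand-in for DNS TXT lookups so the example runs offline.  DNS_AS_FOUND
# mirrors the post's finding (no SPF, no DMARC).  DNS_HARDENED is a
# hypothetical fix: the ip4 range and the rua address are placeholders.
DNS_AS_FOUND = {}
DNS_HARDENED = {
    "icegate.gov.in": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_dmarc.icegate.gov.in": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.gov.in"],
}

# "from <helo> (<rdns> [<ip>]) ... by <host>"; folded continuation lines are
# still present in the header value, hence DOTALL.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\[\]]*?)\s*\[(?P<ip>[0-9.]+)\]\).*?by\s+(?P<by>\S+)",
    re.DOTALL,
)


def received_hops(raw_headers):
    """Return the Received chain as dicts, in header order (top first)."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            hops.append({k: m.group(k).strip() for k in ("helo", "rdns", "ip", "by")})
    return hops


def sender_domain(raw_headers):
    """Domain claimed in the From: header, lower-cased."""
    msg = message_from_string(raw_headers)
    return msg["From"].split("@")[-1].strip("<> ").lower()


def spf_result(dns, domain, ip):
    """Minimal SPF evaluation: ip4: mechanisms plus the -all/~all terminator."""
    records = [t for t in dns.get(domain, []) if t.startswith("v=spf1")]
    if not records:
        return "none"  # no record published: nothing for a receiver to enforce
    addr = ipaddress.ip_address(ip)
    terms = records[0].split()[1:]
    for term in terms:
        if term.startswith("ip4:") and addr in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
    return "fail" if terms[-1] in ("-all", "~all") else "neutral"


def dmarc_policy(dns, domain):
    """Return the p= tag of the domain's DMARC record, or None if none is published."""
    for txt in dns.get("_dmarc." + domain, []):
        if txt.startswith("v=DMARC1"):
            tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
            return tags.get("p", "none")
    return None


def spoof_indicators(raw_headers, dns):
    """Collect the reasons a message claiming a domain looks spoofed."""
    domain = sender_domain(raw_headers)
    findings = []
    for hop in received_hops(raw_headers):
        # A hop that announces the claimed domain but has no reverse DNS and
        # enters via an unrelated relay is the pattern seen in the post.
        if hop["helo"].endswith(domain) and hop["rdns"] == "unknown":
            findings.append(f"hop claims {domain} from {hop['ip']} (no rDNS) via {hop['by']}")
            findings.append(f"SPF for {hop['ip']}: {spf_result(dns, domain, hop['ip'])}")
    policy = dmarc_policy(dns, domain)
    findings.append("no DMARC record" if policy is None else f"DMARC p={policy}")
    return findings


if __name__ == "__main__":
    for label, table in (("as found", DNS_AS_FOUND), ("hardened", DNS_HARDENED)):
        print(label, spoof_indicators(SAMPLE_HEADERS, table))
```

With the records as found, the result is "SPF none" and "no DMARC record": a receiver has nothing to enforce, so the forged From: passes. With the hardened table the same relay IP fails SPF and the DMARC policy is reject, which is the outcome the recommendations at the end of the post aim for.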

Threat Intel

Such attack paths are heavily used against targets in India and have previously targeted Indian Commercial Banks (https://www.seqrite.com/blog/java-rat-campaign-targets-co-operative-banks-in-india/).

There is also a strong possibility that the Pakistan-based APT SideCopy is involved in this type of attack, for three main reasons:

  1. Targets government bodies.

  2. Sends zip/pdf/doc as phishing attachments.

  3. Specializes in creating RATs/stealers.


Attack Path

However, the full attack path is not clear; this attribution is concluded from the initial findings and the general attack pattern of this APT.


Detection Mechanisms and Recommendations


  1. Enable a DMARC policy: this policy determines what your email server should do when SPF and DMARC checks fail or are missing.

  2. Create a rule in your SIEM/EDR: create a hunting rule for executable double extensions such as pdf.jar, xlsx.exe, jpeg.vbs and png.ps1, since such extensions trick users into opening malicious executables.[4]

  3. Analyze parent-child processes: knowing what is normal in parent-child process relationships is the key to identifying endpoint-based threats; understanding the normal will certainly lead to detecting the abnormal.

  4. User Awareness: Train your users in identifying such emails and make them aware of the impacts of email-based threats.
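Recommendations 2 and 3 can be expressed as concrete hunting logic. The following Python is an added example, not from the original post or any vendor product: it runs a few rules over constructed Sysmon-style events modelled on the command lines and the Startup path quoted earlier. The user name, the parent processes, the list of "user-driven" parents and the final benign baseline event are assumptions; tune the parent list to what is normal in your own environment.

```python
import re
from pathlib import PureWindowsPath

# Extensions that execute, and document/image extensions commonly placed in
# front of them to disguise the real type (the post's pdf.jar, xlsx.exe,
# jpeg.vbs, png.ps1).
EXEC_EXT = {".jar", ".exe", ".vbs", ".ps1", ".js", ".hta", ".scr", ".bat", ".cmd"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpeg", ".jpg", ".png", ".txt"}

# Parents from which "javaw.exe -jar" is unexpected in a typical user baseline
# (assumed list: a user double-clicking, a mail client, a browser, an archiver).
USER_LAUNCH_PARENTS = {"explorer.exe", "outlook.exe", "chrome.exe", "msedge.exe",
                       "firefox.exe", "winrar.exe", "7zfm.exe"}
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)

JAVAW = r"C:\Program Files\Java\jre-1.8\bin\javaw.exe"

# Constructed Sysmon-style events (id 1 = process create, id 11 = file create)
# modelled on the post's command lines and Startup path.  The user "alice",
# the parent processes and the last (benign) event are assumptions.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "image": JAVAW,
     "cmdline": r'"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar '
                r'"C:\Users\alice\AppData\Roaming\Shipping Bill 2625182 dated 2023122024.PDF.jar"'},
    {"id": 1, "parent": JAVAW, "image": JAVAW,
     "cmdline": r'"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar '
                r'"C:\Users\alice\AppData\Roaming\ENTER.jar"'},
    {"id": 11, "image": JAVAW,
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ENTER.jar"},
    # Benign baseline: a developer running a build artefact from a project dir.
    {"id": 1, "parent": r"C:\Windows\System32\cmd.exe", "image": JAVAW,
     "cmdline": r'"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\dev\build\app.jar"'},
]


def is_double_extension(path):
    """True for names like 'Shipping Bill.PDF.jar': a document extension hiding an executable one."""
    suffixes = [s.lower() for s in PureWindowsPath(path).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXEC_EXT and suffixes[-2] in DOC_EXT


def jar_argument(cmdline):
    """Extract the JAR path passed to 'java(w).exe -jar', quoted or not."""
    m = re.search(r'-jar\s+"?([^"]+?\.jar)"?(?:\s|$)', cmdline, re.IGNORECASE)
    return m.group(1) if m else None


def evaluate(events):
    """Run the hunting rules over events; return (rule, detail) alerts."""
    alerts = []
    for ev in events:
        if ev["id"] == 1:
            jar = jar_argument(ev["cmdline"])
            if not jar:
                continue
            parent = PureWindowsPath(ev["parent"]).name.lower()
            # Rule 2 from the post: executable hidden behind a document extension.
            if is_double_extension(jar):
                alerts.append(("double-extension", jar))
            # JARs run straight out of a user-writable profile directory.
            if USER_WRITABLE.search(jar):
                alerts.append(("jar-from-user-path", jar))
            # Rule 3 from the post: parent-child deviation from the baseline.
            if parent in USER_LAUNCH_PARENTS or parent == "javaw.exe":
                alerts.append(("unusual-parent", f"{parent} -> javaw.exe -jar {jar}"))
        elif ev["id"] == 11:
            # Persistence: an executable type dropped into the Startup folder.
            if STARTUP_DIR.search(ev["target"]) and PureWindowsPath(ev["target"]).suffix.lower() in EXEC_EXT:
                alerts.append(("startup-persistence", ev["target"]))
    return alerts


if __name__ == "__main__":
    for rule, detail in evaluate(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The benign event produces no alert because it fails every rule: no double extension, a path outside the user profile, and a parent (cmd.exe) that is not in the assumed user-driven list. That is the point of recommendation 3: the rules encode a baseline, and the malicious chain trips three of them at once.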


IOCs

  • hxxps://ernsontools[.]com/Shipping%20Bill1621165%20dated01072024[.]PDF[.]zip

  • hxxps://qibaut[.]com/SHIPPING%20BILL%20SB[.]PDF[.]zip

  • hxxps://natpmail2[.]netcore[.]co[.]in/fmlurlsvc/?fewReq=:B:JV07MDQwOyd3PDMvMSdoZTwxMDsxMCdyaGZvYHV0c2Q8NGUzZDBnMjkwMGdnNTcwN2IzZTFgMDlkZGAyZzFlZGdlYjJiZTVgOCd1PDA2MjcwOTA0NTQncGhlPDQxN0ZlNWRTMTE3MTgzLDQxN0ZlNWRSMTE3MTgzJ3NicXU8cXNgd2Rkb0FrYGhycXNob2YvYm5sJ2I8OTcnaWVtPDE=&url=hxxps%3a%2f%2flurnisbiotech[.]com%2fShipping%20Bill%20No6999594Dt06012025[.]PDF[.]zip

  • iyiochalogs[.]myddns[.]com

  • dc2de34c6685749c35894a7135efbcb7


References:


