Dropping Elephant used a watermark and the same TTPs as APT SideWinder.

After reading a Unit 42 article about Dropping Elephant,

https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/

I did some research on the dropper, named Port Details.doc, which exploits CVE-2017-11882. I found the file, analysed it, and found another watermark in the exploit, like the one used by SideWinder.

I developed a YARA rule to hunt on VTI (VirusTotal Intelligence):

rule dropper_elephant {
    strings:
        $head = "{\\rt"
        $water = { 33 35 33 32 33 34 36 36 36 31 33 36 33 33 36 31 33 35 33 30 30 30 }
    condition:
        $head at 0 and $water
}
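As an added example (not code from the original post), the same condition as the rule above in plain Python, for triaging files where YARA is not installed; it also renders the watermark as the ASCII text you would see in the RTF. The sample RTF bytes are constructed.

```python
import re

# Header and watermark bytes taken from the dropper_elephant rule above.
RTF_HEADER = b"{\\rt"
WATERMARK = bytes.fromhex("33353332333436363631333633333631333533303030")

# Constructed samples: a fake RTF embedding the watermark inside an \objdata
# hex run, a benign RTF, and a non-RTF file that merely contains the bytes.
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105000002000000"
              + WATERMARK + b"0d0a}}}")
BENIGN_RTF = b"{\\rtf1\\ansi Hello}"
NOT_RTF = b"PK\x03\x04" + WATERMARK


def watermark_as_text() -> str:
    """The watermark bytes are ASCII hex digits, as stored in RTF object data."""
    return WATERMARK.decode("ascii")


def scan_rtf(data: bytes) -> dict:
    """Mirror the YARA condition: $head at offset 0 AND $water anywhere.

    Returns the header check, every watermark offset, and the combined verdict,
    so an analyst can see why a file did or did not match.
    """
    head_ok = data.startswith(RTF_HEADER)
    offsets = [m.start() for m in re.finditer(re.escape(WATERMARK), data)]
    return {
        "rtf_header": head_ok,
        "watermark_offsets": offsets,
        "matches": head_ok and bool(offsets),
    }


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF), ("not_rtf", NOT_RTF)):
        print(name, scan_rtf(blob))
    print("watermark text:", watermark_as_text())
```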

I found another malware sample and checked its C2.

The sample d3122d94a7fde33bc1f35ab49f56408a19a46847cce3686ff40c7a5f2ff71ca1 contacts 203.124.43.229, and behind that address we found the domain fst.gov.pk,

and another sample of the same family, 52c10f300f15e6b4f7e3e1989a35c7d2719217f4d3d64fe0afcf83bb922ec61f, contacts the URL fst.gov.pk/images/winsvc,

which matches the conclusion reached by Unit 42.

Another interesting point is the sequence of TTPs, which is very close to SideWinder's in another campaign. The group delivers an HTA, hxxp://jtabserver.org/bins/index.hta, via an RTF file. This HTA drops PowerShell content that installs the backdoor.

I think a commercial tool is behind these exploits used to install the backdoor.

If you have intel about this tool, I would be very interested in it.