Digital Warhead: Dissecting TTPs of a Pro-Taliban Hacking Group

In this post, I share a discovery regarding a new threat encountered while browsing a tech-related group comprised of Afghan hackers. I came across a series of tactics used by this group to hinder malware forensics.
Unlike most APTs that focus on evasion, this group employed behavioral analysis techniques specifically designed to thwart malware forensic efforts. I am translating these tactics into English.

These methods were linked to a pro-Taliban hacking group; it’s unclear whether they were the actual Taliban or sympathizers, but they were Afghans. Their tactics consist of up to 10 behavioral analysis checks to determine whether the computer running the malware is operated by a real human or a sandbox/testing environment.

Proof of Concepts

I have replicated only two of these tactics. While I will be sharing PoC videos and VirusTotal analysis links, I won't share actual code samples to prevent misuse by malicious actors. For legal and ethical reasons, I cannot reveal where I found these tactics, due to national security concerns. For demonstration, I used C++20 to write these two programs. I didn't perform any optimizations; however, it seems the group coded the tactics using existing functions loaded from DLLs.

Check Directories for Old Files

Objective: Check special directories for any files the user created more than 30 days ago. There must be at least 10 such files across all directories combined.
Process:
  • Start a timer set for 4 hours
  • During this period, keep a log of the files found earlier and watch whether any of them is modified after the timer starts
  • The check passes if at least one file is modified within this time

Demonstration: For demonstration purposes, I created a program that checks for the existence of 5 files.

PoC Video:
VirusTotal:
https://www.virustotal.com/gui/file/4c1b9e55b6b55b04161dd23b5dfb8feafcedd925481c77cc3203f3442903dcaf/behavior
Create Popups to Gauge User Interaction

Objective: Create popups periodically to detect user interaction.
Process:
  • Start a timer for 60 minutes
  • During this time, create 5 popup messages, each with only a close button (or an “X” icon)
  • Log whether the user interacts with these popups by closing them

Demonstration: For demonstration purposes, I created a program that shows a popup every 1 minute.
PoC Video:
VirusTotal:
https://www.virustotal.com/gui/file/1110351bb371c3a7c72cb5dade184075e2bd87ab04e36806098541c1b37e53cb/behavior
Other Techniques (Not Replicated)

Other techniques used by the group, which I am not replicating, include:
  1. Monitoring clipboard activity for over 4 hours to see if the user has copied and pasted
  2. Tracking mouse and keyboard activity over 4 hours, checking for periods of idleness
  3. Checking if the user has any browsing history on Chrome, Explorer, or Firefox; at least 100 browsed queries should be present
  4. Locking the user's computer screen during activity or interaction with an application to see if the user returns and resumes interaction
  5. Checking the user’s installed software to see if they interact with at least one of them for 10 minutes within the next 4 hours
  6. Detecting the primary browser used previously and checking if the user uses it again for at least 10 minutes within the next 4 hours
  7. Logging keystrokes to determine if the user types at least 30 real words within the next 4 hours
  8. Checking computer audio output and input devices for sound activity, observing changes in volume over 8 hours to determine media usage
Why Wasn't This Discovered Earlier?

These tactics may have been used in campaigns previously, but why haven’t they been documented?
The likely reason is that most threat hunters and malware analysts do not understand Pashto and Dari - the primary languages used by this Afghan hacking group. As an Afghan who understands both languages, I was able to decode these tactics.

There may not be many Afghan malware analysts willing to publish such research for fear of retribution. This could explain the scarcity of similar discoveries.
Now that I’m here, more analyses of this kind may follow. If you are into threat hunting and geopolitics, you may want to bookmark my website for future updates.

Observations on Their Methods

One curious aspect of their approach is that they perform these checks sequentially over a longer period, rather than all at once. This suggests that they were not focused on immediate gains.

The malware was likely built for espionage or long-term data exfiltration, as performing all these checks sequentially could take days. In contrast, ransomware operators seek immediate profit, while cyber espionage groups can afford to wait longer.

Proposed Countermeasures for This Type of Malware

If you have a sandbox environment to analyze malware employing 10 behavioral checks, that’s great. However, most people do not. I shared these insights to raise awareness of emerging cyber threats.

Future Directions:

We should build AI-powered sandbox systems that mimic human behavior to analyze such malware effectively.

A proposed AI-based analysis tool could work as follows. Each check has a set of requirements, right? An automated system could modify the testing environment to satisfy the requirements of one check, rerun the malware so that the check passes, and then move on to the next check in sequence.
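As an added example (my own code, not the group's and not the author's PoC), the Python below does the sandbox-side preparation this section proposes for the first check: it seeds two assumed profile directories with files whose timestamps are backdated past 30 days, confirms they would satisfy the "at least 10 old files" requirement, and then stands in for the user by modifying one file so that a monitor started earlier observes a change. The directory names, the 45-day age and the file contents are assumptions.

```python
import os
import tempfile
import time
from pathlib import Path

SECONDS_PER_DAY = 86400

def seed_aged_files(directory, count, age_days=45):
    """Create `count` files and backdate their timestamps by `age_days` (constructed content)."""
    directory = Path(directory)
    directory.mkdir(parents=True, exist_ok=True)
    created = []
    for i in range(count):
        path = directory / f"notes_{i:02d}.txt"
        path.write_text(f"constructed sample file {i}\n")
        stamp = time.time() - age_days * SECONDS_PER_DAY - i * 3600  # spread the timestamps a little
        os.utime(path, (stamp, stamp))
        created.append(path)
    return created

def count_old_files(directories, min_age_days=30):
    """Analyst-side mirror of the group's requirement: files last modified over 30 days ago."""
    cutoff = time.time() - min_age_days * SECONDS_PER_DAY
    return sum(1 for d in directories for p in Path(d).iterdir()
               if p.is_file() and p.stat().st_mtime < cutoff)

def simulate_user_edit(path):
    """Rewrite one seeded file so a monitor started earlier sees a fresh modification."""
    path = Path(path)
    path.write_text("edited by the sandbox's user-activity stand-in\n")
    now = time.time()
    os.utime(path, (now, now))
    return path.stat().st_mtime >= now - 1

def prepare_sandbox_profile(root, total=10):
    """Seed two assumed 'special' directories and report whether they satisfy the old-files check."""
    docs, downloads = Path(root) / "Documents", Path(root) / "Downloads"
    files = seed_aged_files(docs, total // 2) + seed_aged_files(downloads, total - total // 2)
    old = count_old_files([docs, downloads])
    return {"files": files, "old_file_count": old, "satisfies_check": old >= 10}

def demo():
    """Run the preparation in a throwaway directory and return what the check would observe."""
    root = tempfile.mkdtemp(prefix="sandbox_profile_")
    profile = prepare_sandbox_profile(root)
    edited = simulate_user_edit(profile["files"][0])  # stands in for the user touching a file
    old_after = count_old_files([Path(root) / "Documents", Path(root) / "Downloads"])
    return {"old_before": profile["old_file_count"], "edited": edited, "old_after": old_after,
            "satisfies_check": profile["satisfies_check"]}
```

The same seeding idea extends to the later checks (browser history, installed software) by populating the corresponding artefacts before the run; the user-edit step is what a sequential analysis would trigger once the first check's timer is running.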

A potential challenge arises if attackers randomize the order of checks each time the program runs, which could circumvent a straightforward sequential analysis.


Note: All links and demonstrations are for educational purposes. Please use caution when analyzing or replicating malware techniques.
Posted on: January 12, 2025 06:48 PM