Operation Hangover: Q&A on Attacks

Today Norman and the Shadowserver Foundation released a joint detailed report dubbed Operation Hangover, which relates to a recently released ESET blog about a targeted cyber/espionage attack that appears to be originating from India. Symantec released a brief blog around this incident last week and this Q&A will provide additional information relevant to Symantec around this group.

Q: Do Symantec and Norton products protect against threats used by this group?
Yes. Symantec confirms protection for attacks associated with Operation Hangover through our antivirus and IPS signatures, as well as STAR malware protection technologies such as our reputation and behavior-based technologies. Symantec.cloud also detects the targeted emails used by this group.

Q: Has Symantec been aware of the activities of Operation Hangover?
Yes. As called out in our initial blog, multiple security vendors have been tracking this group. Symantec has been privy to information surrounding this group for a period of time and has been actively tracking their work while ensuring that the best possible protection was in place for the various threats used by them.

Q: Where does the name Operation Hangover come from?
Norman and Shadowserver derived the name Operation Hangover, as one of the most prevalent malwares used by this group contains a project debug path containing this name.

Q: How does a victim get infected?
The initial compromise occurs through a spear phishing email sent to the target. The email contains an attachment using a theme relevant to the target. Figure 1 shows the different stages in the Operation Hangover attack.


Figure 1. Operation Hangover attack

The email contains a malicious attachment that, if opened, infects the victims system or attempts to use an exploit against the target victim's system. If successful, the first stage malware is loaded onto the victim’s system. This malware, in the most part, is from a family of Visual Basic downloaders known as Smackdown.

Following reconnaissance of the infected system by the attacker, they can then decide whether to download the second stage of malware that consists of information stealers mostly written in C++ from a malware family known as HangOve. There are several possible modules from the HangOve family downloaded, which can perform the following taks:

  • Keylogging
  • Backconnect
  • Screen grabber
  • Self-replication
  • System gathering

Q: Does Symantec know who this group is targeting?
Yes. Symantec telemetry has identified Pakistan as being the main target of this attack. With defense documents being used as a lure in these attacks, it would suggest the targets of interest are government security agencies. Symantec has however also observed this group taking part in industrial espionage in countries outside of Pakistan.

Q: How widespread is the threat?
As seen in figure 2 and 3, Symantec telemetry is reporting Pakistan as being the main country impacted by this group. These findings correspond to other researcher’s findings in relation to this group. As previously stated, it is also evident that the operations of this group does not solely focus on one target or region.


Figure 2. Heat map of Symantec telemetry for Operation Hangover related detections


Figure 3. Top 10 countries showing Symantec telemetry for Operation Hangover detections

Q: What name does Symantec give to threats used by this group?
Symantec has detection in place for the threats used by this group under the following detection names:

For Symantec customers to identify this group, we are remapping the main components of this campaign to the following:

The following Intrusion Prevention Signature (IPS) is also in place.

  • System Infected: Trojan.Hangove Activity

Q: Do Symantec/Norton products protect against known exploits used in this campaign?
Yes. The known vulnerabilities being used by this group are listed below along with the Symantec protections. At this time there is no evidence to suggest that the group are using, or have at any time used, a zero-day vulnerability in their attacks.


Q: How will this report affect the group orchestrating Operation Hangover?
Similar to other cases, despite the exposure of the Operation Hangover group, Symantec believes they will continue their activities. Symantec will continue to monitor their activities and provide protection against these attacks. As always, we advise customers to use the latest Symantec technologies and incorporate layered defenses to best protect against attacks by groups of this kind.