Afghan-Based Attack Disguised as News
Researchers have detected a new Afghanistan-based attack disguised as a recent article from a Middle Eastern news network about the next Shanghai Cooperation Organisation Summit. Attackers used a malicious document that contained an excerpt from a story and titled it “Afghanistan – ‘Shanghai Spirits’ Contributes to Afghan Peace.”
In order to read the full story, readers were asked to click “enable content” because the document was protected. Duping the victims into clicking on the malicious document was the first stage in a multi-staged attack involving various servers and artifacts. The attack aims to install a Metasploit backdoor using “an interesting .NET downloader which uses a custom encryption method to obfuscate process memory and evade antivirus detection,” according to research reported by AlienVault.
An Afghan user uploaded the malicious file, within which the the macro malware, dubbed "GZipDe," was embedded so that it executed a Visual Basic script upon opening. The script, stored as a hexadecimal stream, then executed the next task from a hidden PowerShell console. Because the server is now offline, the researchers do not have access to the next step in the infection chain; however, they did find the original reverse-tcp payload publicly available (with an additional layer of encryption payload) on GitHub.
“The malware allocates a new memory page with execute, read and write privileges. Then it copies the contents of the decrypted payload and launches a new thread to execute it,” researchers wrote.
The research team has only seen one sample of the malware but said that it seemed very targeted. “Given the decoy document is in English and uploaded from Afghanistan, it may have been targeting someone in an embassy or similar,” Chris Doman, AlienVault security researcher, wrote in an email.
Researchers also noted that Metasploit is growing in popularity for targeted attacks and said that there have been ongoing discussions around what makes Metasploit a good choice for attackers. “Essentially it makes attribution more difficult and they will use the minimum required effort to achieve their objectives,” Doman wrote.
Source: Information Security Magazine