Thanks to Adtiya Sharma for providing support in the research.ĭocument is delivered as an email attachment The Zscaler ThreatLabZ team is continuously monitoring threat actors and ensuring protection against such threats. One such evasion trick that we covered in our earlier blog was the use of FakeTLS header. they are using an SSL/TLS connection and a host header set to a legitimate Microsoft website. Threat actors always try to find ways to blend into real traffic. In this case. Check out our Threat Library for more details about. In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators at various levels. Note: The document will crash in this case but if fixed to run, the Zscaler Cloud Sandbox will block its activity. On the other hand, the watermark value (305419896) found in the beacon configuration has also been used by the Trickbot Group.įigure 8: The Zscaler Cloud Sandbox report for this malware. But the use of a proper GIF header for shellcode seems to be new for them. But here are few observations. The group OceanLotus is known to use DKMC, Cobalt Strike, and fileless payloads. Noticeably, both beacon DLLs use a -based C&C, and the watermark is exactly the same in both: 305419896.Īs Cobalt Strike is a well-known commercial tool for red teams, we are not getting into its technical details.Īs of now, we are not able to attribute this attack to a specific actor with enough confidence. In this case, the beacon payload is downloaded from 37/QBah. The shellcode and additional payload are similar except for the C&C addresses. NET payload, which injects an RSA-encrypted payload into a notepad.exe file after decryption with the MD5: 9c2ee383d235a702c5ad70b1444efb4d The beacon is configured to point to the following C&C address “,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books” and the same host field and user agent. The shellcode decrypts and executes this payload, which turns out to be a Cobalt Strike beacon.įigure 6: The shellcode and payload before decryption.įigure 7: The shellcode and payload after decryption. This GIF file, just after the GIF magic bytes contains a shellcode followed by an XOR-encrypted payload. User-Agent: Mozilla/5.0 (Windows NT 6.1 WOW64 Trident/7.0 rv:11.0) like Gecko Interestingly, this shellcode uses a fake HTML host header and a predefined User-Agent field, in this case, to download a GIF payload from the C&C IP over HTTPS.įigure 5: The shellcode starting with well-known module list access instructions. This shellcode on execution downloads another shellcode but with a valid GIF header, again borrowing a technique from DKMC. If that is the case, then it tries to run the PowerShell in 32-bit mode with the shellcode injection script code as an argument. It checks if the PowerShell script is running with a 64-bit PowerShell process using the command int pointer size, which will be 8 bytes on a 64-bit process. The PowerShell script is designed to run the shellcode in 32-bit mode only. Part of the PowerShell command after the base64 decoding looks like this:įigure 4: Part of the PowerShell code designed to run shellcode.Īlmost exact code from the DKMC framework is used to run embedded base64 encoded shellcode. The code obfuscation is very basic. It just subtracts value 4 to decrypt the PowerShell command.įigure 3: The macro command decryption function. Though the macro is corrupt, we were able to extract the PowerShell command using static analysis. Interestingly, the document contained corrupted macro code leading us to believe that it was built in a hurry using some automated macro obfuscation tool without proper testing. The document contains one line that reads “Geostrategic article for SE Asia Security Analyst,” indicating that the target might be a security analyst for southeast Asia.įigure 2: The malicious document containing a new article reference. The document is named “ India-China border tensions.doc” and contains an article by The Times of India article about the same topic.įigure 1: The infection flow of this attack. It appears as if victims were sent a malicious lure document as an email attachment. It relies on the Cobalt Strike beacon using a malleable C&C profile.It uses the DKMC framework to hide communication in plain sight using steganography.The shellcode uses a fake HTTP host field while communicating with the command and control (C&C) server to download the shellcode. The attack is fileless as no payload is written on disk and no persistence is created.The Zscaler ThreatLabZ team recently came across one such attack trying to leverage the current India-China border dispute to lure victims to open an attached malicious document. Malicious threat actors are always ready to take advantage of current affairs to maximize the success rate of their attacks.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |