Word files with macros are being used by a new strand of malware to download a PowerShell script from GitHub. a legitimate image file is further downloaded by this PowerShell script from the image hosting service, Imgur to decode a Cobalt Strike script on Windows systems.
This new strain has been linked to MuddyWater (aka SeedWorm and TEMP.Zagros), a government-backed advanced persistent threat (APT) group, first observed in 2017 while mainly targeting Middle Eastern entities by multiple researchers.
Earlier this year researchers shared details on a new macro-based malware that is evasive and spawns payload in multifaceted steps.
The malware strand that looks similar to MuddyWater ships as an embedded macro within a legacy Microsoft Word (*.doc) file, in the style of the APT group.
The embedded macro is run on opening the word document, according to tests conducted by researchers. The macro further launches powershell.exe and feeds it the location of a PowerShell script hosted on GitHub.
The single-line PowerShell script has instructions to download a real PNG file (shown below) from the image hosting service Imgur.
The pixel values of the image are used by the PowerShell script in calculating the next stage payload, even when the image in itself is benign in nature.
This technique of hiding code, secret data, or malicious payload within ordinary files, such as images, is known as steganography.
This is made possible with various tools like Invoke-PSImage, by encoding a PowerShell script within the pixels of a PNG file and generating a one-line command to execute the payload.
As per the researchers, the payload calculation algorithm runs a foreach loop to iterate over a set of pixel values within the PNG image and performs specific arithmetic operations to obtain functional ASCII commands.
Execution of Cobalt Strike payload
The scrip that’s obtained after decoding the manipulated PNG’s pixel value is a Cobalt Strike script.
A legitimate penetration testing toolkit, Cobaltstrike allows attackers to deploy beacons on compromised devices to remotely create shells, execute PowerShell scripts, perform privilege escalation, or spawn a new session to create a listener on the victim system.
The decoded string can also compromise an EICAR string to trick security tools and SOC teams into mistaking this malicious payload for an antivirus test being performed by security professionals.
However, according to researchers, the payload does contact the command-and-control (C2) server via a WinINet module to receive further instructions.
After the initial research, it was reported that the domain associated with the C2 server Mazzion1234-44451.portmap.host was no longer accessible. It was also noted that the domain was recorded close to the 20th December 2020. The GitHub account has got the script pushed the 24 December.
The adversaries have gained another advantage to mask their footsteps when most staff is likely to be away and less vigilant, with the emergence of this evasive malware strain.
Our internal experts suggest, that if you receive a suspicious Word document in a suspected phishing email or via any other means, do not open it or run “macros” within it.
This is not the first time legitimate services like GitHub and Imgur have been abused to serve malicious code, neither would it be the last time such platforms are exploited.
Recently, both GitHub and Pastebin were leveraged by a wormable botnet Gitpaste-12 to host its malicious payload and evade detection. Additionally, ransomware groups like CryLocker have been known to abuse Imgur for data storage.
To read more, please check eScan Blog
