PowerShell used for spreading Trojan.Laziok through Google Docs

Introduction

Through our multi-flow detection capability, we recently identified
malicious actors spreading Trojan.Laziok malware via Google Docs. We
observed that the attackers managed to upload the payload to Google
Docs in March 2016. During the brief time it was live, users accessing
the malicious page from Internet Explorer (versions 3 to 11) would
have become the unwilling hosts for the infostealer payload without
any security warning. After we alerted Google about its presence, they
quickly cleaned it and the original URL involved in propagation also
went down.

The Payload

Trojan.Laziok reportedly serves as a reconnaissance tool that
attackers use to collect information about systems they have
compromised. It has been seen previously in a cyber espionage campaign
targeting the energy sector, particularly in the Middle East[i]. In that campaign, the malware was spread
using spam emails with malicious attachments exploiting the
CVE-2012-0158 vulnerability.

The techniques used for delivery in this case involve exploiting
users running versions of Internet Explorer that support VBScript.

Attack Delivery Point

The attacker stored the first stage of the attack on the Polish
domain hosting site cba[.]pl. As seen in Figure 1, the first stage
initiates the attack by running obfuscated JavaScript from
www.younglean. cba[.]pl/lean/.

Figure 1. Obfuscated code shown in the response

Once decoded, the JavaScript unpacks and runs vulnerability
CVE-2014-6332 through VBScript execution in Internet Explorer
(versions 3 to 11), exploiting the memory corruption vulnerability in
Windows Object Linking and Embedding (OLE) Automation to bypass
operating system security utilities and other protections and thus
enabling attackers to enter into ”GodMode” function.  CVE-2014-6332
usage, along with GodMode privileges abuse, has been used as a
combination since late 2014 via a known PoC[ii], as seen Figures 2a
and 2b:

Figure 2a. CVE-2014-6332 usage

Figure 2b. Function call to runmumaa() after
“GodMode” access changing the safemode flags

Next, the runmaa() function downloads the malicious payload from
Google Docs through PowerShell. PowerShell is used to download malware
and execute it inside defined %APPDATA% environment variable path via
DownloadFile and ShellExecute commands. All VBScript instructions and
PowerShell scripts are part of the obfuscated script inside
document.write(unescape), shown in Figure 1.

PowerShell is also useful for bypassing anti-virus software because
it is able to inject payloads directly in memory. We have previously
discussed active
PowerShell data stealing campaigns from Russia
[iii]. It seems the technique is still popular
among campaigns involving infostealers, and this one was able to evade
Google Docs security checks. The payload download link from Google
Docs – seen in Figure 3 showing the de-obfuscated code – fetched live
malware for victims who ended up on the aforementioned Polish website.

Figure 3. Using PowerShell to fetch payload
hosted on Google docs link

Payload Details

The downloaded payload is infostealer Trojan.Laziok, as evidenced by
its callback trace and the presence of the following data:

00406471 PUSH 21279964.00414EED ASCII "open"
0040649C MOV EDX,21279964.004166A8 ASCII
"idcontact.php?COMPUTER="
004064B1 MOV
EDX,21279964.00415D6D ASCII "&steam="
004064D2 MOV
EDX,21279964.00416D96 ASCII "&origin="
004064F3
MOV EDX,21279964.00416659 ASCII "&webnavig="
00406514 MOV EDX,21279964.00416B17 ASCII "&java="
00406535 MOV EDX,21279964.00415601 ASCII "&net="
00406556 MOV EDX,21279964.00414F76 ASCII
"&memoireRAMbytes="
0040656B MOV
EDX,21279964.0041628C ASCII "&diskhard="
0040658E
MOV EDX,21279964.00414277 ASCII "&avname="
004065AF MOV EDX,21279964.00416BFC ASCII
"&parefire="
004065D0 MOV EDX,21279964.0041474A
ASCII "&install="
004065E5 MOV
EDX,21279964.00414E12 ASCII "&gpu="
00406606 MOV
EDX,21279964.004164B7 ASCII "&cpu="
00406659 MOV
EDX,21279964.004170F9 ASCII "bkill.php"
004066B9 MOV
EDX,21279964.00415B79 ASCII
"0000025C00000C6B000008BB000006ED0000088900000453000004CE0000054100000B75"
004066ED MOV EDX,21279964.004149CD ASCII
"install_info.php"
00406735 MOV EDX,21279964.00415951
ASCII "pinginfo.php"
00406772 MOV
EDX,21279964.00416B6B ASCII "get.php?IP="
00406787 MOV
EDX,21279964.0041463F ASCII "&COMPUTER="
0040679C
MOV EDX,21279964.00416DF5 ASCII "&OS="
004067B1
MOV EDX,21279964.00415CB8 ASCII "&COUNTRY="
004067C6 MOV EDX,21279964.00416069 ASCII "&HWID="
004067DB MOV EDX,21279964.00414740 ASCII
"&INSTALL="
004067F0 MOV EDX,21279964.00415BE3
ASCII "&PING="
00406805 MOV EDX,21279964.004158E2
ASCII "&INSTAL="
0040681A MOV
EDX,21279964.00414D3E ASCII "&V="
0040682F MOV
EDX,21279964.00414E5D ASCII "&Arch="
00406872 MOV
EDX,21279964.00414166 ASCII "post.php"
00406899 MOV
EDX,21279964.00414EB0 ASCII "*0"

Above instructions of the payload, when unpacked, highlight the
typical traits of Trojan.Laziok. The infostealer tries to collect
information about computer name, CPU details, RAM size, location
(country), and installed software and antivirus (AV). Our MVX engine
also shows that it attempts to access popular AV files, such as
installer files for Kaspersky, McAfee, Symantec and Bitdefender. It
also blends in by copying itself to well-known folders and processes
such as:

C:\Documents and Settings\admin\Application Data\System\Oracle\smss.exe

The payload attempts to call back to a known bad Polish server [hxxp://]193.189.117[.]36]

We observed the first instance of this attack on March 13, 2016. The
malware was available on Google Docs until we alerted Google about its
presence. Users are not usually able to download malicious content
from Google Docs because Google actively scans and blocks malicious
content. The fact that this sample was available and downloadable on
Google Docs suggests that the malware evaded Google’s security checks.
Following our notification, Google promptly removed the malicious file
and it can no longer be fetched.

Conclusion

FireEye’s multi-flow detection mechanism catches this at every
level, from the point of entry to the callback – and the malware is
not able to bypass FireEye sandbox security. PowerShell data stealing
campaigns have also been observed spreading through document files
with embedded macros, so corporate environments need to be extra
careful regarding the policy and regulation of PowerShell usage –
especially since the abuse can involve some trusted sources that
sometimes have exemptions, with whitelists from some security vendors
being one example. Or they can keep using FireEye.

 

 

[i] http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector
[ii] http://blog.trendmicro.com/trendlabs-security-intelligence/a-killer-combo-critical-vulnerability-and-godmode-exploitation-on-cve-2014-6332/
[iii] https://www.fireeye.com/blog/threat-research/2015/12/uncovering_activepower.html

 

 

This is a Security Bloggers Network syndicated blog post authored by Nick Harbour. Read the original post at: Threat Research Blog