A recently detected cyberattack campaign utilized tools built by combining multiple open-source techniques, Cisco Talos security researchers say.
Dubbed Frankenstein, the campaign involved attacks carried out between January and April 2019 and aimed at infecting victims’ machines with malware. The activity appears highly targeted, due to a low volume of documents found in various malware repositories.
The actors behind the campaign are believed to be moderately sophisticated but highly resourceful. They make heavy use of open-source solutions and use anti-detection techniques, such as checking for analysis tools and virtual environments, only responding to GET requests that contained predefined fields, and encrypting data in transit.
The security researchers have identified two malicious documents used in the campaign, likely served to victims via emails. One of the documents fetches a remote template and uses the CVE-2017-11882 exploit to execute code, while the second prompts the victim to enable macros and run a Visual Basic script.
In the first scenario, after the exploit, the malicious document runs a command script to achieve persistence by setting a scheduled task to run base64-encoded PowerShell commands that act as a stager, Talos reports.
One of the observed documents claimed to have been created by security firm Kaspersky. Two other documents were more targeted, with one containing logos apparently taken from Middle Eastern countries’ government agencies, while the other displaying an image of unspecified buildings.
In the second scenario, as soon as the macro is enabled, a Visual Basic Application (VBA) script containing two anti-analysis features is executed.
The script first queries Windows Management Instrumentation (WMI) to check if specific applications are running: VMWare, Vbox, Process Explorer, Process Hacker, ProcMon, Visual Basic, Fiddler, and WireShark. Next, it checks if specific tasks are running, namely VMWare, Vbox, VxStream, AutoIT, VMtools, TCPView, WireShark, Process Explorer, Visual Basic, and Fiddler.
The script stops its execution if any of these apps or tasks is discovered. Otherwise, it proceeds to call WMI and determine the number of cores allocated to the system and exits if the number of cores is less than two.
Following the evasion checks, MSbuild is leveraged to execute an actor-created .xml file likely based on an open-source project called “MSBuild-inline-task.” The file deobfuscates base64-encoded commands, which reveals a small script designed to obtain an additional payload from the command and control (C&C) server.
After decryption, the string received from the server launches a PowerShell Empire agent that attempts to gather specific information on the local system, including Username, Domain name, Machine name, Public IP address, administrative privileges, currently running processes, operating system version, and the security system’s SHA256 HMAC.
The gathered information is sent back to the C&C server via an encrypted channel. A specific user-agent string and a session key would be used and the threat actors could remotely interact with the agent to upload and download files and use plugins compatible with the Empire framework.
“A campaign that leverages custom tools is more easily attributed to the tools’ developers. One example of this was the code overlap in the VPNFilter malware that allowed us to associate the activity with the BlackEnergy malware. By contrast, operations performed with open-source frameworks are extremely difficult to attribute without additional insights or intelligence,” Talos concludes.