Researchers Discover New Non-Malware Obfuscated Targeted Attack
A simple tweet ultimately unraveled a complex, fileless attack. The tweet highlighted encoded text in a PowerShell script that said ‘SourceFireSux’. This ultimately led researchers to discover and analyze an attack comprising a malicious Word document and a PowerShell RAT communicating with its C&C servers via unblocked DNS requests. The attack is completely fileless — non-malware designed to be invisible to standard anti-malware defenses.
SourceFire was acquired by Cisco in 2013 for $2.7 billion. The ‘SourceFireSux’ reference sparked the interest of researchers at Talos, Cisco’s threat intelligence arm, who unsurprisingly wanted to know more. Talos was formed from SourceFire’s vulnerability research team together with Cisco’s own researchers.
A Talos search for the encoded string uncovered a single sample that had been uploaded to the public malware analysis sandbox, Hybrid Analysis.
A search for the decoded string located a single Pastebin entry uploaded by @JohnLaTwC (Twitter’s @JohnLaTwC is John Lambert, general manager, Microsoft Threat Intelligence Center) on Feb. 16, eight days before the tweet. The associated hash led to a malicious Word document that matched the details found in Hybrid Analysis.
Now knowing what they were looking for, Talos was able to locate additional samples and reconstruct and analyze the attack. They found a complex example of the growing tendency for attackers to manipulate existing and trusted Windows facilities rather than install malware that can be detected.
The attack is delivered by a phishing email as a weaponized Word document. The recipient is persuaded to open the document by the assertion, “This document has been secured by McAfee. To view this Protected Document, click Enable Content.” Doing so enables a VBA macro which opens PowerShell and loads and unpacks the malicious code without requiring any file to be written to disk.
The script checks for admin status and PowerShell version. Depending on whether it has Administrator or User access, it sets registry entries (HKLM for Admin or HKCU for User) to achieve persistence. If PowerShell is 3.0 or later, the payload is written to an NTFS Alternate Data Stream. If it is an earlier version, the payload is encoded and written to the location defined in the registry entries.
The script also contains arrays of domains from which it periodically selects a C2 domain to query. Querying these obtains TXT records containing further PowerShell commands.
PowerShell has effectively become a backdoor that is never written to disk, and the actual process is complex.
“It takes the code received in the DNS query response and defines a string variable which contains the code,” explained Talos researchers Edmund Brumaghin and Colin Grady. “It then calls the decode function from the third stage and passes the decoded string into IEX to further extend the Powershell environment. Once this is complete, it then calls a function in the newly extended environment to execute the fourth stage code along with specific parameters. These parameters include the fourth stage C2 domain to use as well as the program to execute which in this case is the Windows Command Line Processor (cmd.exe). This is interesting because it results in the fourth stage payload never actually being written to the filesystem of the infected system.”
This is clearly an attack designed to compromise a specific target. Everything discovered by Talos indicates that the discovered samples are recent.
“The domains associated with the Powershell sample that we analyzed from Hybrid Analysis were initially registered on 2017-02-18,” note the researchers. “According to data available within Umbrella [a product acquired by Cisco when it purchased OpenDNS], the majority of DNS activity related to the domains used by the powershell sample appears to have occurred between 2017-02-22 and 2017-02-25. There was less activity associated with the other identified sample, with most occurring on 2017-02-11.”
Talos was unable to get the C2 infrastructure to issue any commands. The implication is that it is a targeted attack using different C2 domains for individual targets. It would be simple to adjust the lure in the initial phishing email and the hard-coded C2 domains for each individual target — so this could be a brand new attack or an attack only just discovered.
It is, say the researchers, “a great example of the length attackers are willing to go to stay undetected while operating within the environments that they are targeting. It also illustrates the importance that in addition to inspecting and filtering network protocols such as HTTP/HTTPS, SMTP/POP3, etc. DNS traffic within corporate networks should also be considered a channel that an attacker can use to implement a fully functional, bidirectional C2 infrastructure.”
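As an added illustration of the detection point the researchers make, and of the TXT-record channel described earlier, here is a small Python check (written for this page, not code from Talos or the article) that runs over a constructed resolver log: it groups TXT lookups per client and query name and flags names that repeatedly return long, high-entropy answers. The log format, the placeholder domain and the thresholds are assumptions.

```python
import base64
import math
from collections import defaultdict


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed resolver log (not data from the Talos report).
# Fields: "<time> <client> <qname> <qtype> <answer>". The C2 name is a placeholder.
SAMPLE_LOG = "\n".join(
    ["10:00:01 10.0.0.5 www.example.com A 93.184.216.34",
     "10:01:12 10.0.0.7 example.com TXT v=spf1 include:_spf.example.com -all"]
    + ["10:0%d:09 10.0.0.5 c2-placeholder.example TXT %s"
       % (i, _b64("placeholder encoded command chunk %d for demonstration" % i))
       for i in range(4)]
)


def shannon_entropy(s):
    """Bits per character; base64/hex payloads score high, plain words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    parts = line.split(None, 4)
    if len(parts) < 5:
        return None
    return {"time": parts[0], "client": parts[1], "qname": parts[2].lower(),
            "qtype": parts[3], "answer": parts[4]}


def flag_txt_beacons(log_text, min_queries=3, min_len=40, min_entropy=4.0):
    """Return {qname: stats} for names whose TXT answers look like an encoded command channel.

    A single long, high-entropy TXT record is normal (DKIM keys look like this);
    the signal is the same client fetching several such records from one name.
    """
    per_pair = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["qtype"] == "TXT":
            per_pair[(rec["client"], rec["qname"])].append(rec["answer"])
    flagged = {}
    for (client, qname), answers in per_pair.items():
        encoded = [a for a in answers if len(a) >= min_len and shannon_entropy(a) >= min_entropy]
        if len(encoded) >= min_queries:
            flagged[qname] = {"client": client, "txt_queries": len(answers),
                              "high_entropy_answers": len(encoded)}
    return flagged
```

Thresholds need tuning per environment: raise `min_queries` where mail-related TXT lookups are frequent, and pair the check with query-volume baselines so a single DKIM fetch is never flagged on its own.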